Private pages can be overridden by URL hacking #44
Thanks for your great work on Omnigollum.
While using it, I've just noticed that if you specify
Then if you go to e.g. https://mywiki.com/private the authorization prompt is shown as expected. However, there seems to be an easy way to override this:
I'm by no means a Ruby developer, so I'm not too sure what's going on behind the scenes.
Something I tried was to modify the route, so that it's converted to downcase. While that works for that particular case, then unauthenticated users cannot access the open parts of the site that use capital letters, e.g. mywiki.com/Home. So no, the workaround does not quite work:
I'm sure there are better and cleverer ways to fix this.
Title changed from "Private routes can be overridden by URL hacking" to "Private pages can be overridden by URL hacking" on Mar 28, 2017.
I just stumbled upon this issue while setting up gollum with omnigollum. Also having the described problem, I finally was able to solve this using regular expressions in the
```ruby
:protected_routes => [ /\/[Pp][Rr][Ii][Vv][Aa][Tt][Ee]\/.*/, /\/[Pp][Rr][Ii][Vv][Aa][Tt][Ee]/ ]
```
I'm sure this solution can easily be improved, but being no Ruby coder, this was the best I could come up with. Anyway, maybe this helps.
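The case mismatch discussed in this thread, as an added example that is not part of the original posts and is not Omnigollum's own code. `protected?` is a hypothetical model (an assumption) of checking a request path against a route list, and the sample paths are constructed; it compares a plain string route, the character-class regexes from the comment above, and a single anchored case-insensitive regex.

```ruby
# Hypothetical model, not Omnigollum's implementation: String routes are
# treated as case-sensitive prefixes, Regexp routes are matched against the path.
def protected?(path, routes)
  routes.any? do |route|
    case route
    when Regexp then route.match?(path)
    when String then path.start_with?(route)
    else false
    end
  end
end

# A plain string route: only the exact lowercase spelling is covered.
STRING_ROUTES = ['/private'].freeze

# The two patterns from the comment above. They are unanchored, so they match
# the word anywhere in the path and also match longer names.
CHAR_CLASS_ROUTES = [
  %r{/[Pp][Rr][Ii][Vv][Aa][Tt][Ee]/.*},
  %r{/[Pp][Rr][Ii][Vv][Aa][Tt][Ee]}
].freeze

# One pattern: anchored at the start of the path, case-insensitive (/i), and
# ending at a slash or end of string so that /privateer stays a separate page.
ANCHORED_ROUTES = [%r{\A/private(?:/|\z)}i].freeze

# Constructed sample request paths.
SAMPLE_PATHS = %w[/private /Private /PRIVATE/notes /Home /privateer /docs/private].freeze

# Returns { path => true/false } for every sample path under the given routes.
def report(routes)
  SAMPLE_PATHS.map { |path| [path, protected?(path, routes)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  { 'string' => STRING_ROUTES,
    'char classes' => CHAR_CLASS_ROUTES,
    'anchored /i' => ANCHORED_ROUTES }.each do |name, routes|
    puts "#{name}:"
    report(routes).each { |path, hit| puts format('  %-16s %s', path, hit ? 'auth required' : 'open') }
  end
end
```

Whether a nested path such as `/docs/private` should also require authentication is a policy decision; the anchored pattern leaves it open, the unanchored ones do not.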