From 0454be45f4f153663b1e8c227a1e59ae5a4871c5 Mon Sep 17 00:00:00 2001
From: "http://anastigmatix.net/" <http://anastigmatix.net/@web>
Date: Fri, 24 Oct 2014 19:45:23 -0400
Subject: [PATCH] do=goto leaks page existence

---
 doc/todo/Zoned_ikiwiki.mdwn | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/doc/todo/Zoned_ikiwiki.mdwn b/doc/todo/Zoned_ikiwiki.mdwn
index 6b562215a..c2dfb7a24 100644
--- a/doc/todo/Zoned_ikiwiki.mdwn
+++ b/doc/todo/Zoned_ikiwiki.mdwn
@@ -123,6 +123,21 @@ but I'll begin it here.
 
 Note that not all of these issues will be problems for all **zoned ikiwiki use cases**.
 
+### Leakage of page existence by `do=goto`
+
+An unauthorized client can use a `do=goto` request to find out whether a
+page exists (will be forbidden to view it) or not (will be forbidden to create it).
+
+My first idea was to fix this all within [[plugins/contrib/signinview]] by hooking
+`cgi` first and checking for `goto` and an unauthorized page. But checking authorization
+requires session info, not loaded at `cgi` hook time. Next idea was to somehow skip the rest of
+the chain of `cgi` hooks, preventing `goto` from handling the request, and handling
+it again in `sessioncgi`. But 'skip the rest of this chain' doesn't seem to be something
+a hook can return.
+
+Hmm, maybe change the `do` parameter to something other than `goto` before the `goto` hook
+can see it, _then_ handle it later in `sessioncgi`?
+
 ### Backlinks
 
 What is problematic is when you link a public page in a private page : 
-- 
2.32.0.93.g670b81a890