Description

Even when show_hosts = 0, it is possible to reveal the IP host name.

Steps to reproduce

  1. Ensure that the configuration file has: 
    •     show_hosts = 0

  2. Go to the /FrontPage and move down to the line that says something like: 

    •     last edited 2005-05-18 11:32:36 by BarryCornelius

  3. Hover above the name of the editor, e.g., BarryCornelius.

  4. The IP host name of the machine from which the editor made the edit will be revealed.

Details

I'm using MoinMoin 1.3.4 but a glance at the code of MoinMoin 1.3.5 reveals that this code has not been changed.

Workaround

Discussion

Here are lines 61 to 63 of the file logfile/editlog.py of MoinMoin 1.3.5: 

   1         if kind == 'homepage':
   2             return '<span title="%s">%s</span>' % (wikiutil.escape(self.hostname),
   3                                                    editor.link_to(request))

Surely this should be: 

   1         if kind == 'homepage':
   2             return '<span title="%s">%s</span>' % (wikiutil.escape((request.cfg.show_hosts and self.hostname) or ''),
   3                                                    editor.link_to(request))

Looks like the code got changed in 1.5 (logfile/editlog.py line 89-92): 

   1         if request.cfg.show_hosts:
   2             title = " @ %s[%s]" % (self.hostname, self.addr)
   3         else:
   4             title = ""

I assume that should be suffient to get this bug fixed but didn't test myself.

Plan

Ignore in 1.3 branch.

CategoryMoinMoinBugFixed

MoinMoin: MoinMoinBugs/HostnameRevealedEvenWhenShowHostsOff (last edited 2007-10-29 19:19:58 by localhost)