I see from recent changes that we have lots of the likes of
Locale Clapham;format=rdf
and
Category Bars;action=edit
being autocreated.
This smells of a bug. Or a security hole, allowing an unscrupulous third party spider to pollute the database with badly formed stubs.
Ivor.
On Sat, May 29, 2004 at 10:29:59AM +0100, IvorW wrote:
> I see from recent changes that we have lots of the likes of
> Locale Clapham;format=rdf
oglondon=> select count(*) from node where name like '%action=%';
 count
-------
   142
(1 row)

oglondontest=> select name from node where name like '%action=%';
 Category French Food;format=rdf;action=edit;action=edit;format=rdf
 Category French Food;action=delete;action=delete;action=delete;action=delete
 Category French Food;action=edit;action=delete;action=edit;action=edit
 Category French Food;action=delete;action=edit;action=edit;action=delete
 Category French Food;action=delete;format=rdf;action=edit;format=rdf
[following listing of many spurious nodes nuked]
Kate, can I delete these safely the simple SQL way, or should I write something to use the CGI::Wiki method for it?
> This smells of a bug.
In somebody else's spider, as far as I can tell, which combined erroneously appending multiple parameters with incorrect URL encoding. But, it does confirm the point that Dom made - namely, autocreation violates RFC 2616 ("In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval."). This behaviour is clearly potentially harmful, and we should disable it.
> Or a security hole, allowing an unscrupulous third party spider to pollute the database with badly formed stubs.
Why not just pollute the database with randomly-named nodes, if you were going to do that? At least that way it would be harder to do a SELECT statement to find them. And anyway, you don't need autocreation to do that.
Oops, should I have said that on a publicly-archived list? ;)
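Added example, not part of the original thread and not OpenGuides or CGI::Wiki code: a Perl request dispatcher that follows the RFC 2616 rule quoted in the message above, so a GET or HEAD for an unknown node returns 404 instead of autocreating a stub. The `%nodes` hash, `handle_request` and the sample requests are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical in-memory stand-in for the wiki's node table.
my %nodes = ( 'Category Bars' => 'Bars in London.' );

# Decide what a request does. Only POST may change the store; GET and HEAD
# are retrieval-only (RFC 2616 section 9.1.1), so a missing node is a 404,
# never an autocreated stub.
sub handle_request {
    my ( $method, $name, $content ) = @_;
    if ( $method eq 'GET' or $method eq 'HEAD' ) {
        return exists $nodes{$name}
            ? ( 200, $nodes{$name} )
            : ( 404, "No such node: $name" );
    }
    if ( $method eq 'POST' ) {
        return ( 400, 'Empty content' )
            unless defined $content and length $content;
        $nodes{$name} = $content;
        return ( 200, 'Saved' );
    }
    return ( 405, 'Method not allowed' );
}

# Constructed requests: the first two mimic the mangled spider URLs
# reported in the thread, where the parameters ended up in the node name.
my @requests = (
    [ 'GET',  'Category Bars;action=edit' ],
    [ 'GET',  'Category French Food;action=delete;format=rdf;action=edit' ],
    [ 'GET',  'Category Bars' ],
    [ 'POST', 'Locale Clapham', 'Pages about Clapham.' ],
);

for my $req (@requests) {
    my ( $status, $body ) = handle_request(@$req);
    printf "%-4s %-60s -> %d %s\n", $req->[0], $req->[1], $status, $body;
}

# Only the node written by the explicit POST has been added.
print "Nodes now: ", join( ', ', sort keys %nodes ), "\n";
```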
On Tue, Jun 01, 2004 at 11:51:04AM +0100, Earle Martin wrote:
> the point that Dom made
Oops, didn't realise that this was on the other list. Reference: http://openguides.org/mail/openguides-dev/2004-May/000316.html
On Tue 01 Jun 2004, Earle Martin openguides@downlode.org wrote:
> Kate, can I delete these safely the simple SQL way, or should I write something to use the CGI::Wiki method for it?
Write something - then they'll be cleared from the indexes as well.
Kake
On Tue, Jun 01, 2004 at 03:12:31PM +0100, Kate L Pugh wrote:
> > Kate, can I delete these safely the simple SQL way, or should I write something to use the CGI::Wiki method for it?
> Write something - then they'll be cleared from the indexes as well.
Done.
openguides-london@lists.openguides.org