[pmwiki-devel] $12.50 -> .50 var problem

The Editor editor at fast.st
Tue Apr 10 15:16:42 CDT 2007


On 4/10/07, W Randolph Franklin <pmwiki at wrfranklin.org> wrote:
> This is about a user-supplied field containing '$' having the '$'
> being treated as the special char that it is.
>
> Since no one else seems to have mentioned it:
>
> Inserting unchecked user-supplied text into a program and then
> reparsing, which is what this seems to amount to, it is a
> horrible security situation.  In the worst case, an attacker gets
> complete control of your system.

I take it this means it's never safe to run a preg_replace command on
an input field from a user?  Or am I missing something...  There are
probably other places this should be checked also.  No one has
mentioned this in the past.  Curious it's just now come up.  I'll do
some scouting around if I haven't misunderstood you...

Cheers,
Dan
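For anyone scouting for the same pattern: the failure in the subject line comes from PHP's preg_replace() parsing its replacement argument for back-references ($n or \n, with n up to two digits). The snippet below is an added illustration written for this thread, not PmWiki code; the function names, the "{price}" placeholder and the sample input are all constructed. It shows the raw call beside two ways of inserting user text literally.

```php
<?php
// Added example (not PmWiki's code). A user-supplied value is passed straight
// in as the replacement argument of preg_replace(). In "$12.50" the "$12" part
// is read as a reference to capture group 12; the pattern has no groups, so an
// empty string is inserted and only ".50" survives, matching the thread subject.
function replaceUnsafe(string $template, string $userValue): string
{
    return preg_replace('/\{price\}/', $userValue, $template);
}

// Fix 1: escape the two characters the replacement parser treats specially.
// Note that preg_quote() is for patterns, not replacements, so it is the wrong
// tool here; a backslash before "$" and before "\" is what the replacement
// syntax expects.
function replaceLiteral(string $template, string $userValue): string
{
    $escaped = strtr($userValue, ['\\' => '\\\\', '$' => '\\$']);
    return preg_replace('/\{price\}/', $escaped, $template);
}

// Fix 2: use preg_replace_callback(). The string returned by the callback is
// inserted verbatim, so no $n / \n parsing happens at all.
function replaceViaCallback(string $template, string $userValue): string
{
    return preg_replace_callback(
        '/\{price\}/',
        function (array $m) use ($userValue): string {
            return $userValue;
        },
        $template
    );
}

// Constructed input standing in for a form field submitted by a user.
$template  = 'Total: {price}';
$userValue = '$12.50';

echo replaceUnsafe($template, $userValue), "\n";
echo replaceLiteral($template, $userValue), "\n";
echo replaceViaCallback($template, $userValue), "\n";
```

Run with the PHP CLI; the first line printed is the truncated ".50" form from the subject, the other two keep the full "$12.50". The callback form is the easier one to audit when the replacement text originates outside the program, because nothing about it depends on remembering to escape.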
