[pmwiki-devel] The (In)Security of IncludeUpload
Patrick R. Michaud
pmichaud at pobox.com
Wed May 2 08:01:54 CDT 2007
On Wed, May 02, 2007 at 12:33:02PM +1000, Kathryn Andersen wrote:
> Having just mentioned the insecurity of my IncludeUpload recipe, I'd
> appreciate some help in actually making it secure. It's secure enough
> if one can trust the people who have edit permission, but if it's an
> open wiki, it is Bad News.
> There are a few issues I'm aware of:
> 1. the command to do text-to-html conversion is a `command`, which
> isn't secure, since someone could pass in arguments which would turn
> it into `command arg;rm -rf /*` or the like. With Perl, there are
> things like taint. I don't know what the equivalent is in PHP.
PHP ain't got no taint. :-) Besides, even if it did, the
variables you're wanting to use here ($txt2html_args) would
be tainted, because they're coming from the "outside world".
Out of curiosity, what `command` are you typically using to
convert the text to html?
One possibility might be to explicitly list the $txt2html_args
that you're willing to accept, rather than take them directly
from the directive argument. (If you can provide a couple of
examples, I can illustrate a way to do this.)
> 2. Files stored in pmwiki/uploads are not checked to see whether
> the user has read permission on them. [...]
> 3. Files stored under $DOCUMENT_ROOT do not check Apache permissions,
> they just go straight to the filesystem, which means that if the
> file is readable by Apache, then it's readable by anyone.
> I don't know how to check for this.
One answer might be to read the file's contents via url instead
of directly off the filesystem (i.e., using a url-based fopen).
> I'm not sure how one
> actually defines "read permission" for uploaded files, since
> PmWiki puts permissions on wiki pages, and it isn't clear how one
> would determine to which page a particular uploaded file "belongs",
> in order to see if the user is allowed to read the uploaded file.
> Presumably PmWiki does some sort of check when secure uploads are turned
> on, but I don't know how or where that's done.
When attachments are being protected ($EnableDirectDownload=0;),
PmWiki uses a page's read permissions to determine whether a
visitor has permission to view any of the attachments for that page.
There's not really a concept of a separate set of permissions
for individual attachment files.
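The allowlist approach suggested above for the `command` issue, as an added example in PHP that is not code from this thread, from the IncludeUpload recipe or from PmWiki; the converter name `txt2html`, its option names, the upload path and the function names are assumptions:

```php
<?php
// Added illustration of allowlisting converter arguments. Not the recipe's
// own code; "txt2html", its options and the uploads path are hypothetical.

// Vulnerable pattern: directive text goes straight into the shell, so a
// markup argument such as "--links ; rm -rf /*" becomes part of the command.
function build_command_unsafe(string $file, string $args): string {
    return "txt2html $args $file";
}

// Option words an administrator is willing to pass to the converter.
// Anything not listed here is dropped, so no shell metacharacters survive.
$Txt2HtmlAllowedArgs = ['--links', '--no-images', '--short-lines'];

// Hardened pattern: keep only allowlisted option words, confine the file to
// the uploads directory and quote it. Returns null when the request should
// be refused outright.
function build_command_safe(string $file, string $args, array $allowed,
                            string $uploadDir = '/var/www/pmwiki/uploads'): ?string {
    // Plain file name only: must start with an alphanumeric, no separators,
    // no ".." traversal.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $file)
            || strpos($file, '..') !== false) {
        return null;
    }
    $path = $uploadDir . '/' . $file;

    $kept = [];
    foreach (preg_split('/\s+/', trim($args), -1, PREG_SPLIT_NO_EMPTY) as $word) {
        if (in_array($word, $allowed, true)) {
            // The literal allowlist entry is used, never the caller's copy.
            $kept[] = $word;
        }
        // Unknown words, including ";" or "rm", are silently discarded.
    }
    return 'txt2html ' . implode(' ', $kept) . ' ' . escapeshellarg($path);
}

// Demonstration with a constructed hostile argument string; the commands are
// only printed, never executed.
$hostile = "--links ; rm -rf /*";
echo build_command_unsafe('notes.txt', $hostile), "\n";   // ';' reaches the shell
echo build_command_safe('notes.txt', $hostile, $Txt2HtmlAllowedArgs), "\n";
var_dump(build_command_safe('../config.php', '', $Txt2HtmlAllowedArgs)); // refused
```

The same allowlist idea applies to the file name: because `$path` is built from a name that has already been restricted to a safe character set and then passed through `escapeshellarg()`, neither the option words nor the file name can introduce a second command.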