[pmwiki-devel] Safe way to take a page name as an argument in Markup

Petko Yotov 5ko at 5ko.fr
Wed Jan 27 21:47:16 CST 2010


On Sunday 24 January 2010 06:55:36, Randy Brown wrote:
> I'm a rank beginner at regex, but I seem to recall a warning that hackers
>  might exploit an argument if you use "/e" in Markup. Thus I currently
>  restrict my argument (which is supposed to be a page name) to digits:
> 
> Markup('mydirective', 'directives',
>   '/\\(:mydirective (\\d+):\\)/e',
>   "mydirective('$1')");
> 
> I assume there is a way for my directive to support any page name without
>  introducing a security hole. I probably only need to support a page Name,
>  rather than Group.Name, but for future reference it would be good to know
>  how to support either.
> 
> Could someone please tell me a safe expression, or else point me to a
>  script that could serve as a model for a safe expression?

Hello. You can pass the string through MakePageName() -- see as an example the 
markup definition for (:attachlist:) and the function FmtUploadList(), both 
are in scripts/upload.php.

Petko
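As an added illustration of the advice above (this is not code from the thread or from PmWiki itself), the following markup definition takes a page name argument, normalizes it with MakePageName() and never evaluates the argument as PHP. It assumes a PmWiki version in which Markup() accepts a callback function name as its fourth argument (the callback receives the preg match array $m) instead of a replacement string run under the "/e" modifier; the directive name, the CSS class names and the message text are made up for the example.

```php
<?php
// Added example, not from the original thread. Assumes PmWiki 2.2.56 or
// later, where Markup() takes a callback name and the callback gets the
// match array $m. Save as a file included from local/config.php.
if (!defined('PmWiki')) exit();

// First filter: only characters that can occur in a Name, Group.Name or
// Group/Name reference reach the callback. MakePageName() below does the
// actual normalization, so this is defence in depth, not the only check.
Markup('mydirective', 'directives',
  '/\\(:mydirective\\s+([-\\w.\\/]+)\\s*:\\)/',
  'MyDirectiveMarkup');

function MyDirectiveMarkup($m) {
  global $pagename;   // page currently being rendered (set by pmwiki.php)

  // Resolve the argument against the current page: "Name" becomes
  // "CurrentGroup.Name", "Group.Name" and "Group/Name" are kept, and
  // anything that is not valid in a page name is dropped.
  $target = MakePageName($pagename, $m[1]);

  if (!$target || !PageExists($target)) {
    // Echo the raw argument only after HTML-escaping it.
    return Keep("<span class='wikimessage'>(:mydirective:) page "
      . htmlspecialchars($m[1], ENT_QUOTES) . " not found</span>");
  }

  // $target is now a canonical Group.Name; Keep() protects the generated
  // HTML from further markup processing, and htmlspecialchars() makes sure
  // nothing from the source page is interpreted as HTML.
  return Keep("<span class='mydirective'>"
    . htmlspecialchars($target, ENT_QUOTES) . "</span>");
}
```

Because the replacement is a named function rather than a string handed to preg_replace() with "/e", the text captured by the pattern is only ever data: it is normalized by MakePageName(), checked with PageExists(), and escaped before it is written into the page.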


