[pmwiki-devel] PmWiki as Markup Service - is this a security hole?

Petko Yotov 5ko at 5ko.fr
Tue Jun 12 06:33:19 CDT 2012


michael paulukonis writes:
> Basically, the plugin checks for text enclosed by a set of tags, passes that
> to the markup service, which then provides HTML back to WordPress.

It looks like you're getting the output HTML via a network connection (browser or
server)?

> Is there any major security hole that I'm opening up in PmWiki by doing
> this?
...
> Is there any way to obtain arbitrary JavaScript that extension attempt to
> add to the page?

No, not any more than leaving the standard PmWiki open to viewing. How secure
that is depends on how secure the recipes you enabled are.

> (other than inline JS applied to markup) ?

If you have inline JS, some of these PmWiki recipes also inject JavaScript
into the header or footer of the rendered full page. Without it, some
functionalities may not work in the HTML returned by MarkupToHTML(). But this
is not a security issue.

About security, in your case, I'd probably limit the PmWiki installation to
only do the 'wikimarkup' action. Something like this in config.php:

  $action = 'wikimarkup'; # OR
  if($action != 'wikimarkup') $action = 'wikimarkup';

Alternatively, it may be possible to include pmwiki.php and use only the
markup engine. In your WordPress php configuration file, you can add something
like this:

  $EnableActions = 0;
  include_once("pmwiki/pmwiki.php");

This will load PmWiki but will disable all automatic processing, allowing you
to call selected functions yourself, for example MarkupToHTML().

Note that PmWiki will look for configuration files at two places:

  local/config.php - the directory 'local' is relative to index.php of WordPress
  local/farmconfig.php - 'local' here is relative to where pmwiki.php is

And if you include recipes, you'll need to use the $FarmD variable:

  include_once("$FarmD/cookbook/my-recipe.php");

See the following discussion on the mailing list:

  http://thread.gmane.org/gmane.comp.web.wiki.pmwiki.user/37668/focus=37694

Petko
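As an added illustration of the "include pmwiki.php with $EnableActions = 0" approach described above (this is example code, not Petko's, PmWiki's or the WordPress plugin's own), here is how the WordPress side could render the tagged regions of a post through MarkupToHTML(). The helper name pmwiki_render_regions, the [pmwiki]...[/pmwiki] tag pair, the pmwiki/ path and the page name Main.WordPressEmbed are assumptions.

```php
<?php
// Added example (assumptions: paths, tag pair, helper and page name).
// Loading PmWiki this way keeps the markup engine available to WordPress
// while PmWiki never dispatches an $action of its own, so a request to
// WordPress cannot turn into a PmWiki edit, upload or other action.

// Must be set BEFORE pmwiki.php is included: it disables PmWiki's automatic
// request processing, as described in the mail above.
$EnableActions = 0;
include_once(__DIR__ . '/pmwiki/pmwiki.php');   // path is an assumption

// Hypothetical plugin helper: replace every [pmwiki]...[/pmwiki] region of a
// post body with the HTML that PmWiki's MarkupToHTML() produces for it.
// MarkupToHTML($pagename, $text) is PmWiki's own rendering entry point.
function pmwiki_render_regions($post_body) {
    return preg_replace_callback(
        '/\[pmwiki\](.*?)\[\/pmwiki\]/s',
        function ($m) {
            // The page name only matters for page-relative links and
            // variables inside the markup; a fixed, dedicated name keeps the
            // rendering independent of any real wiki page.
            // The returned HTML is whatever the enabled recipes emit, so it
            // is exactly as trustworthy as those recipes (see above).
            return MarkupToHTML('Main.WordPressEmbed', $m[1]);
        },
        $post_body
    );
}

// Constructed sample input, as a WordPress post body would carry it.
$sample = "Intro text.\n[pmwiki]'''bold''' and [[Main.HomePage]][/pmwiki]\nOutro.";
echo pmwiki_render_regions($sample);
```

Recipes loaded from the plugin side still need the $FarmD form of include_once shown above, because 'local' and 'cookbook' resolve relative to different directories in this setup.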