[pmwiki-devel] PmWiki as Markup Service - is this a security hole?

michael paulukonis xraysmalevich at gmail.com
Fri May 17 09:39:52 CDT 2013


I neglected to thank you for the help (summer 2012!).
I haven't done further work on the project, but have been using it, and
hope to extend it further this year.

cheers!

-Michael Paulukonis
http://www.xradiograph.com
Interference Patterns (a blog) <http://www.xradiograph.com%5Cinterference>
@XraysMonaLisa <https://twitter.com/XraysMonaLisa>
http://michaelpaulukonis.com
<http://www.BestAndroidResources.com>

Sent from somewhere in the Cloud
(hearthrug, by the fender)


On Tue, Jun 12, 2012 at 7:33 AM, Petko Yotov <5ko at 5ko.fr> wrote:

> michael paulukonis writes:
>
>> Basically, the plugin checks for text enclosed by a set of tags, passes
>> that to the markup service, which then provides HTML back to WordPress.
>
> It looks like you're getting the output HTML via a network connection
> (browser or server)?
>
>
>> Is there any major security hole that I'm opening up in PmWiki by doing
>> this?
>
> ...
>
>> Is there any way to obtain arbitrary JavaScript that extensions attempt to
>> add to the page?
>
> No, not any more than leaving the standard PmWiki open to viewing. How
> secure that is depends on how secure the recipes you enabled are.
>
>
>> (other than inline JS applied to markup)?
>
> If you have inline JS, some of these PmWiki recipes also inject JavaScript
> into the header or footer of the rendered full page. Without it, some
> functionalities may not work in the HTML returned by MarkupToHTML(). But
> this is not a security issue.
>
> About security, in your case, I'd probably limit the PmWiki installation to
> only do the 'wikimarkup' action. Something like this in config.php:
>
>  $action = 'wikimarkup'; # OR
>  if($action != 'wikimarkup') $action = 'wikimarkup';
>
> Alternatively, it may be possible to include pmwiki.php and use only the
> markup engine. In your WordPress php configuration file, you can add
> something
> like this:
>
>  $EnableActions = 0;
>  include_once("pmwiki/pmwiki.php");
>
> This will load PmWiki but will disable all automatic processing, allowing
> you to call selected functions yourself, for example MarkupToHTML().
>
> Note that PmWiki will look for configuration files in two places:
>
>  local/config.php - the directory 'local' is relative to index.php of WordPress
>  local/farmconfig.php - 'local' here is relative to where pmwiki.php is
>
> And if you include recipes, you'll need to use the $FarmD variable:
>
>  include_once("$FarmD/cookbook/my-recipe.php");
>
> See the following discussion on the mailing list:
>
>  http://thread.gmane.org/gmane.comp.web.wiki.pmwiki.user/37668/focus=37694
>
> Petko
>
> _______________________________________________
> pmwiki-devel mailing list
> pmwiki-devel at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-devel
>
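The include-and-call approach from Petko's reply, written out as a WordPress-side wrapper. This is an added example, not code from the thread, from PmWiki or from Michael's plugin: it assumes the plugin marks wiki text with [pmwiki]...[/pmwiki] tags, that the pmwiki/ directory sits beside this file, and the standard PmWiki call MarkupToHTML($pagename, $text); the page name 'Main.WordPress' and the recipe file name are placeholders.

```php
<?php
// Added example: run only PmWiki's markup engine from WordPress, never its
// HTTP action dispatcher (browse, edit, upload, ...). This file must be
// loaded at global scope, as WordPress does for plugin files, so that
// $EnableActions is the global that pmwiki.php checks.
$EnableActions = 0;
include_once(__DIR__ . "/pmwiki/pmwiki.php");

// Recipes are located via $FarmD, which pmwiki.php sets to its own directory.
// Placeholder recipe name; enable only recipes you have reviewed, since each
// one adds markup rules (and possibly script output) to MarkupToHTML().
// include_once("$FarmD/cookbook/my-recipe.php");

/**
 * Replace every [pmwiki]...[/pmwiki] block (assumed tag name) with the HTML
 * that PmWiki's MarkupToHTML() renders for it. $pagename only gives PmWiki a
 * context for resolving relative links; no page file is read or written.
 */
function render_pmwiki_blocks($content, $pagename = 'Main.WordPress') {
  return preg_replace_callback(
    '/\[pmwiki\](.*?)\[\/pmwiki\]/s',
    function ($m) use ($pagename) {
      return MarkupToHTML($pagename, $m[1]);
    },
    $content
  );
}

// Hook into WordPress content rendering (real WordPress API).
add_filter('the_content', 'render_pmwiki_blocks');
```

If the same PmWiki tree also stays reachable over HTTP, pair this with the config.php pin from the reply (forcing $action to 'wikimarkup') so no other action can be requested against it.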