[Pmwiki-users] Request for Article: "How to write safe scripts"

Steven Leite steven_leite
Sun Jun 20 23:02:44 CDT 2004


Frequently on the list we have observed suggestions and warnings about not allowing users ("authors") the ability to execute arbitrary code through some method/function such as a user-defined function / Cookbook recipe.

From my observations, PmWiki has been built with security and safety in mind, which I can appreciate.  Since most of the Cookbook recipes are written by "other" developers, I think using them can be, and probably *is*, a risky thing.

I've written a number of Cookbook scripts myself, and many of them "take input" from the user ("author").  I'd like to know how I can write scripts so that they are written with the same security-mindedness that PmWiki is written in.  After all, a system is only as secure as its weakest point, so PmWiki can be as secure as Fort Knox, but if there's just one cookbook recipe running that has a loophole in it, then ... the world may cease to exist.

I'd like to see a short (or detailed) article which addresses this potential for security breaches, and maybe gives some tips on how developers can improve their scripts.

Here's one example in particular that I would like to see scrutinized, since I use it in almost all of my scripts.  I haven't released it to the Cookbook because I'm just too lazy, but I'll call it x-ParseLight

// This is the "hook" that executes the main function (in this case
// the main function is called xParseLight).
$DoubleBrackets["/\\[\\[x-parse:(.*?)\\]\\]/e"] = 'xParseLight("$1");';

function xParseLight($input)
{
  // This "main" function takes the $1 parameter as $input.  It contains
  // everything between the [[x-parse: and the closing ]].  The next few
  // lines chop it up and load it into an array for internal use.

  $xParseParams = array();
  $params = explode(" ", $input);
  foreach ($params as $param) {
    // Skip tokens without "=", and split on the first "=" only so that
    // a value such as a URL with a query string stays intact.
    if (strpos($param, "=") === false) continue;
    list($key, $value) = explode("=", $param, 2);
    $xParseParams[$key] = $value;
  }

  // ... rest of your code here ...
}

So, by using the above example, it's possible to do something like:

[[x-calendar: months=6 wrap=3 startmonth=1 showsummary=false]]

To get a very customized calendar output.  Or another example might be

[[x-include: url=http://www.yahoo.com width=100% height=400 scrollbars=no]]

There may be "other" security holes out there besides this one.  Perhaps pages that take information from a WikiPage like a "safe url list" could be used by "bad people".  Or maybe a seemingly harmless WikiPage containing random quotes could also be subverted for "evil deeds".

These things and others are the types of things I would like to see discussed in an article, or even in general as a thread on this list.  It will benefit the developers who make these scripts, and also the users ("administrators") who use the scripts.

Sidenote:  Thanks to Patrick for his constant nagging about the mis-use and abuse of the word "user".  I can't use that word anymore without thinking that I am probably mis-using it!  Haha ...

-Steven Leite
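
An added example, not part of the original post and not PmWiki code: one way to handle the key=value text captured by a markup such as [[x-include: ...]] so that only known keys with expected value shapes are accepted, the URL is checked against an allow-list of hosts, and every value is escaped where it enters the HTML. The function names and the host list are hypothetical.

```php
<?php
// Added example: names and the host allow-list are hypothetical.
// Value shapes accepted for each known key; any other key is rejected.
function xSafeRules() {
  return array(
    'width'      => '/^\d{1,4}(%|px)?$/',
    'height'     => '/^\d{1,4}(%|px)?$/',
    'scrollbars' => '/^(yes|no|auto)$/',
  );
}

// Returns the validated parameters, or false if any token is unexpected.
function xParseSafe($input, $allowedHosts) {
  $rules = xSafeRules();
  $out = array();
  foreach (preg_split('/\s+/', trim($input), -1, PREG_SPLIT_NO_EMPTY) as $param) {
    // Limit of 2: later "=" characters stay inside the value (URL queries).
    $parts = explode('=', $param, 2);
    if (count($parts) != 2) return false;
    list($key, $value) = $parts;
    if ($key === 'url') {
      $u = parse_url($value);
      if (!is_array($u) || !isset($u['scheme'], $u['host'])) return false;
      if (!in_array(strtolower($u['scheme']), array('http', 'https'), true)) return false;
      if (!in_array(strtolower($u['host']), $allowedHosts, true)) return false;
    } elseif (!isset($rules[$key]) || !preg_match($rules[$key], $value)) {
      return false;
    }
    $out[$key] = $value;
  }
  return $out;
}

// Builds the iframe; each value is escaped where it enters the HTML.
function xIncludeHtml($input, $allowedHosts) {
  $p = xParseSafe($input, $allowedHosts);
  if ($p === false || !isset($p['url'])) return '';
  $map = array('url' => 'src', 'width' => 'width', 'height' => 'height',
               'scrollbars' => 'scrolling');
  $html = '<iframe';
  foreach ($map as $key => $attr) {
    if (isset($p[$key])) $html .= ' ' . $attr . '="' . htmlspecialchars($p[$key], ENT_QUOTES) . '"';
  }
  return $html . '></iframe>';
}

$hosts = array('www.example.org');  // constructed allow-list
echo xIncludeHtml('url=http://www.example.org/a?x=1&y=2 width=100% height=400 scrollbars=no', $hosts), "\n";
var_dump(xParseSafe('url=http://other.example.net/ months=6', $hosts));  // host not on the list
```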