[Pmwiki-users] Re: Request for Article: "How to write safe scripts"
Patrick R. Michaud
Sun Jun 20 23:25:54 CDT 2004
On Mon, Jun 21, 2004 at 10:17:33AM -0700, Steven Leite wrote:
> I'd like to see a short (or detailed) article which address this
> potential for security breaches, and maybe give some tips on how
> developers can improve their scripts.
I don't have time for a detailed article at the moment, but here's
a short list. Essentially you have to be wary of anything that is
going to evaluate a string provided by an author as though it's
an executable command or code. This means being careful with things
such as PHP's eval() and system() functions, and also with preg_replace
where the '/e' modifier is given or available. Thus...
- If an author is somehow providing information for a regular expression,
make sure they aren't providing the entire regular expression (i.e.,
make sure they can't specify the /e modifier).
- If an author-supplied string is being used as the replacement value
for an expression modified by /e, make sure the author-supplied string
is quoted or that you have very good limits on what the author can supply.
- eval() is particularly dangerous with user-supplied strings.
Care is needed because the user-supplied string can often include
characters to get out of the quoted context and in a mode of being
able to execute functions directly. IMO, eval() should only be used
such that an author is limited to selecting from a set of predefined
constant strings (i.e., the author cannot define new strings in any
- system() is very dangerous because it generally calls a shell
environment where many characters have special meanings (esp. quotes,
pipes, angle brackets, ampersands, etc.). Again, this is a place where
an author should be limited to selecting from a set of strings to be
used with system().
There are plenty of others but these are the biggies.
> Here's one example in particular that I would like to see scrutinized,
> since I use it in almost all of my scripts. I haven't released it to
> the Cookbook because I'm just too lazy, but I'll call it x-ParseLight
> $DoubleBrackets["/\\[\\[x-parse:(.*?)\\]\\]/e"] =
This has the /e so it deserves a close look, however the $1 is
properly in quotation marks so it's pretty safe. The /e modifier will
cause PHP to escape any quotation marks that might appear in $1 to
keep the "..." from being terminated prematurely.
More information about the pmwiki-users