[pmwiki-users] Skins: How to disable file: , function: , and page: markups?
Patrick R. Michaud
pmichaud at pobox.com
Fri Jun 22 21:22:11 CDT 2007
On Sat, Jun 23, 2007 at 04:13:26AM +0200, Petko Yotov wrote:
> I am considering letting the users upload their skin templates and css files
> via the upload function of PmWiki, without FTP, and without bothering the
> server administrator.
>
> Obviously, I can only allow ordinary templates, "skin.tmpl" files (no php
> scripts). However, even they may contain some malicious code that may become
> a big security or privacy problem.
>
> So, is it possible to disable the following skin markups from being processed:
> <!--function: fname par par...-->
> <!--file:/etc/passwd-->
> <!--page:ReadProtectedPage SiteAdmin.AuthUser-->
>
> The only "pluggable" thing that came to my mind is to intercept the uploads
> and remove those keywords or replace them with something different. The
> functions LoadPageTemplate() and PrintFmt() seem unusually hardcoded to be
> set without a core patch.
Actually, I think we could make this fairly simple, by providing a
$SkinDirectivesPattern that identifies the patterns allowed in a
skin template. Currently the code to do this is in skin.php, line 106:
$TmplFmt['Start'] = array_merge(array('headers:'),
    preg_split('/[[<]!--((?:wiki|file|function|markup):.*?)--[]>]/s',
      array_shift($sect),0,PREG_SPLIT_DELIM_CAPTURE));
(As you can see, <!--page:...--> already appears to not be supported. :-)
So, if we change this line to be a configuration variable, it may
be fairly simple. :-)
Comments?
Pm
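As an added example, not code from PmWiki or from either poster, here is how the proposed $SkinDirectivesPattern could drive the preg_split() quoted above, together with an upload-time check that reports any directive the pattern would not accept. The variable names, the functions SplitSkinTemplate() and FindDisallowedDirectives(), the restricted pattern value and the sample template are all assumptions made for the illustration.

```php
<?php
// Added example (not PmWiki's own code). $SkinDirectivesPattern is the
// hypothetical configuration variable proposed in the message; everything
// below it is an assumption made for this illustration.

// Default: the same keywords skin.php line 106 currently hardcodes.
$SkinDirectivesPattern = 'wiki|file|function|markup';

// A locked-down value for user-uploaded skins: only wiki: and markup:.
$SkinDirectivesPatternRestricted = 'wiki|markup';

/**
 * Split a skin template into literal text and recognised directives using
 * the same regex shape as skin.php, but with the keywords taken from
 * $pattern. A directive whose keyword is not in $pattern is not captured:
 * it stays inside the surrounding text segment as an inert HTML comment.
 * With PREG_SPLIT_DELIM_CAPTURE, odd array indices hold the directives.
 */
function SplitSkinTemplate($tmpl, $pattern) {
  $re = '/[[<]!--((?:' . $pattern . '):.*?)--[]>]/s';
  return preg_split($re, $tmpl, 0, PREG_SPLIT_DELIM_CAPTURE);
}

/**
 * Return the directives in $tmpl whose keyword is NOT allowed by $pattern,
 * so an upload hook can reject (or warn about) a template before it is
 * saved. Nothing here executes a directive; it only inspects the keyword.
 */
function FindDisallowedDirectives($tmpl, $pattern) {
  $bad = array();
  if (preg_match_all('/[[<]!--((\w+):.*?)--[]>]/s', $tmpl, $m, PREG_SET_ORDER)) {
    foreach ($m as $d) {
      if (!preg_match('/^(?:' . $pattern . ')$/', $d[2])) $bad[] = $d[1];
    }
  }
  return $bad;
}

// Constructed sample template: two benign directives and two that
// Petko's message wants disabled for user-uploaded skins.
$tmpl = "<html><!--wiki:{\$Group}.SideBar-->\n"
      . "<!--file:/etc/passwd-->\n"
      . "<!--function:phpinfo-->\n"
      . "<!--markup:(:if auth admin:)admin(:ifend:)--></html>";

// Full pattern: all four are captured as directives.
$parts = SplitSkinTemplate($tmpl, $SkinDirectivesPattern);
// Restricted pattern: file: and function: are left behind as plain text.
$safe  = SplitSkinTemplate($tmpl, $SkinDirectivesPatternRestricted);

foreach (array_keys($parts) as $i) if ($i % 2) echo "full:       $parts[$i]\n";
foreach (array_keys($safe)  as $i) if ($i % 2) echo "restricted: $safe[$i]\n";

// Upload-time check: refuse the template if it carries anything else.
$bad = FindDisallowedDirectives($tmpl, $SkinDirectivesPatternRestricted);
if ($bad) {
  echo "rejected upload, disallowed directives: " . implode(', ', $bad) . "\n";
}
```

Run against the constructed template, the full pattern yields four directives while the restricted pattern yields only the wiki: and markup: ones; the file: and function: comments then never reach the directive handlers and simply remain literal text in the template. FindDisallowedDirectives() is the complementary piece: instead of silently passing such comments through, it lets the upload code reject the file and tell the uploader which directives are not permitted.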