[pmwiki-devel] The (In)Security of IncludeUpload

Patrick R. Michaud pmichaud at pobox.com
Wed May 2 08:01:54 CDT 2007 

On Wed, May 02, 2007 at 12:33:02PM +1000, Kathryn Andersen wrote:
> Having just mentioned the insecurity of my IncludeUpload recipe, I'd
> appreciate some help in actually making it secure.  It's secure enough
> if one can trust the people who have edit permission, but if it's an
> open wiki, it is Bad News.
> 
> There are a few issues I'm aware of:
> 
> 1. the command to do text-to-html conversion is a `command`, which
> isn't secure, since someone could pass in arguments which would turn
> it into `command arg;rm -rf /*` or the like.  With Perl, there are
> things like taint.  I don't know what the equivalent is in PHP.

PHP ain't got no taint.  :-)  Besides, even if it did, the 
variables you're wanting to use here ($txt2html_args) would 
be tainted, because they're coming from the "outside world".

Out of curiosity, what `command` are you typically using to
convert the text to html?  

One possibility might be to explicitly list the $txt2html_args
that you're willing to accept, rather than take them directly
from the directive argument.  (If you can provide a couple of
examples, I can illustrate a way to do this.)

> 2. Files stored in pmwiki/uploads are not checked to see whether
> the user has read permission on them.  [...]
> 3. Files stored under $DOCUMENT_ROOT do not check Apache permissions,
> they just go straight to the filesystem, which means that if the
> file is readable by Apache, then it's readable by anyone.
> I don't know how to check for this.

One answer might be to read the file's contents via url instead
of directly off the filesystem (i.e., using a url-based fopen).


> I'm not sure how one
> actually defines "read permission" for uploaded files, since
> PmWiki puts permissions on wiki pages, and it isn't clear how one
> would determine to which page a particular uploaded file "belongs",
> in order to see if the user is allowed to read the uploaded file.
> Presumably PmWiki does some sort of check when secure uploads are turned
> on, but I don't know how or where that's done.

When attachments are being protected ($EnableDirectDownload=0;), 
PmWiki uses a page's read permissions to determine whether a 
visitor has permission to view any of the attachments for that page.
There's not really a concept of a separate set of permissions
for individual attachment files.

Pm

More information about the pmwiki-devel mailing list