[pmwiki-devel] Safe way to take a page name as an argument in Markup
Petko Yotov
5ko at 5ko.fr
Wed Jan 27 21:47:16 CST 2010
On Sunday 24 January 2010 06:55:36, Randy Brown wrote:
> I'm a rank beginner at regex, but I seem to recall a warning that hackers
> might exploit an argument if you use "/e" in Markup. Thus I currently
> restrict my argument (which is supposed to be a page name) to digits:
>
> Markup('mydirective', 'directives',
> '/\\(:mydirective (\\d+):\\)/e',
> "mydirective('$1')");
>
> I assume there is a way for my directive to support any page name without
> introducing a security hole. I probably only need to support a page Name,
> rather than Group.Name, but for future reference it would be good to know
> how to support either.
>
> Could someone please tell me a safe expression, or else point me to a
> script that could serve as a model for a safe expression?
Hello. You can pass the string through MakePageName() -- see as an example the
markup definition for (:attachlist:) and the function FmtUploadList(), both of
which are in scripts/upload.php.
Petko
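As an added example (not code from this thread or from PmWiki itself), here is what the approach Petko describes looks like for a hypothetical `(:mydirective Group.Name:)` directive. The capture group admits only characters that can occur in a page name, so arbitrary wiki text never reaches the code evaluated by the `/e` modifier; the captured text is then passed through PmWiki's `PSS()` and `MakePageName()` so that only a normalized `Group.Name` reaches the callback, which verifies the result before using it. The directive name and the callback `MyDirective()` are assumed names; `Markup()`, `PSS()`, `MakePageName()`, `PageExists()` and `Keep()` are PmWiki's own functions and `$pagename` is the current page, as in scripts/upload.php.

```php
<?php
# Added example for a hypothetical (:mydirective Group.Name:) directive.
# Assumes the PmWiki functions Markup(), PSS(), MakePageName(), PageExists()
# and Keep() are available, as they are inside a PmWiki recipe script.
#
# The capture group is restricted to page-name characters ([\w.\/-]), so the
# text substituted for $1 into the evaluated replacement can never contain
# quotes, parentheses or other PHP syntax. This restriction, not PSS(), is
# what makes the /e replacement safe; PSS() only undoes the escaping that
# the /e modifier applies to the captured text.
Markup('mydirective', 'directives',
  '/\\(:mydirective\\s+([\\w.\\/-]+):\\)/e',
  "MyDirective('$pagename', PSS('$1'))");

# Callback: normalizes the argument to a canonical Group.Name and checks it.
function MyDirective($pagename, $arg) {
  # MakePageName() resolves a bare "Name" relative to the current group and
  # "Group.Name" or "Group/Name" to the canonical form; anything it cannot
  # turn into a page name comes back as an empty string.
  $target = MakePageName($pagename, $arg);
  if ($target == '' || !PageExists($target))
    return Keep('<span class="mydirective-error">Unknown page</span>');
  # From here on only the validated, canonical page name is used.
  return Keep('<span class="mydirective">' . htmlspecialchars($target) . '</span>');
}
```

Two notes on the design: supporting both `Name` and `Group.Name` costs nothing extra, because `MakePageName()` performs the group resolution; and the `/e` modifier itself was deprecated in PHP 5.5 and removed in PHP 7, so on current PmWiki releases the same rule is written with the callback-based `Markup_e()`, where the callback receives the matches array directly and no PHP code is evaluated at all.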