[Pmwiki-users] calculating directives ?
Knut Alboldt
Sun Jun 20 10:09:58 CDT 2004
At 17:05 20.06.2004, Pm wrote:
> > I thought of evaluating php-functions for the expressions and assignments
> > maybe added by some user-written php-functions
>
>Keep in mind that evaluating arbitrary php functions using eval()
>is a Very Bad Thing if you're allowing other authors to edit pages.
>For example, you probably don't want to let someone eval a string like
>
> 0+3*system('rm -rf wiki.d')
>
>Continuing on, "user-written php functions" (where "user" means "author")
>is likely a Very Very Bad Idea -- you're basically giving authors
>the ability to execute arbitrary scripts on your server.
Thanks for that tip, that's right, it's really a big security hole.
I was rather thinking of using this only on my "home" wiki, so I would be the
only author. But anyway it might be better to use the suggested solution
(1. because it's ready, 2. because it's safe(r)) just in case the wiki one
day becomes public (I bet I'd forget the problems it could cause then).
Thanks to all for these tips (incl. keyboard mapping etc.)!
Knut
PS: I really like this mailing list!
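
The eval() risk discussed above, seen from the defensive side: an added example (not part of the original thread and not PmWiki code) that evaluates author-supplied arithmetic with a small allowlist parser instead of eval(), so the string quoted in the message is refused rather than executed. The names safe_calc and parse_level and the 200-byte limit are hypothetical; PHP 8 is assumed.

```php
<?php
// Added example: arithmetic evaluator for author-supplied expressions.
// It never calls eval(); anything outside the token allowlist is refused.
function safe_calc(string $expr): float
{
    $expr = trim($expr);
    // Tokens: unsigned numbers, + - * / and parentheses. \G keeps them contiguous,
    // so a stray letter or quote leaves part of the input unmatched.
    preg_match_all('/\G\s*(\d+(?:\.\d+)?|[-+*\/()])/', $expr, $m);
    // The 200-byte cap (an arbitrary choice) bounds recursion depth on nested input.
    if ($expr === '' || strlen($expr) > 200 || strlen(implode('', $m[0])) !== strlen($expr)) {
        throw new InvalidArgumentException('disallowed input');
    }
    $pos = 0;
    $value = parse_level($m[1], $pos, 0);
    if ($pos !== count($m[1])) {
        throw new InvalidArgumentException('unexpected token');
    }
    return $value;
}

// Level 0 handles + and -, level 1 handles * and /, level 2 is a single operand.
function parse_level(array $t, int &$p, int $level): float
{
    if ($level === 2) {
        $tok = $t[$p] ?? null;
        $p++;
        if ($tok === '-') { return -parse_level($t, $p, 2); }   // unary minus
        if ($tok === '(') {
            $v = parse_level($t, $p, 0);
            if (($t[$p] ?? null) !== ')') { throw new InvalidArgumentException('missing )'); }
            $p++;
            return $v;
        }
        if ($tok === null || !is_numeric($tok)) { throw new InvalidArgumentException('number expected'); }
        return (float) $tok;
    }
    $ops = $level === 0 ? ['+', '-'] : ['*', '/'];
    $v = parse_level($t, $p, $level + 1);
    while (in_array($t[$p] ?? null, $ops, true)) {
        $op = $t[$p++];
        $r = parse_level($t, $p, $level + 1);
        if ($op === '/' && $r == 0.0) { throw new InvalidArgumentException('division by zero'); }
        $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };
    }
    return $v;
}

// Constructed inputs: the second is the string quoted in the message above.
foreach (['0+3*(4-1)', "0+3*system('rm -rf wiki.d')"] as $input) {
    try { echo $input, ' => ', safe_calc($input), "\n"; }
    catch (InvalidArgumentException $e) { echo $input, ' => rejected: ', $e->getMessage(), "\n"; }
}
```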