[Pmwiki-users] calculating directives ?

Knut Alboldt mailing
Sun Jun 20 10:09:58 CDT 2004


At 17:05 20.06.2004, Pm wrote:

> > I thought of evaluating php-functions for the expressions and assignments
> > maybe added by some user-written php-functions
>
>Keep in mind that evaluating arbitrary php functions using eval()
>is a Very Bad Thing if you're allowing other authors to edit pages.
>For example, you probably don't want to let someone eval a string like
>
>    0+3*system('rm -rf wiki.d')
>
>Continuing on, "user-written php functions" (where "user" means "author")
>is likely a Very Very Bad Idea -- you're basically giving authors
>the ability to execute arbitrary scripts on your server.

Thanks for that tip, that's right, it's really a big security hole.
I rather thought of using this only on my "home" wiki, so I would be the 
only author. But anyway it might be better to use the suggested solution 
(1. because it's ready, 2. because it's safe(r)) just in case the wiki one 
day becomes public (I bet I'd forget the problems it could cause then).

Thanks to all for these tips (incl. keyboard mapping etc.)!

Knut

PS: I really like this maillist !
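The safe alternative that Pm's warning points at, as an added example that is not code from the thread or from PmWiki: a whitelist arithmetic evaluator that parses a calculating directive itself instead of handing author text to eval(), so the worst an expression can do is produce an error. It assumes PHP 8 and the class and method names (SafeCalc, evaluate) are my own.

```php
<?php
// Added example (not from the thread or PmWiki): evaluate a "calculating
// directive" without eval(). Only numbers, + - * /, parentheses and unary minus
// are accepted, so 0+3*system('rm -rf wiki.d') is rejected before anything runs.
final class SafeCalc {                                   // class name assumed
    private int $pos = 0;
    private function __construct(private array $tokens) {}
    public static function evaluate(string $expr): float {
        preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);
        // Every non-blank character must be part of an accepted token; leftover
        // letters, quotes or a stray dot mean the input is not plain arithmetic.
        if (implode('', $m[0]) !== preg_replace('/\s+/', '', $expr)) { throw new InvalidArgumentException('rejected: not a pure arithmetic expression'); }
        $c = new self($m[0]);
        $v = $c->sum();
        if ($c->pos !== count($c->tokens)) { throw new InvalidArgumentException('rejected: trailing token ' . $c->tokens[$c->pos]); }
        return $v;
    }
    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function next(): ?string { return $this->tokens[$this->pos++] ?? null; }
    private function sum(): float {          // sum := product (('+'|'-') product)*
        $v = $this->product();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $v = $this->next() === '+' ? $v + $this->product() : $v - $this->product();
        }
        return $v;
    }
    private function product(): float {      // product := unary (('*'|'/') unary)*
        $v = $this->unary();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op = $this->next(); $rhs = $this->unary();
            $v = $op === '*' ? $v * $rhs : $v / $rhs;   // PHP 8 throws DivisionByZeroError on /0
        }
        return $v;
    }
    private function unary(): float {        // unary := '-' unary | number | '(' sum ')'
        $t = $this->next();
        if ($t === '-') { return -$this->unary(); }
        if ($t === '(') {
            $v = $this->sum();
            if ($this->next() !== ')') { throw new InvalidArgumentException("rejected: missing ')'"); }
            return $v;
        }
        if ($t !== null && is_numeric($t)) { return (float) $t; }
        throw new InvalidArgumentException('rejected: unexpected token ' . ($t ?? 'end of input'));
    }
}
foreach (['2*(3+4)-1', "0+3*system('rm -rf wiki.d')"] as $in) {
    try { echo "$in = ", SafeCalc::evaluate($in), "\n"; }
    catch (Throwable $e) { echo "$in -> ", $e->getMessage(), "\n"; }
}
```

The token/character comparison is what makes the whitelist airtight: anything the tokenizer does not recognise, including function names and quotes, makes the whole directive fail closed rather than being silently skipped.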