[Pmwiki-users] Re: Request for Article: "How to write safe scripts"
Patrick R. Michaud
pmichaud
Sun Jun 20 23:25:54 CDT 2004
On Mon, Jun 21, 2004 at 10:17:33AM -0700, Steven Leite wrote:
>
> I'd like to see a short (or detailed) article which addresses this
> potential for security breaches, and maybe give some tips on how
> developers can improve their scripts.
I don't have time for a detailed article at the moment, but here's
a short list. Essentially you have to be wary of anything that is
going to evaluate a string provided by an author as though it's
an executable command or code. This means being careful with things
such as PHP's eval() and system() functions, and also with preg_replace
where the '/e' modifier is given or available. Thus...
- If an author is somehow providing information for a regular expression,
make sure they aren't providing the entire regular expression (i.e.,
make sure they can't specify the /e modifier).
- If an author-supplied string is being used as the replacement value
for an expression modified by /e, make sure the author-supplied string
is quoted or that you have very good limits on what the author can supply.
- eval() is particularly dangerous with user-supplied strings.
Care is needed because the user-supplied string can often include
characters to get out of the quoted context and in a mode of being
able to execute functions directly. IMO, eval() should only be used
such that an author is limited to selecting from a set of predefined
constant strings (i.e., the author cannot define new strings in any
way).
- system() is very dangerous because it generally calls a shell
environment where many characters have special meanings (esp. quotes,
pipes, angle brackets, ampersands, etc.). Again, this is a place where
an author should be limited to selecting from a set of strings to be
used with system().
There are plenty of others but these are the biggies.
> Here's one example in particular that I would like to see scrutinized,
> since I use it in almost all of my scripts. I haven't released it to
> the Cookbook because I'm just too lazy, but I'll call it x-ParseLight
>
> $DoubleBrackets["/\\[\\[x-parse:(.*?)\\]\\]/e"] =
> 'xParseLight("$1");';
This has the /e so it deserves a close look; however, the $1 is
properly in quotation marks so it's pretty safe. The /e modifier will
cause PHP to escape any quotation marks that might appear in $1 to
keep the "..." from being terminated prematurely.
Pm
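Added example, not code from the original post or from PmWiki itself: the x-ParseLight rule above rewritten with preg_replace_callback so the captured text is never handed to eval() at all, and the "select from a set of predefined strings" pattern the list recommends for system(). The names xParseLight() and $DoubleBrackets come from the post; the stand-in body of xParseLight(), the sample markup, the allowlist contents and the helper names applyDoubleBrackets() and runAllowedCommand() are constructed here.

```php
<?php
// Added example (not from the original post or PmWiki). Shows the
// x-ParseLight rule without /e, and an allowlist for system()-style calls.

// Stand-in for the post's xParseLight(): renders the captured text inertly.
// The real function is not on the page; this body is constructed.
function xParseLight(string $text): string {
    return '<span class="x-parse">' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</span>';
}

// The rule as posted, kept only for comparison. With /e, PHP substitutes
// $1 (backslash-escaping quotes in it), then eval()s the result as PHP
// code. /e was deprecated in PHP 5.5 and removed in PHP 7.0, so this
// form no longer works on current PHP.
$DoubleBrackets_e = [
    "/\\[\\[x-parse:(.*?)\\]\\]/e" => 'xParseLight("$1");',
];

// Same rule without /e: the callback receives the match as a plain PHP
// string. No author-supplied text is ever parsed by the PHP compiler, so
// the safety of the rule no longer rests on quote escaping inside "$1".
$DoubleBrackets = [
    "/\\[\\[x-parse:(.*?)\\]\\]/" => function (array $m): string {
        return xParseLight($m[1]);
    },
];

// Applies every pattern => callback pair in $rules to the page text.
function applyDoubleBrackets(string $page, array $rules): string {
    foreach ($rules as $pattern => $callback) {
        $page = preg_replace_callback($pattern, $callback, $page);
    }
    return $page;
}

// The post's advice for system(): the author may only pick from a fixed
// table. Table contents are constructed for this example.
const ALLOWED_COMMANDS = [
    'date'   => 'date -u',
    'uptime' => 'uptime',
];

// Runs the command behind $key, or nothing at all for an unknown key.
// Only the constant right-hand side of the table ever reaches the shell,
// so shell metacharacters in author input are never interpreted.
function runAllowedCommand(string $key): string {
    if (!array_key_exists($key, ALLOWED_COMMANDS)) {
        return '';
    }
    return (string) shell_exec(ALLOWED_COMMANDS[$key]);
}

// Constructed sample page text with quotes and a "$" in the author text;
// the callback form passes it through untouched to xParseLight().
$sample = 'Intro [[x-parse:say "hi" to $name]] outro';
echo applyDoubleBrackets($sample, $DoubleBrackets), "\n";

echo runAllowedCommand('date'), "\n";
echo runAllowedCommand('date; id'), "\n";  // not a table key, so nothing runs
```

The callback form is the drop-in replacement for any /e rule: the replacement code moves into a closure and the capture arrives as `$m[1]`, which keeps the rule working on PHP 7 and later and removes the question of what an author can smuggle into an evaluated double-quoted string. For the allowlist, the key the author supplies is used only as an array index; it is never concatenated into the command.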