[pmwiki-users] Skins: How to disable file: , function: , and page: markups?

Patrick R. Michaud pmichaud at pobox.com
Fri Jun 22 21:22:11 CDT 2007


On Sat, Jun 23, 2007 at 04:13:26AM +0200, Petko Yotov wrote:
> I am considering letting the users upload their skin templates and css files 
> via the upload function of PmWiki, without FTP, and without bothering the 
> server administrator.
> 
> Obviously, I can only allow ordinary templates, "skin.tmpl" files (no php 
> scripts). However, even they may contain some malicious code that may become 
> a big security or privacy problem.
> 
> So, is it possible to disable the following skin markups from being processed:
>     <!--function: fname par par...-->
>     <!--file:/etc/passwd-->
>     <!--page:ReadProtectedPage SiteAdmin.AuthUser-->
> 
> The only "pluggable" thing that came to my mind is to intercept the uploads 
> and remove those keywords or replace them with something different. The 
> functions LoadPageTemplate() and PrintFmt() seem unusually hardcoded to be 
> set without a core patch.

Actually, I think we could make this fairly simple, by providing a
$SkinDirectivesPattern that identifies the patterns allowed in a
skin template.  Currently the code to do this is skin.php, line 106:

  $TmplFmt['Start'] = array_merge(array('headers:'),
    preg_split('/[[<]!--((?:wiki|file|function|markup):.*?)--[]>]/s',
      array_shift($sect),0,PREG_SPLIT_DELIM_CAPTURE));

(As you can see, <!--page:...--> already appears to not be supported. :-)

So, if we change this line to be a configuration variable, it may
be fairly simple.  :-)

Comments?

Pm
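The change sketched above, as an added example (not PmWiki's own code and not Pm's patch): the split regex from skin.php becomes a configuration variable, and a site that lets untrusted users upload skin.tmpl files sets it to a narrower allowlist. The variable name $SkinDirectivesPattern is Pm's proposal; SplitSkinDirectives(), DescribeParts(), the "Restricted" variant and the sample template are assumptions made here for illustration, and only the regex itself is taken from the quoted line 106.

```php
<?php
// Added example, not PmWiki core code. Only the default regex below is
// copied from skin.php line 106; the helper functions, the sample
// template and the restricted pattern are illustrative assumptions.

// Default pattern, identical to what skin.php currently hardcodes:
// wiki:, file:, function: and markup: are all split out as directives.
$SkinDirectivesPattern = '/[[<]!--((?:wiki|file|function|markup):.*?)--[]>]/s';

// Value a site could set in config.php once untrusted users may upload
// skin.tmpl files: only wiki: and markup: are recognised. A file: or
// function: comment no longer matches, so it stays inside the literal
// text as an inert HTML comment instead of becoming a PrintFmt directive.
$SkinDirectivesPatternRestricted = '/[[<]!--((?:wiki|markup):.*?)--[]>]/s';

// The array_merge/preg_split step from skin.php, parameterised on the pattern.
function SplitSkinDirectives($tmpl, $pattern) {
  return array_merge(array('headers:'),
    preg_split($pattern, $tmpl, 0, PREG_SPLIT_DELIM_CAPTURE));
}

// Label each element the way PrintFmt would treat it: an element that
// starts with a directive keyword is dispatched, everything else is
// emitted as literal text. (Constructed classifier, for display only.)
function DescribeParts($parts) {
  $out = array();
  foreach ($parts as $p) {
    if (preg_match('/^(headers|wiki|file|function|markup):/', $p))
      $out[] = 'DIRECTIVE ' . $p;
    else
      $out[] = 'TEXT      ' . $p;
  }
  return $out;
}

// Constructed skin.tmpl fragment of the kind a hostile uploader might send.
$tmpl = '<html><body>'
      . '<!--wiki:{$Group}.SideBar-->'
      . '<!--file:/etc/passwd-->'
      . '<!--function:phpinfo-->'
      . '<!--markup:(:if auth admin:)secret(:ifend:)-->'
      . '</body></html>';

echo "--- default pattern ---\n";
echo implode("\n", DescribeParts(SplitSkinDirectives($tmpl, $SkinDirectivesPattern))), "\n";
echo "--- restricted pattern ---\n";
echo implode("\n", DescribeParts(SplitSkinDirectives($tmpl, $SkinDirectivesPatternRestricted))), "\n";
```

With the default pattern the file: and function: comments come out as their own DIRECTIVE elements; with the restricted pattern they are swallowed into one TEXT element ("<!--file:/etc/passwd--><!--function:phpinfo-->") that is sent to the browser as a plain comment. The point of doing it this way rather than stripping keywords on upload is that it is an allowlist at the place where directives are interpreted, so a template that reaches the skin directory by any other route is covered too.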
