[pmwiki-users] new version of IncludeUpload -- more secure!
Kathryn Andersen
kat_lists at katspace.homelinux.org
Tue May 8 05:06:22 CDT 2007
Thanks to suggestions of various folks on pmwiki-devel (and looking at
the code in ThomasP's "IncludeFile" recipe) I've now plugged various
security holes in the IncludeUpload recipe.
http://www.pmwiki.org/wiki/Cookbook/IncludeUpload
1) replaced txt2html= option with type= option
This means that the user can no longer pass in arbitrary arguments
which could be used to do Bad Things on your server.
Now the conversion commands, including *all* their arguments,
must be defined by the admin, and one picks which version of
the comand by setting the "type" option (or the file extension).
This is also cool because it means that one can define one's own
"types" of file to include, so long as you can construct a command
which will generate HTML from the file.
2) use url_fopen to conform to Apache permissions for files on the website
Since the file is opened through the webserver, it obeys the
webserver permissions. However, since not all sites allow url_fopen,
one can set $IncludeUploadUrlFopenEnabled = 0; to fall back to the
original read-from-the-filesystem behaviour.
3) added 'includeupload' authorization level
This checks to see whether the user is allowed to access the
page associated with the Attached file (which will either
be the current page, or the other-group page associated
with the uploaded file).
So I think that all justifies taking off the "WARNING DANGER" from the
recipe. 8-)
Please let me know if I'm mistaken!
Kathryn Andersen
--
_--_|\ | Kathryn Andersen <http://www.katspace.com>
/ \ |
\_.--.*/ | GenFicCrit mailing list <http://www.katspace.com/gen_fic_crit/>
v |
------------| Melbourne -> Victoria -> Australia -> Southern Hemisphere
Maranatha! | -> Earth -> Sol -> Milky Way Galaxy -> Universe
More information about the pmwiki-users
mailing list