[pmwiki-users] new version of IncludeUpload -- more secure!

Kathryn Andersen kat_lists at katspace.homelinux.org
Tue May 8 05:06:22 CDT 2007


Thanks to suggestions of various folks on pmwiki-devel (and looking at
the code in ThomasP's "IncludeFile" recipe) I've now plugged various
security holes in the IncludeUpload recipe.
http://www.pmwiki.org/wiki/Cookbook/IncludeUpload

1) replaced txt2html= option with type= option
   This means that the user can no longer pass in arbitrary arguments
   which could be used to do Bad Things on your server.
   Now the conversion commands, including *all* their arguments,
   must be defined by the admin, and one picks which version of
   the comand by setting the "type" option (or the file extension).

   This is also cool because it means that one can define one's own
   "types" of file to include, so long as you can construct a command
   which will generate HTML from the file.

2) use url_fopen to conform to Apache permissions for files on the website
   Since the file is opened through the webserver, it obeys the
   webserver permissions.  However, since not all sites allow url_fopen,
   one can set $IncludeUploadUrlFopenEnabled = 0; to fall back to the
   original read-from-the-filesystem behaviour.
3) added 'includeupload' authorization level 
   This checks to see whether the user is allowed to access the
   page associated with the Attached file (which will either
   be the current page, or the other-group page associated
   with the uploaded file).

So I think that all justifies taking off the "WARNING DANGER" from the
recipe. 8-)

Please let me know if I'm mistaken!

Kathryn Andersen
-- 
 _--_|\     | Kathryn Andersen	<http://www.katspace.com>
/      \    | 
\_.--.*/    | GenFicCrit mailing list <http://www.katspace.com/gen_fic_crit/>
      v     | 
------------| Melbourne -> Victoria -> Australia -> Southern Hemisphere
Maranatha!  |	-> Earth -> Sol -> Milky Way Galaxy -> Universe



More information about the pmwiki-users mailing list