diff options
| author | spalax <spalax@web> | 2014-10-25 12:17:16 -0400 |
|---|---|---|
| committer | admin <admin@branchable.com> | 2014-10-25 12:17:16 -0400 |
| commit | d60420b0a012b099653ecd4ed582f37662af260a (patch) | |
| tree | b763f2af4e6eebb97a66cae0ee9dc2e0376e5d69 /doc/plugins/contrib/compile | |
| parent | 0454be45f4f153663b1e8c227a1e59ae5a4871c5 (diff) | |
| download | ikiwiki-d60420b0a012b099653ecd4ed582f37662af260a.tar ikiwiki-d60420b0a012b099653ecd4ed582f37662af260a.tar.gz | |
Answer
Diffstat (limited to 'doc/plugins/contrib/compile')
| -rw-r--r-- | doc/plugins/contrib/compile/discussion.mdwn | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/doc/plugins/contrib/compile/discussion.mdwn b/doc/plugins/contrib/compile/discussion.mdwn index 96269d4e4..c2d2f6cd4 100644 --- a/doc/plugins/contrib/compile/discussion.mdwn +++ b/doc/plugins/contrib/compile/discussion.mdwn @@ -14,3 +14,39 @@ script specified in setup file - then e.g. you can choose which commands are all What do you think? -- [[fr33domlover]] + +> The problem you mention is known, and is not a problem for me, since I am the +only user of the wiki. However, if we need a *secure* version of this +command... +> +> Imagine we have a setup option `compile_unsecure`. +> +> The directive takes the following arguments +> +> - filetype: No problem. +> - build: Forbidden. +> - source: No problem. +> - template: No problem. +> - destname and files: The problem is that right now, the command is run using a shell +> call. Thus, a user can easily use this argument to inject malicious +> commands (something like \[[!compile files=";rm -fr *"]] (well, this +> actually would not work, but you get the idea)). I do want to keep the +> ability to use shell commands, for the flexibility it provides, but I imagine +> we can: +> - interpret the `build` command depending on its type: +> - if it is a string, it is interpreted as a shell command; +> - if it is a list of strings, the first one is the command to execute, +> the following ones are the arguments. If I am not wrong, this should +> prevent command injection. +> - if it is a list of lists of strings, it is a list of commands to +> execute (execution being stopped on the first error; usefull for stuff +> like `latex foo.tex && dvipdf foo.dvi`). +> - the `compile_unsecure` would: +> - forbid commands to be strings (thus, forbidding shell commands, and preventing command injections); +> - forbid compilation using Makefile or executable prevent in the wiki (to prevent users from modifying those files, and executing arbitrary commands); +> - forbid directive argument `build`. +> +> +> Any thoughts? +> +> -- [[Louis|spalax]] |