| author | Joey Hess <joey@kodama.kitenet.net> | 2008-06-15 16:27:08 -0400 |
|---|---|---|
| committer | Joey Hess <joey@kodama.kitenet.net> | 2008-06-15 16:27:08 -0400 |
| commit | 8f8543389e1472292b55b7394835932d206ecddb (patch) | |
| tree | 3014a5f71688e917e6f12573e68343ea0681e66f /doc/plugins/hnb | |
| parent | 78a7f6938f24e6ccf60b5a50400e728cb2b98ff9 (diff) | |
| download | ikiwiki-8f8543389e1472292b55b7394835932d206ecddb.tar ikiwiki-8f8543389e1472292b55b7394835932d206ecddb.tar.gz | |
finish including hnb plugin
Diffstat (limited to 'doc/plugins/hnb')

| -rw-r--r-- | doc/plugins/hnb/discussion.mdwn | 28 |
|---|---|---|

1 files changed, 28 insertions, 0 deletions
diff --git a/doc/plugins/hnb/discussion.mdwn b/doc/plugins/hnb/discussion.mdwn new file mode 100644 index 000000000..45bd703c4 --- /dev/null +++ b/doc/plugins/hnb/discussion.mdwn @@ -0,0 +1,28 @@ +I've reviewed this plugin's code, and there is one major issue with it, +namely this line: + + system("hnb '$params{page}.hnb' 'go root' 'export_html $tmp' > /dev/null"); + +This could potentially allow execution of artibtary shell code, if the filename +contains a single quote. + +* Fixed with version 0.02 by usage of `$params{content}` -- XTaran + +Which ikiwiki doesn't allow by default, but I prefer to never involve a shell where one is not needed. The otl plugin is a good example of how to safely fork a child process without involving the shell. + +* Had a look at that one as example before writing the hnb plugin, but hnb has different input/output characteristics. I would prefer another solution, too, but as long as it works and is secure, I'm fine with the current (fixed :-) ) solution -- [[XTaran]]. + +Other problems: + +* Use of shell mktemp from perl is suboptimal. File::Temp would be better. + * Fixed with version 0.02 -- [[XTaran]] +* The htmlize hook should not operate on the contents of `$params{page}.hnb`. + The content that needs to be htmlized is passed in to the hook in + `$params{content}`. + * Fixed with version 0.02 -- [[XTaran]] + +If these problems are resolved and a copyright statement is added to the file, + +* Copyright Statement is in their for about a month. -- [[XTaran]] + +I'd be willing to include this plugin in ikiwiki. --[[Joey]] |
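Review bot: the security finding in this hunk is only half-documented: the unsafe call `system("hnb '$params{page}.hnb' 'go root' 'export_html $tmp' > /dev/null");` is shown, but the fix credited to "version 0.02 by usage of `$params{content}`" is not, so a reader of this discussion page cannot tell whether 0.02 still builds a shell command string from interpolated data or only changed where the input comes from. Suggest quoting the 0.02 invocation, and, in line with the reply's own pointer to the otl plugin, using Perl's list form of `system` (one argument per list element, which skips the shell entirely; the `> /dev/null` redirect then has to be done in Perl rather than in the command string). Two typos in the added text would also be worth fixing before the page is published: "artibtary" should be "arbitrary", and "Copyright Statement is in their for about a month" should read "in there".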