author: spalax <spalax@web> 2014-10-25 12:17:16 -0400
committer: admin <admin@branchable.com> 2014-10-25 12:17:16 -0400
commit: d60420b0a012b099653ecd4ed582f37662af260a
tree: b763f2af4e6eebb97a66cae0ee9dc2e0376e5d69 /doc/plugins
parent: 0454be45f4f153663b1e8c227a1e59ae5a4871c5
Answer
Diffstat (limited to 'doc/plugins')
-rw-r--r-- doc/plugins/contrib/compile/discussion.mdwn 36
1 files changed, 36 insertions, 0 deletions
diff --git a/doc/plugins/contrib/compile/discussion.mdwn b/doc/plugins/contrib/compile/discussion.mdwn
index 96269d4e4..c2d2f6cd4 100644
--- a/doc/plugins/contrib/compile/discussion.mdwn
+++ b/doc/plugins/contrib/compile/discussion.mdwn
@@ -14,3 +14,39 @@ script specified in setup file - then e.g. you can choose which commands are all
What do you think?
-- [[fr33domlover]]
+
+> The problem you mention is known, and is not a problem for me, since I am the
+only user of the wiki. However, if we need a *secure* version of this
+command...
+>
+> Imagine we have a setup option `compile_unsecure`.
+>
+> The directive takes the following arguments
+>
+> - filetype: No problem.
+> - build: Forbidden.
+> - source: No problem.
+> - template: No problem.
+> - destname and files: The problem is that right now, the command is run using a shell
+> call. Thus, a user can easily use this argument to inject malicious
+> commands (something like \[[!compile files=";rm -fr *"]] (well, this
+> actually would not work, but you get the idea)). I do want to keep the
+> ability to use shell commands, for the flexibility it provides, but I imagine
+> we can:
+> - interpret the `build` command depending on its type:
+> - if it is a string, it is interpreted as a shell command;
+> - if it is a list of strings, the first one is the command to execute,
+> the following ones are the arguments. If I am not wrong, this should
+> prevent command injection.
+> - if it is a list of lists of strings, it is a list of commands to
+> execute (execution being stopped on the first error; usefull for stuff
+> like `latex foo.tex && dvipdf foo.dvi`).
+> - the `compile_unsecure` would:
+> - forbid commands to be strings (thus, forbidding shell commands, and preventing command injections);
+> - forbid compilation using Makefile or executable prevent in the wiki (to prevent users from modifying those files, and executing arbitrary commands);
+> - forbid directive argument `build`.
+>
+>
+> Any thoughts?
+>
+> -- [[Louis|spalax]]
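Review bot: The claim in the list-of-strings item ("If I am not wrong, this should prevent command injection") covers only shell interpretation. Running the command from an argument list keeps characters such as `;` in `destname` and `files` from being parsed by a shell, but the invoked program still interprets the values themselves: one beginning with `-` is read as an option, and one containing `../` names a path outside the wiki. The proposal should add that these two arguments are validated, for example rejected unless they resolve to files inside the source directory, and passed after a `--` separator where the command supports one. Two smaller points in the same block: the option name `compile_unsecure` reads as though turning it on relaxes checks, while its three sub-items describe added restrictions, so either rename it or state which value is the default; and the three `build`-interpretation items sit under the "destname and files" bullet, which makes it unclear whether they refer to the setup-file build command or to the directive argument `build` that the first list marks "Forbidden". In "forbid compilation using Makefile or executable prevent in the wiki", "prevent" looks like a typo for "present", and "usefull" should be "useful".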