path: root/doc/todo.mdwn
author: www-data <www-data@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> 2006-03-17 16:51:14 +0000
committer: www-data <www-data@0fa5a96a-9a0e-0410-b3b2-a0fd24251071> 2006-03-17 16:51:14 +0000
commit: 2aa59621153fcba1d72d7c7688037f1fdfa7f95f (patch)
tree: 622f45f20e8ee50ba5f6b4b260a934e04ef4cd8a /doc/todo.mdwn
parent: b93e189934c5f3abe39db070f0d9ed459007ddcf (diff)
web commit by BrandenRobinson: Explain why letting users specify regexes is bad.
Diffstat (limited to 'doc/todo.mdwn')
-rw-r--r-- doc/todo.mdwn | 4
1 files changed, 4 insertions, 0 deletions
diff --git a/doc/todo.mdwn b/doc/todo.mdwn
index d4abc832d..d7326854e 100644
--- a/doc/todo.mdwn
+++ b/doc/todo.mdwn
@@ -23,6 +23,10 @@ is built. (As long as all changes to all pages is ok.)
explicitly named pages would be desirable.
2. I think that since we're using Perl on the backend, being able to
let users craft their own arbitrary regexes would be good.
+
+ Joey points out that this is actually a security hole, because Perl
+ regexes let you embed (arbitrary?) Perl expressions inside them. Yuck!
+
3. Of course if you do that, you want to have form processing on the user
page that lets them tune it, and probably choose literal or glob by
default.
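Review bot: the added paragraph leaves "(arbitrary?)" as an open question and never states what should happen to item 2 as a result; it should resolve the hedge and record the decision. The mechanism Joey is referring to is Perl's embedded code block syntax, `(?{ ... })` and `(??{ ... })`, which runs Perl code during the match, so a user-supplied pattern is equivalent to a user-supplied Perl expression; that is "arbitrary" without the question mark. Even if embedded code were blocked, a user-controlled regex still lets a user choose a pattern with catastrophic backtracking and stall the page build, so the todo item should say that the wiki builds the regex itself from a literal or glob (as item 3 already suggests, with the literal escaped via `quotemeta`) rather than accepting raw regexes, e.g. replace "let users craft their own arbitrary regexes would be good" with "users should pick literal or glob and the wiki should construct the regex from that".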