blob: 45bd703c4156f60654ce96909509c1a490763289 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
I've reviewed this plugin's code, and there is one major issue with it,
namely this line:
system("hnb '$params{page}.hnb' 'go root' 'export_html $tmp' > /dev/null");
This could potentially allow execution of artibtary shell code, if the filename
contains a single quote.
* Fixed with version 0.02 by usage of `$params{content}` -- XTaran
Which ikiwiki doesn't allow by default, but I prefer to never involve a shell where one is not needed. The otl plugin is a good example of how to safely fork a child process without involving the shell.
* Had a look at that one as example before writing the hnb plugin, but hnb has different input/output characteristics. I would prefer another solution, too, but as long as it works and is secure, I'm fine with the current (fixed :-) ) solution -- [[XTaran]].
Other problems:
* Use of shell mktemp from perl is suboptimal. File::Temp would be better.
* Fixed with version 0.02 -- [[XTaran]]
* The htmlize hook should not operate on the contents of `$params{page}.hnb`.
The content that needs to be htmlized is passed in to the hook in
`$params{content}`.
* Fixed with version 0.02 -- [[XTaran]]
If these problems are resolved and a copyright statement is added to the file,
* Copyright Statement is in their for about a month. -- [[XTaran]]
I'd be willing to include this plugin in ikiwiki. --[[Joey]]
|