[pmwiki-devel] how is the e modifier a security issue?

Hans design5 at softflow.co.uk
Wed Nov 15 15:39:07 CST 2006


Wednesday, November 15, 2006, 8:41:40 PM, JB wrote:


>      "Note: Be very careful with the /e modifier in regular expressions;
>       malicious authors may be able to pass strings that cause arbitrary
>       and undesirable PHP functions to be executed."


> How is this a security issue?

My limited take on this:
The /e modifier allows execution of a function. So you have to make
sure that whatever can get passed to your custom function won't be
able to do harm, i.e. the custom function can handle it.

> In my recipe AdvancedTableDirectives I was told to put all user
> attributes through the PMWiki routine "PQA()" to make it secure.
> Is there something like that to use for CustomMarkup?

ParseArgs($opts) is a nice helper function to process arguments passed in
markup of form key1=value1 key2=value2, and builds an array of those.
You can have defaults defined and merge the default array with the
array ParseArgs returns. Then your custom function can process value
attributes according to the keys, and is not threatened with malicious
arguments. Lots of recipes use it. See for instance
http://www.pmwiki.org/wiki/Cookbook/NewPageBox
as an example of how ParseArgs is exploited.


Hans
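The following is an added illustration of the point in the quoted note; it is not PmWiki's own code, and the "(:box ...:)" directive, RenderBox() and BoxCallback() are hypothetical names chosen for the example. With /e, preg_replace() treats the replacement string as PHP and splices the backreferences into it before eval(). PHP escapes quotes in the substituted text, but it does not touch the {${ expr }} form of variable interpolation, so an author who can get a quote-free expression into the matched text gets it executed. The vulnerable half needs PHP 5.x: /e was deprecated in 5.5 and removed in 7.0, where preg_replace() returns NULL with a warning instead.

```php
<?php
// Added example, not PmWiki code.  Demonstrates the /e hazard and the
// preg_replace_callback() replacement for it.

// Hypothetical markup handler for a "(:box text:)" directive.
function RenderBox($text) {
    return '<div class="box">' . htmlspecialchars($text) . '</div>';
}

// Constructed page text from a malicious author.  Quotes inside a
// backreference are backslash-escaped by PHP before eval(), so the
// payload avoids them: {${phpinfo()}} is evaluated by the PHP parser
// as soon as it appears inside a double-quoted string.
$page = 'hello (:box {${phpinfo()}}:) world';

// VULNERABLE: the replacement is PHP source and $1 is pasted into it.
// What eval() sees after substitution is
//     RenderBox("{${phpinfo()}}")
// and building that double-quoted string calls phpinfo() before
// RenderBox() ever runs, so no checking inside RenderBox() can help.
$vuln = preg_replace('/\(:box (.*?):\)/e', 'RenderBox("$1")', $page);

// FIXED: no eval at all.  The match array is handed to a named
// function as an ordinary argument; the directive body is just a string
// and the callback decides what to do with it.
function BoxCallback($m) {
    return RenderBox($m[1]);
}
$safe = preg_replace_callback('/\(:box (.*?):\)/', 'BoxCallback', $page);
echo $safe, "\n";
```

With the callback form the author's text only ever reaches RenderBox() as data, so the remaining job is the one Hans describes: validate what the function receives (ParseArgs() for key=value arguments, escaping for anything echoed into HTML) rather than trying to sanitise a string that is about to be eval'd.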




More information about the pmwiki-devel mailing list