[Pmwiki-users] New version no upload directives available for testing here
Christian Ridderström
chr
Fri Jan 30 04:12:14 CST 2004
On Thu, 29 Jan 2004, Patrick R. Michaud wrote:
> On Thu, Jan 29, 2004 at 11:19:28PM +0100, Christian Ridderstr?m wrote:
> >
> > AFAIK, the only problem right now is that 'security' can be bypassed, e.g.
> > it's possible to list the files in another directory and there's no check
> > if this is allowed.
> >
> > Patrick, I can put this up as a cookbook extension, or you can have a
> > look at it and see if it should go into 0.6.
>
> I'm probably going to leave this particular feature as a cookbook
> extension.
Ok, I'll put it up as a cookbook extension. As it's implemented, it's
simply a new 'upload.php' that should be used instead of the one in
scripts/.
> Speaking from experience as a system administrator, I'm
> very wary of anything that allows anonymous web users to specify
> paths directly into my filesystem--and the elimination of the '/'
> character in attachment names is a reasonable safeguard against that.
Although not a sys.admin, I'm also vary of this, so I should clarify how
the "safety" aspect is handled -- it's actually quite straight forward:
* The code specifically checks that the path doesn't contain '/../'
* Any path *not* starting with '/' is prepended with '/$Group/'
* Finally '$UploadDir' is prepended with the path.
The result is that only '$UploadDir' is treated as 'root' and it is
only that directory and it's subdirectories that are accessible through
this mechanism (unless there's a bug... ;-)
>From an implementation point of view, the parsing and testing of the path
is done by a function called UploadAdjustPath(), that is called by
FmtAttachLink() etc.
> This isn't a criticism of the code or the module itself--I'm just
> looking at it from a "PmWiki acceptability" perspective.
I understand. Hmm.. maybe I should make this extended path mechanism a
separate feature, e.g. enabled using $EnableUploadExtendedPaths or
something?
> > PS. The new directives now also allow non-english characters in the
> > filenames and directories.
>
> Hmmm, I'm wondering what you had to do to achieve this, and if it would
> help in configuring PmWiki to have non-ASCII characters in page names...?
> Can you send me a couple of pointers/tips?
Well, you can look at the code of course:
http://www.lyx.org/~chr/demo/uploads/Upload/upload.php.txt
but the following EBNF should illustrate how it works:
upload-path ::= ?/ *( +upload-char /)
upload-char ::= upload-char-allowed | ~upload-char-disallowed
upload-char-allowed ::= . | + | - | _
upload-char-disallowed ::= punct | cntrl | ws
This syntactic description was taken from:
http://www.lyx.org/~chr/demo/pmwiki.php?pagename=Upload.Syntax
and the corresponding code that implements it looks as follows:
// $UploadCharPattern defines the characters allowed in a path
SDV($UploadCharPattern, '(?:[^[:space:][:cntrl:][:punct:]]|[.+:_-])');
SDV($UploadDirPattern, "(?:$UploadCharPattern+\\/)");
SDV($UploadNamePattern,"(?:(\\/*$UploadDirPattern*)$UploadCharPattern+)");
/Christian
--
http://www.md.kth.se/~chr
More information about the pmwiki-users
mailing list