[Pmwiki-users] New version no upload directives available for testing here

Christian Ridderström chr
Fri Jan 30 04:12:14 CST 2004


On Thu, 29 Jan 2004, Patrick R. Michaud wrote:

> On Thu, Jan 29, 2004 at 11:19:28PM +0100, Christian Ridderstr?m wrote:
> > 
> > AFAIK, the only problem right now is that 'security' can be bypassed, e.g. 
> > it's possible to list the files in another directory and there's no check 
> > if this is allowed.
> > 
> > Patrick, I can put this up as a cookbook extension, or you can have a 
> > look at it and see if it should go into 0.6.
> 
> I'm probably going to leave this particular feature as a cookbook
> extension. 

Ok, I'll put it up as a cookbook extension. As it's implemented, it's 
simply a new 'upload.php' that should be used instead of the one in 
scripts/.

> Speaking from experience as a system administrator, I'm
> very wary of anything that allows anonymous web users to specify
> paths directly into my filesystem--and the elimination of the '/' 
> character in attachment names is a reasonable safeguard against that.

Although not a sys.admin, I'm also vary of this, so I should clarify how 
the "safety" aspect is handled -- it's actually quite straight forward:

 * The code specifically checks that the path doesn't contain '/../'
 * Any path *not* starting with '/' is prepended with '/$Group/'
 * Finally '$UploadDir' is prepended with the path.

The result is that only '$UploadDir' is treated as 'root' and it is 
only that directory and it's subdirectories that are accessible through 
this mechanism (unless there's a bug... ;-)

>From an implementation point of view, the parsing and testing of the path 
is done by a function called UploadAdjustPath(), that is called by 
FmtAttachLink() etc.

> This isn't a criticism of the code or the module itself--I'm just
> looking at it from a "PmWiki acceptability" perspective.

I understand. Hmm.. maybe I should make this extended path mechanism a 
separate feature, e.g. enabled using $EnableUploadExtendedPaths or 
something?

> > PS. The new directives now also allow non-english characters in the 
> > filenames and directories.
> 
> Hmmm, I'm wondering what you had to do to achieve this, and if it would 
> help in configuring PmWiki to have non-ASCII characters in page names...?
> Can you send me a couple of pointers/tips?

Well, you can look at the code of course:
	http://www.lyx.org/~chr/demo/uploads/Upload/upload.php.txt

but the following EBNF should illustrate how it works:

    upload-path      ::= ?/ *( +upload-char /)
    upload-char      ::= upload-char-allowed | ~upload-char-disallowed
    upload-char-allowed  ::= . | + | - | _
    upload-char-disallowed ::= punct | cntrl | ws

This syntactic description was taken from:
	http://www.lyx.org/~chr/demo/pmwiki.php?pagename=Upload.Syntax

and the corresponding code that implements it looks as follows:

   // $UploadCharPattern defines the characters allowed in a path
   SDV($UploadCharPattern, '(?:[^[:space:][:cntrl:][:punct:]]|[.+:_-])');
   SDV($UploadDirPattern, "(?:$UploadCharPattern+\\/)");
   SDV($UploadNamePattern,"(?:(\\/*$UploadDirPattern*)$UploadCharPattern+)");

/Christian

-- 
http://www.md.kth.se/~chr




More information about the pmwiki-users mailing list