[pmwiki-users] Faster searches and categories
Martin Fick
fick at fgm.com
Mon Sep 12 16:12:39 CDT 2005
> Oh yes, it's a very difficult problem, as a result the
> system() command is generally considered to be very unsafe --
> especially if any of the arguments or inputs to the command
> come from user input.
>
> > This does not seem to happen because for some reason /s are
> > replaced with \s making paths unreadable. I tried simpler
> > safe versions and could not get them to work.
>
> One can do a lot of damage even without having the ability
> to create paths -- the cd command can be used to switch to
> other directories before the command is executed...
>
> But even so, are the slashes *replaced* by backslashes, or
> is it just that a backslash appears in front of the existing
> slash?
...no, actually replaced, strange.
>
> > Do you think this simple fix would safeguard things better:
> >
> > switch
> > $ginclp .= "-e $ip ";
> >
> > to
> > $ginclp .= "-e '$ip' ";
> >
> > or could single quotes get injected somehow?
>
> Single quotes can be injected just as easily:
>
> (:pagelist "foo' bar ; rm -rf . ; echo 'xyz":)
>
> becomes
>
> cd wiki.d; F=`find . -type f |grep -v '^\./\.'`;
> grep -l -i -e 'foo' bar ; rm -rf \. ; echo 'xyz' \$F |sed -es'|^.*/||g'
OK, fixed in the current recipe, I use escapeshellarg() to
ensure that each search term is safe.
-Martin
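
The fix described above, as an added example that is not the recipe's own code: it builds the grep arguments both ways for the search term quoted in the thread, then runs only the escapeshellarg() form against scratch files. The function names, the scratch directory and the sample files are assumptions made for illustration, and a POSIX shell is assumed.

```php
<?php
// Assumes a POSIX shell, where escapeshellarg() wraps the value in single
// quotes and rewrites each embedded ' as '\''.

// Naive form proposed in the thread: wrap each term in single quotes.
function grep_args_naive(array $terms): string {
    $out = '';
    foreach ($terms as $t) {
        $out .= "-e '$t' ";
    }
    return $out;
}

// Fixed form: let PHP quote each term as exactly one shell word.
function grep_args_escaped(array $terms): string {
    $out = '';
    foreach ($terms as $t) {
        $out .= '-e ' . escapeshellarg($t) . ' ';
    }
    return $out;
}

// Search term taken from the thread's (:pagelist ...:) example.
$terms = ["foo' bar ; rm -rf . ; echo 'xyz"];

// Printed only, never executed: compare where the quoting ends in each form.
echo "naive:   grep -l -i ", grep_args_naive($terms), "\n";
echo "escaped: grep -l -i ", grep_args_escaped($terms), "\n";

// Constructed sample data: a scratch directory standing in for wiki.d.
$dir = sys_get_temp_dir() . '/wikid_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/Main.HomePage", "text=nothing here\n");
file_put_contents("$dir/Main.Quoted", "text=foo' bar ; rm -rf . ; echo 'xyz\n");

// Only the escaped form is executed. The whole term reaches grep as one
// pattern, so the shell never sees the ';' as a command separator.
$cmd = 'cd ' . escapeshellarg($dir) . ' && grep -l -i '
     . grep_args_escaped($terms) . '-- *';
exec($cmd, $matches, $status);
echo "status=$status matches=", implode(',', $matches), "\n";

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

On Windows, escapeshellarg() quotes differently, so the printed form will not match what a POSIX shell expects.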