[pmwiki-users] Skins: How to disable file: , function: , and page: markups?
Petko Yotov
5ko at free.fr
Fri Jun 22 21:13:26 CDT 2007
Hello Patrick and all,
I am considering letting the users upload their skin templates and css files
via the upload function of PmWiki, without FTP, and without bothering the
server administrator.
Obviously, I can only allow ordinary templates, "skin.tmpl" files (no php
scripts). However, even they may contain some malicious code that may become
a big security or privacy problem.
So, is it possible to disable the following skin markups from being processed:
<!--function: fname par par...-->
<!--file:/etc/passwd-->
<!--page:ReadProtectedPage SiteAdmin.AuthUser-->
The only "pluggable" thing that came to my mind is to intercept the uploads
and remove those keywords or replace them with something different. The
functions LoadPageTemplate() and PrintFmt() seem unusually hardcoded to be
set without a core patch.
Thanks a lot,
Petko
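
The upload-filtering idea from the message above, as an added example that is not part of the original post and is not PmWiki code: a stand-alone PHP filter that reports the three directives and replaces each whole directive with an inert comment instead of deleting only the keyword. The names `DIRECTIVE_RE`, `PLACEHOLDER`, `find_blocked_directives` and `neutralize_directives` are hypothetical, and the whitespace and letter-case tolerance is an assumption.

```php
<?php
// Added example: stand-alone filter for an uploaded skin.tmpl; not PmWiki code.
// Assumption: directives have the <!--name:args--> form quoted in the post;
// optional whitespace and any letter case are matched to stay conservative.
const DIRECTIVE_RE = '/<!--\s*(function|file|page)\s*:(.*?)-->/is';
const PLACEHOLDER  = '<!-- skin directive removed -->';

// List every blocked directive with its line number, for an upload report.
function find_blocked_directives(string $tmpl): array
{
    preg_match_all(DIRECTIVE_RE, $tmpl, $matches, PREG_SET_ORDER | PREG_OFFSET_CAPTURE);
    $hits = [];
    foreach ($matches as $m) {
        $hits[] = [
            'directive' => strtolower($m[1][0]),
            'argument'  => trim($m[2][0]),
            'line'      => substr_count(substr($tmpl, 0, $m[0][1]), "\n") + 1,
        ];
    }
    return $hits;
}

// Replace whole directives with an inert comment and rescan until nothing
// matches, so text left behind cannot join up into a new directive.
function neutralize_directives(string $tmpl): string
{
    do {
        $tmpl = preg_replace(DIRECTIVE_RE, PLACEHOLDER, $tmpl, -1, $count);
        if ($tmpl === null) {
            throw new RuntimeException('regex failure: reject the upload');
        }
    } while ($count > 0);
    return $tmpl;
}

// Constructed sample upload; the third line varies spacing and case on purpose.
$upload = <<<'TMPL'
<div id="head"><!--function: fname par par...--></div>
<!--file:/etc/passwd-->
<!-- PAGE :ReadProtectedPage SiteAdmin.AuthUser-->
<!-- ordinary comment stays -->
TMPL;
foreach (find_blocked_directives($upload) as $hit) {
    printf("line %d: %s: %s\n", $hit['line'], $hit['directive'], $hit['argument']);
}
echo neutralize_directives($upload), "\n";
```

Refusing the upload whenever `find_blocked_directives()` returns any hit is the stricter choice; the rewrite path is for cases where the template must still be accepted.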