[pmwiki-users] adding cookbook script
Patrick R. Michaud
pmichaud at pobox.com
Sun Feb 24 16:26:00 CST 2008
On Sun, Feb 24, 2008 at 11:19:19PM +0100, Christophe David wrote:
> > A similar argument goes for storing parts of config.php into
> > a wiki page -- it means that someone who is able to modify
> > those pages somehow can start executing arbitrary scripts
> > on the server. There may be cases where this would be
> > okay, but in the general case I think it's too big a
> > security risk for the core.
> Maybe an alternative would be to only allow loading (including)
> cookbooks from SiteAdmin.Config (no other PHP code). The Farm Admin
> could copy to $FarmD/Cookbook all recipes he is prepared to see
> running on his farm, and the Field Admin could load them.
> Going this route, what about having a markup (:cookbook xyz:) that
> would include_once the recipe passed as parameter ? This way, recipes
> could be loaded for specific pages, groups, etc.
- How many cookbook recipes are typically included that don't
require any additional configuration or settings? This is
not a rhetorical question -- I really don't have a feel for
how many times a recipe consists of precisely the steps
(1) download script, (2) add include_once() line.
- Using a markup like (:cookbook xyz:) to indicate loading a recipe
often occurs too late to do any good. Markups aren't processed
until after the system has already decided that (1) we are
browsing the page and (2) the visitor has read permission to
the page. Any recipe that adds new actions, modifies existing
actions, changes page security, or otherwise affects page handling
will have to be loaded long before we start processing a page's
> This markup should have to be enabled by the Farm Admin. When
> enabled, the only thing users could do is to load an already approved
> Would it not make life easier for many users ?
How many "users" are there who are administering wikis but aren't
the farm admin?
More information about the pmwiki-users