[pmwiki-users] Includes

Nils Knappmeier nk at knappi.org
Wed Feb 23 14:48:56 CST 2005


Patrick R. Michaud wrote:

>On Mon, Feb 14, 2005 at 06:46:09PM +1300, Simon wrote:
>
>>I'm looking for a way to include separate (non-wiki) files (generally
>>containing HTML snippets or calls to JavaScript) at both the template
>>and wiki page levels.
>
>In a template, you can use  <!--file:path/to/template.html-->.
>
>Within a wiki page itself it can be a bit more tricky, because you
>probably don't want wiki authors to be able to access arbitrary
>files in the file system.  If you can get the files into a single
>directory (or populate a directory with symlinks to the files)
>it's quite a bit safer:
>
>      Markup('includefile', 'directives',
>      '/\\(:includefile\\s+([-\\w.]+):\\)/e',
>      "Keep(implode('', file('/path/to/safe/includes/$1')))");
How about if someone does a (:includefile ../something.html:) ?
What if someone does a (:includefile /etc/passwd :) ?
I guess the second one won't work, but the first should be able to 
escape the prison...
I would do a

    Markup('includefile', 'directives',
      '/\\(:includefile\\s+([-\\w.]+):\\)/e',
      "Keep(implode('', file(str_replace('..','','/path/to/safe/includes/$1'))))");

Or is this kind of checking done somewhere else already? I just took an exam in IT security today,
and this kind of not-checking-user-input is exactly what causes a lot of problems...


Nils
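An added example (not from this thread and not PmWiki's own code) of a stricter
includefile handler that combines a filename whitelist with a resolved-path check,
rather than blacklisting '..'. It assumes PmWiki's Markup() and Keep() as used in
the posts above, and a hypothetical $SafeIncludeDir setting; the self-check at the
bottom uses a constructed temp directory and files so it runs without PmWiki.

```php
<?php
// Added example, not code from the original thread or from PmWiki itself.
// Stricter (:includefile name:) handling than the one-liners in the posts.
// Assumptions: Markup() and Keep() are PmWiki's functions as used in the
// quoted code; $SafeIncludeDir is a hypothetical configuration variable.

$SafeIncludeDir = '/path/to/safe/includes';

// Accept only a bare filename: letters, digits, '_', '-', '.', with no
// path separator anywhere and no leading '.', so '..', '.htaccess' and
// anything containing '/' is refused before the filesystem is touched.
function IsSafeIncludeName($name) {
  return preg_match('/^[A-Za-z0-9_-][A-Za-z0-9_.-]*\z/', $name) === 1;
}

// Return the file's contents, or '' for anything that is not a regular
// file directly inside $dir. The realpath() comparison is an independent
// second check: even if the whitelist were loosened later, a name that
// resolves outside $dir is refused. It also refuses symlinks that point
// outside the directory; if you rely on such admin-created symlinks (as
// the post suggests), drop the dirname() comparison and keep the whitelist.
function SafeIncludeFile($dir, $name) {
  if (!IsSafeIncludeName($name)) return '';
  $base = realpath($dir);
  $path = realpath($dir . '/' . $name);
  if ($base === false || $path === false || !is_file($path)) return '';
  if (dirname($path) !== $base) return '';
  $data = file_get_contents($path);
  return ($data === false) ? '' : $data;
}

// Registration with PmWiki, using the same /e-style replacement as the
// quoted post (2005-era PHP; later PmWiki versions use Markup_e callbacks
// because the /e modifier was removed from PHP). The '$1' is left for
// preg_replace to fill in; only the validated result reaches Keep().
if (function_exists('Markup')) {
  Markup('includefile', 'directives',
    '/\\(:includefile\\s+([-\\w.]+)\\s*:\\)/e',
    "Keep(SafeIncludeFile(\$GLOBALS['SafeIncludeDir'], '$1'))");
}

// Stand-alone check (no PmWiki needed): build a constructed include
// directory in the system temp dir and feed the handler the kinds of
// names the thread worries about. Only 'header.html' should be served.
if (PHP_SAPI === 'cli' && !function_exists('Markup')) {
  $tmp = sys_get_temp_dir() . '/includes_' . getmypid();
  mkdir($tmp);
  file_put_contents("$tmp/header.html", "<div>header</div>\n");
  file_put_contents("$tmp/.secret", "dotfile\n");
  foreach (array('header.html', '..', '../something.html',
                 '/etc/passwd', '.secret', 'header.html/../../x') as $n) {
    $out = SafeIncludeFile($tmp, $n);
    printf("%-22s -> %s\n", $n, $out === '' ? 'rejected' : trim($out));
  }
  unlink("$tmp/.secret");
  unlink("$tmp/header.html");
  rmdir($tmp);
}
```

The whitelist alone already closes the cases raised in the thread ('..' and
absolute paths never match), so the realpath()/dirname() comparison is there
as defence in depth for the day someone widens the regex.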