[pmwiki-users] Includes
Nils Knappmeier
nk at knappi.org
Wed Feb 23 14:48:56 CST 2005
Patrick R. Michaud wrote:
>On Mon, Feb 14, 2005 at 06:46:09PM +1300, Simon wrote:
>
>
>>I'm looking for a way to include separate (non wiki) files (generally
>>containing html snippets or calls to javascript) in at both templates
>>and wiki pages levels.
>>
>>
>
>In a template, you can use <!--file:path/to/template.html-->.
>
>Within a wiki page itself it can be a bit more tricky, because you
>probably don't want wiki authors to be able to access arbitrary
>files in the file system. If you can get the files into a single
>directory (or populate a directory with symlinks to the files)
>it's quite a bit safer:
>
>
  Markup('includefile', 'directives',
>    '/\\(:includefile\\s+([-\\w.]+):\\)/e',
>    "Keep(implode('', file('/path/to/safe/includes/$1')))");
>
>
>
How about if someone does a (:includefile ../something.html:) ?
What if someone does a (:includefile /etc/passwd :) ?
I guess the second one won't be working, but the first should be able to
escape the prison...
I would do a
Markup('includefile', 'directives',
  '/\\(:includefile\\s+([-\\w.]+):\\)/e',
  "Keep(implode('', file('/path/to/safe/includes/' . str_replace('..', '', '$1'))))");
Or is this kind of checking done somewhere else already? I just wrote an exam in IT-Security today,
and this kind of not-checking-user-input is exactly what causes a lot of problems...
Nils
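One way to write the directive so that the file name is validated before it ever reaches the file system, as an added example that is not code from this thread or from PmWiki itself (it assumes PmWiki's `Markup()` and `Keep()` as used above, and a `$IncludeFileDir` setting chosen by the administrator):

```php
<?php
// Added example: a (:includefile name:) handler that allow-lists the name
// instead of stripping ".." out of it.
// Assumption: the administrator sets this directory in config.php.
$IncludeFileDir = '/path/to/safe/includes';

function SafeIncludeFile($name) {
  global $IncludeFileDir;
  // 1. The name must be a single path component: letters, digits, '-', '_'
  //    and '.', nothing else. No '/' means no directory can be named at all,
  //    and rejecting ".." outright is simpler than trying to strip it
  //    (str_replace('..', '', '...') still leaves a '.' behind).
  if (!preg_match('/^[-\w.]+$/', $name) || strpos($name, '..') !== false) {
    return '';
  }
  // 2. Defence in depth: basename() must give back the same string, so a
  //    later relaxation of the regex cannot quietly reintroduce traversal.
  if (basename($name) !== $name) {
    return '';
  }
  $path = $IncludeFileDir . '/' . $name;
  // 3. Only regular files (or symlinks to them, which is how Patrick
  //    suggests populating the directory) are ever read back.
  if (!is_file($path) || !is_readable($path)) {
    return '';
  }
  return Keep(file_get_contents($path));
}

// Same directive syntax as before; the capture group now contains the whole
// name, and the regex itself already refuses '/', so the checks in
// SafeIncludeFile() are the second line of defence, not the only one.
Markup('includefile', 'directives',
  '/\\(:includefile\\s+([-\\w.]+)\\s*:\\)/e',
  "SafeIncludeFile('$1')");
```

The `/e` replacement passes only the captured characters to `SafeIncludeFile()`, so a request like `(:includefile /etc/passwd:)` never matches the pattern and a request like `(:includefile ..secret:)` is rejected inside the function.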