[pmwiki-users] Faster searches and categories

Martin Fick fick at fgm.com
Mon Sep 12 16:12:39 CDT 2005


> Oh yes, it's a very difficult problem, as a result the 
> system() command is generally considered to be very unsafe --
> especially if any of the arguments or inputs to the command
> come from user input.
> 
> > This does not seem to happen because for some reason /s are
> > replaced with \s making paths unreadable.  I tried simpler 
> > safe versions and could not get them to work.
> 
> One can do a lot of damage even without having the ability
> to create paths -- the cd command can be used to switch to
> other directories before the command is executed...
> 
> But even so, are the slashes *replaced* by backslashes, or
> is it just that a backslash appears in front of the existing
> slash?

...no, actually replaced, strange.

> 
> > Do you think this simple fix would safeguard things better:
> > 
> > switch
> >     $ginclp .= "-e $ip ";
> > 
> > to
> >     $ginclp .= "-e '$ip' ";
> > 
> > or could single quotes get injected somehow?
> 
> Single quotes can be injected just as easily:
> 
>    (:pagelist "foo' bar ; rm -rf . ; echo 'xyz":)
> 
> becomes
> 
>     cd wiki.d; F=`find . -type f |grep -v '^\./\.'`; 
>     grep -l -i -e 'foo' bar ; rm -rf \. ; echo 'xyz' \$F |sed -es'|^.*/||g'


OK, fixed in the current recipe, I use escapeshellarg() to
ensure that each search term is safe.

-Martin
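
The switch discussed in this message, as an added example that is not part of the original post or the recipe's own code: it builds the grep arguments with the proposed `'$ip'` form and with escapeshellarg(), then scans each resulting string to see whether the term breaks out of its argument. The function names are hypothetical, the inputs are constructed (the first is the string quoted above), and a Unix-like host is assumed; nothing is executed.

```php
<?php
// Added illustration; not code from the recipe. Function names are hypothetical.
// Assumes a Unix-like host, where escapeshellarg() wraps the value in single
// quotes and rewrites each embedded ' as '\''.

// The "-e '$ip'" form proposed in the thread.
function build_naive(array $terms): string {
    $g = '';
    foreach ($terms as $ip) { $g .= "-e '$ip' "; }
    return "grep -l -i $g";
}

// The escapeshellarg() form the recipe switched to.
function build_escaped(array $terms): string {
    $g = '';
    foreach ($terms as $ip) { $g .= '-e ' . escapeshellarg($ip) . ' '; }
    return "grep -l -i $g";
}

// Scan a command line with POSIX sh single-quote rules and report how many
// ';' separators sit outside quotes, and whether a quote is left open.
// Only inspects the string; nothing is passed to a shell.
function scan_command(string $cmd): array {
    $seps = 0; $inQuote = false;
    for ($i = 0, $n = strlen($cmd); $i < $n; $i++) {
        $c = $cmd[$i];
        if ($inQuote) { if ($c === "'") { $inQuote = false; } continue; }
        if ($c === '\\') { $i++; continue; }   // backslash escapes the next char
        if ($c === "'") { $inQuote = true; continue; }
        if ($c === ';') { $seps++; }
    }
    return ['separators' => $seps, 'open_quote' => $inQuote];
}

// Constructed inputs: the string quoted in the thread, and a benign apostrophe.
$samples = ["foo' bar ; rm -rf . ; echo 'xyz", "don't"];
foreach ($samples as $term) {
    foreach (['build_naive', 'build_escaped'] as $builder) {
        $cmd = $builder([$term]);
        $r = scan_command($cmd);
        printf("%-13s %s\n    separators=%d open_quote=%s\n", $builder, $cmd,
               $r['separators'], $r['open_quote'] ? 'yes' : 'no');
    }
}
```

Any separator or open quote reported for a built command means the search term was not confined to a single grep argument.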



