[pmwiki-users] Skins: How to disable file: , function: , and page: markups?

Petko Yotov 5ko at free.fr
Fri Jun 22 21:13:26 CDT 2007


Hello Patrick and all,

I am considering letting the users upload their skin templates and css files 
via the upload function of PmWiki, without FTP, and without bothering the 
server administrator.

Obviously, I can only allow ordinary templates, "skin.tmpl" files (no php 
scripts). However, even they may contain some malicious code that may become 
a big security or privacy problem.

So, is it possible to disable the following skin markups from being processed:
    <!--function: fname par par...-->
    <!--file:/etc/passwd-->
    <!--page:ReadProtectedPage SiteAdmin.AuthUser-->

The only "pluggable" thing that came to my mind is to intercept the uploads 
and remove those keywords or replace them with something different. The 
functions LoadPageTemplate() and PrintFmt() seem unusually hardcoded to be 
set without a core patch.

Thanks a lot,
Petko
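One way to do the interception described above, as an added example that is not code from the post or from PmWiki itself: scan an uploaded `skin.tmpl` for any `<!--name:...-->` style directive (which covers the `file:`, `function:` and `page:` markups named here and generalizes to any other colon directive) and either reject the upload or neutralize the directive. How it is wired into the site's upload verification is left as an assumption; the functions below are self-contained.

```php
<?php
// Added example (not PmWiki core code). Scans a skin template for
// directives of the form <!--name:...--> before the upload is accepted.
// Plain placeholders such as <!--PageText--> have no colon and are left alone.

/**
 * Return every colon-style directive found in $tmpl (empty array = clean).
 * Each entry holds the lower-cased directive name and the raw matched text.
 */
function FindSkinDirectives(string $tmpl): array {
    $found = [];
    // "<!--", optional whitespace, a name, optional whitespace, a colon, then
    // the shortest run up to "-->" (spanning newlines, case-insensitive).
    $re = '/<!--\s*([A-Za-z_]\w*)\s*:(.*?)-->/si';
    if (preg_match_all($re, $tmpl, $m, PREG_SET_ORDER)) {
        foreach ($m as $match) {
            $found[] = ['directive' => strtolower($match[1]), 'text' => $match[0]];
        }
    }
    return $found;
}

/**
 * Reject-mode check: returns '' when the template is acceptable, otherwise
 * an error message naming the first offending directive.
 */
function VerifySkinTemplate(string $tmpl): string {
    $bad = FindSkinDirectives($tmpl);
    if (!$bad) return '';
    return "skin template rejected: <!--{$bad[0]['directive']}:...--> is not allowed";
}

/**
 * Replace-mode alternative: strip every colon directive, leaving a harmless
 * HTML comment in its place so the template still renders.
 */
function NeutralizeSkinDirectives(string $tmpl): string {
    return preg_replace('/<!--\s*[A-Za-z_]\w*\s*:.*?-->/si',
                        '<!-- removed: directive not allowed in uploaded skins -->',
                        $tmpl);
}

// Constructed sample template: one legitimate placeholder, one attempt to
// read a server file through the file: directive (with extra whitespace).
$sample = "<html><body>\n<!--PageHeaderFmt-->\n<!-- file: /etc/passwd -->\n"
        . "<!--PageText-->\n</body></html>";
echo VerifySkinTemplate($sample), "\n";
echo NeutralizeSkinDirectives($sample), "\n";
```

Rejecting is the simpler policy; the replace variant matches the "remove those keywords" idea from the post and keeps the rest of the template usable.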
