On Wed, May 02, 2007 at 12:33:02PM +1000, Kathryn Andersen wrote:
> Having just mentioned the insecurity of my IncludeUpload recipe, I'd
> appreciate some help in actually making it secure. It's secure enough
> if one can trust the people who have edit permission, but if it's an
> open wiki, it is Bad News.
>
> There are a few issues I'm aware of:
>
> 1. the command to do text-to-html conversion is a `command`, which
> isn't secure, since someone could pass in arguments which would turn
> it into `command arg;rm -rf /*` or the like. With Perl, there are
> things like taint. I don't know what the equivalent is in PHP.
PHP ain't got no taint. :-) Besides, even if it did, the variables
you're wanting to use here ($txt2html_args) would be tainted, because
they're coming from the "outside world".

Out of curiosity, what `command` are you typically using to convert
the text to html? One possibility might be to explicitly list the
$txt2html_args that you're willing to accept, rather than take them
directly from the directive argument. (If you can provide a couple of
examples, I can illustrate a way to do this.)

> 2. Files stored in pmwiki/uploads are not checked to see whether
> the user has read permission on them.
[...]
> 3. Files stored under $DOCUMENT_ROOT do not check Apache permissions,
> they just go straight to the filesystem, which means that if the
> file is readable by Apache, then it's readable by anyone.
> I don't know how to check for this.

One answer might be to read the file's contents via url instead of
directly off the filesystem (i.e., using a url-based fopen).

> I'm not sure how one
> actually defines "read permission" for uploaded files, since
> PmWiki puts permissions on wiki pages, and it isn't clear how one
> would determine to which page a particular uploaded file "belongs",
> in order to see if the user is allowed to read the uploaded file.
> Presumably PmWiki does some sort of check when secure uploads are turned
> on, but I don't know how or where that's done.

When attachments are being protected ($EnableDirectDownload=0;),
PmWiki uses a page's read permissions to determine whether a visitor
has permission to view any of the attachments for that page. There's
not really a concept of a separate set of permissions for individual
attachment files.

Pm

_______________________________________________
pmwiki-devel mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-devel
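The allowlisting approach Pm suggests for $txt2html_args, written out as an added PHP example; it is not code from the thread, from the IncludeUpload recipe, or from PmWiki. The converter path ($TXT2HTML_CMD), the option names in $TXT2HTML_ALLOWED, the function names and the sample directive string are all assumptions made up for the illustration. The idea is that the directive argument is never handed to the shell as a string: each token is matched exactly against a table of permitted options and values, anything unrecognised is dropped, and the surviving pieces are individually quoted with escapeshellarg() so each reaches the command as one literal word.

```php
<?php
// Added example (not from the thread, the IncludeUpload recipe or PmWiki):
// constrain the arguments that reach the text-to-html command to an explicit
// allowlist, then assemble the command line with escapeshellarg() so that no
// page author can end the command or append another one.

// Hypothetical converter binary; the recipe's real command is not named here.
$TXT2HTML_CMD = '/usr/bin/txt2html';

// Options the wiki is willing to pass through, keyed by the name a page author
// may write in the directive (hypothetical names). Flags take no value; valued
// options list the exact values they accept. Anything else is ignored.
$TXT2HTML_ALLOWED = array(
    'titlefirst' => array('flag' => '--titlefirst'),
    'nolinks'    => array('flag' => '--nolinks'),
    'style'      => array('opt' => '--style', 'values' => array('plain', 'basic')),
);

/**
 * Parse a directive argument string such as "titlefirst style=basic" and
 * return only the argv entries permitted by $TXT2HTML_ALLOWED, unquoted.
 */
function SafeTxt2HtmlArgs($argstring) {
    global $TXT2HTML_ALLOWED;
    $argv = array();
    foreach (preg_split('/\s+/', trim($argstring)) as $token) {
        if ($token === '') continue;
        // "name=value" selects an option with a value; a bare word is a flag.
        if (strpos($token, '=') !== false) {
            list($name, $value) = explode('=', $token, 2);
        } else {
            $name = $token;
            $value = null;
        }
        // Names must match an allowlist key exactly; no prefixes, no aliases.
        if (!isset($TXT2HTML_ALLOWED[$name])) continue;
        $spec = $TXT2HTML_ALLOWED[$name];
        if (isset($spec['flag']) && $value === null) {
            $argv[] = $spec['flag'];
        } elseif (isset($spec['opt']) && $value !== null
                  && in_array($value, $spec['values'], true)) {
            $argv[] = $spec['opt'];
            $argv[] = $value;
        }
        // A flag given a value, or an option with a value outside the accepted
        // set, falls through and is silently dropped.
    }
    return $argv;
}

/**
 * Build the full command line. Every argument, including the input path,
 * goes through escapeshellarg(), so the shell treats each as a single word
 * no matter what characters it contains.
 */
function BuildTxt2HtmlCommand($inputfile, $argstring) {
    global $TXT2HTML_CMD;
    $parts = array(escapeshellcmd($TXT2HTML_CMD));
    foreach (SafeTxt2HtmlArgs($argstring) as $arg) {
        $parts[] = escapeshellarg($arg);
    }
    $parts[] = escapeshellarg($inputfile);
    return implode(' ', $parts);
}

// Constructed sample: one permitted flag, one option with a value that is not
// in its accepted set, and one option name that is not in the table at all.
$cmd = BuildTxt2HtmlCommand('/var/www/uploads/Main/notes.txt',
                            'titlefirst style=fancy verbose=1');
// Only the permitted flag and the quoted input path reach the converter:
// $html = shell_exec($cmd);
```

The allowlist does the real work; escapeshellarg() on its own would stop a token from breaking out of the command, but it would still let a page author pass any option the converter understands, including ones that write files or read from elsewhere on the filesystem. Keeping the table of accepted names and values in the recipe's configuration rather than in the directive is what makes the directive argument safe to accept from an open wiki.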
