[RULE] Inclusion of php scripts in SPIP CMS?
C David Rigby
cdrigby at 9online.fr
Mon Mar 22 07:43:15 EET 2004
From a security perspective, this should be okay if
1) We are confident we can trust the script to behave itself
2) It does not accept any input in the form of parameters supplied by
the user (or at least restricts that input to, say, only the [a-zA-Z0-9]
characters).
The point is to not let a user of the system harness a script to pass
malicious/erroneous instructions to the server or a shell.
CDR
M. Fioretti wrote:
> On Sat, Mar 20, 2004 17:55:19 PM +0100, C David Rigby cdrigby at 9online.fr wrote:
>
>>Good (UTC+1) to everybody,
>>
>>As previously threatened, I have written a report about a CMS called
>>SPIP that can be accessed on the testing server here:
>>
>>http://rule-test.homelinux.org/SPIP-report.html
>>
>
>
> David (and Rodolfo)
>
> The report above says:
>
>
>>For authors of articles, there is also a set of formatting
>>"shortcuts" that allow the inclusion of basic text markup
>>(highlighting, headings, tables, etc.) without use of HTML. However,
>>for the author that desires to use full HTML, the formatting
>>shortcuts can be escaped by a specific tag that indicates to the
>>formatting engine to pass the data to the webserver without
>>modification.
>
>
> The current structure today does embed some PHP scripts in this way:
> if the ascii source code has a line like:
>
> ##INSERT(scripts/phpscripts/show_home.php)
>
> where show_home.php is a piece of php code which queries the mysql
> database to display the three latest news, pages, sw entries.
>
> the .txt -> .php cron converter replaces that line with the content of
> that file (which is *outside* the public_html directory, ie can be
> uploaded only via ssh today). Maybe we could do the same thing in
> SPIP, ie patch it in some way that allows php stuff to be inserted
> only if it is already on the server in some private area. Consider
> that such scripts will need to be updated /created much less often
> than everything else in the page containing them, so it shouldn't be
> a hassle if they have to be uploaded the "old" (scp) way.
>
> This would still leave coauthors free to add the same (already
> existing) scripts in other/new pages, but that shouldn't be a security
> hole, should it?
>
> What do you think?
>
> Ciao,
> Marco Fioretti
> --
> Marco Fioretti mfioretti
> Red Hat for low memory www.rule-project.org
>
> It's not the hours you put in your work that counts, it's the work you
> put in the hours. Sam Ewing
>
>
> _______________________________________________
> Original home page of the RULE project: www.rule-project.org
> Original Rule Development Site http://savannah.gnu.org/projects/rule/
> Original RULE mailing list: Rule-list at nongnu.org, hosted at http://mail.nongnu.org/mailman/listinfo/rule-list
>
>
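As an added illustration (not code from this thread, from SPIP, or from the RULE converter), here is how a `.txt -> .php` converter of the kind described above could enforce both conditions from the reply: the `##INSERT(...)` argument is limited to identifier characters and must resolve to a file inside a private, ssh-uploaded directory. The directory layout, file names and contents are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Directive form from the thread: ##INSERT(relative/path.php) on a line of its own.
DIRECTIVE = re.compile(r"^##INSERT\((.*)\)\s*$")
# Identifier-only path segments ending in .php: no "..", no absolute paths, no
# spaces or shell metacharacters (the [a-zA-Z0-9] restriction from the reply).
SAFE_PATH = re.compile(r"^[A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)*\.php$")

class InsertRejected(ValueError):
    """The directive does not name an approved script in the private area."""

def resolve_script(arg: str, private_dir: Path) -> Path:
    """Map a directive argument to a file that must live inside private_dir."""
    if not SAFE_PATH.fullmatch(arg):
        raise InsertRejected(f"bad script name: {arg!r}")
    root = private_dir.resolve()
    target = (root / arg).resolve()
    # The regex already blocks "..", but a symlink inside private_dir could
    # still point elsewhere, so check the resolved location as well.
    if root not in target.parents:
        raise InsertRejected(f"escapes private area: {arg!r}")
    if not target.is_file():
        raise InsertRejected(f"no such private script: {arg!r}")
    return target

def convert(source: str, private_dir: Path) -> str:
    """The .txt -> .php step: replace each valid directive with the file body."""
    out = []
    for line in source.splitlines():
        m = DIRECTIVE.match(line)
        out.append(resolve_script(m.group(1), private_dir).read_text() if m else line)
    return "\n".join(out) + "\n"

def demo() -> tuple:
    """Constructed fixture: one approved script plus directives that must be refused."""
    with tempfile.TemporaryDirectory() as tmp:
        private = Path(tmp) / "private" / "phpscripts"   # outside any public_html
        private.mkdir(parents=True)
        (private / "show_home.php").write_text("<?php echo 'latest news'; ?>")
        page = "<h1>Home</h1>\n##INSERT(show_home.php)\n<p>end</p>\n"
        rendered = convert(page, private)
        refused = []
        for bad in ("../secret.txt", "/etc/passwd", "show home.php", "missing.php"):
            try:
                resolve_script(bad, private)
            except InsertRejected:
                refused.append(bad)
        return rendered, refused
```

Co-authors can therefore reference any script already present in the private directory, but cannot name a file outside it or smuggle anything other than a plain path into the directive.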