X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/5c8351541d8bcdb09a137aa7fe029ce10e5db057..12eb056b33e1f01a63c4fcee408c9ac0d96c6b5e:/doc/todo/mailnotification.mdwn?ds=inline diff --git a/doc/todo/mailnotification.mdwn b/doc/todo/mailnotification.mdwn index 5aae98894..37fe9a55a 100644 --- a/doc/todo/mailnotification.mdwn +++ b/doc/todo/mailnotification.mdwn @@ -13,6 +13,24 @@ Should support mail notification of new and changed pages. Joey points out that this is actually a security hole, because Perl regexes let you embed (arbitrary?) Perl expressions inside them. Yuck! +(This is not actually true unless you "use re 'eval';", without which +(?{ code }) is disabled for expressions which interpolate variables. +See perldoc re, second paragraph of DESCRIPTION. It's a little iffy +to allow arbitrary regexen, since it's fairly easy to craft a regular +expression that takes unbounded time to run, but this can be avoided +with the use of alarm to add a time limit. Something like + + eval { # catches invalid regexen + no re 'eval'; # to be sure + local $SIG{ALRM} = sub { die }; + alarm(1); + ... stuff involving m/$some_random_variable/ ... + alarm(0); + }; + if ($@) { ... handle the error ... } + +should be safe. --[[WillThompson]]) + It would also be good to be able to subscribe to all pages except discussion pages or the SandBox: `* !*/discussion !sandobx`, maybe --[[Joey]] 3. Of course if you do that, you want to have form processing on the user @@ -34,3 +52,8 @@ Should support mail notification of new and changed pages. into a folder. --[[BrandenRobinson]] + + I'm deferring these nicities until there's some demonstrated demand + --[[Joey]]. + +[[todo/done]]
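Review bot: in the first hunk (the `+` block starting `(This is not actually true unless you "use re 'eval';"`), the timeout sketch leaves a pending alarm when the regex itself is invalid: `m/$some_random_variable/` dies inside the `eval` before `alarm(0);` runs, `local $SIG{ALRM}` is restored to the default on leaving the block, and the still-armed SIGALRM then terminates the process a second later outside any handler. Move `alarm(0);` to just after the `eval { ... };` (or into the `if ($@)` branch as well) so the timer is always cleared. Two further caveats worth a sentence in the note: with Perl's deferred ("safe") signals the ALRM handler only runs between opcodes, and perlipc names a regex match over a large string as a long-running opcode that can outlast the alarm, so a length cap on the pattern and on the matched text is a useful second bound; and `alarm(1)` has one-second granularity, so the effective limit is anywhere between zero and one second.

Review bot: in the second hunk, `nicities` in `I'm deferring these nicities until there's some demonstrated demand` should read `niceties`. Since the same hunk appends `[[todo/done]]`, it would help the reader to say which part is done (the mail notification itself) and which is deferred (the subscription refinements discussed above).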