X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/bb964f69a3a5a4554fb9351b93fd98a3af7e3c3a..5aeaafac7ad106e0d6a90625def01154e3abc992:/doc/plugins/contrib/compile/discussion.mdwn?ds=sidebyside diff --git a/doc/plugins/contrib/compile/discussion.mdwn b/doc/plugins/contrib/compile/discussion.mdwn index 7777750ec..fbf9f22ea 100644 --- a/doc/plugins/contrib/compile/discussion.mdwn +++ b/doc/plugins/contrib/compile/discussion.mdwn @@ -7,8 +7,46 @@ Problem: Any user can change the command to something dangerous that deletes fil causes irreversible damage to the system. I can even happen by mistake. Suggestion: Add an option to the setup file that forbids to override the build command in the -directive, and then only the setup file can configure build commands (if you want). +directive, and then only the setup file can configure build commands (if you want). Another +idea, an option to validate the build command, either against a regex or using an arbitrary +script specified in setup file - then e.g. you can choose which commands are allowed. What do you think? -- [[fr33domlover]] + +> The problem you mention is known, and is not a problem for me, since I am the +only user of the wiki. However, if we need a *secure* version of this +command... +> +> Imagine we have a setup option `compile_unsecure`. +> +> The directive takes the following arguments +> +> - filetype: No problem. +> - build: Forbidden. +> - source: No problem. +> - template: No problem. +> - destname and files: The problem is that right now, the command is run using a shell +> call. Thus, a user can easily use this argument to inject malicious +> commands (something like \[[!compile files=";rm -fr *"]] (well, this +> actually would not work, but you get the idea)). I do want to keep the +> ability to use shell commands, for the flexibility it provides, but I imagine +> we can: +> - interpret the `build` command depending on its type: +> - if it is a string, it is interpreted as a shell command; +> - if it is a list of strings, the first one is the command to execute, +> the following ones are the arguments. If I am not wrong, this should +> prevent command injection. +> - if it is a list of lists of strings, it is a list of commands to +> execute (execution being stopped on the first error; usefull for stuff +> like `latex foo.tex && dvipdf foo.dvi`). +> - the `compile_unsecure` would: +> - forbid commands to be strings (thus, forbidding shell commands, and preventing command injections); +> - forbid compilation using Makefile or executable present in the wiki (to prevent users from modifying those files, and executing arbitrary commands); +> - forbid directive argument `build`. +> +> +> Any thoughts? +> +> -- [[Louis|spalax]]