From: spalax Date: Tue, 31 May 2016 20:39:17 +0000 (-0400) Subject: More thought about "bibtex2html" and "compile" X-Git-Tag: debian/3.20160728~42^2~4 X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/182a2ad99208169084e6b4fc8ef33222d46eba5a More thought about "bibtex2html" and "compile" --- diff --git a/doc/plugins/contrib/bibtex2html/discussion.mdwn b/doc/plugins/contrib/bibtex2html/discussion.mdwn index ac05a29a6..86686929c 100644 --- a/doc/plugins/contrib/bibtex2html/discussion.mdwn +++ b/doc/plugins/contrib/bibtex2html/discussion.mdwn @@ -97,3 +97,38 @@ Right now, it is not possible for the [[plugins/contrib/compile]] plugin to rend >>> A clever admin can certainly find out about such a command and >>> having a way for that admin to easily hook that into ikiwiki would >>> be a powerful tool, with all that implies. --[[anarcat]] + +>>>> Concerning the ability to run arbitrary commands, a [[discussion was +>>>> started|https://ikiwiki.info/plugins/contrib/compile/discussion/]] by someone +>>>> who wanted a secure version of this plugin. The idea I had (which has some +>>>> similarities with what is being discussed here) was to provide a +>>>> `compile_secure` boolean option to restrict what the user can do (if +>>>> false, users can run arbitrary commands; if true, users can only run a set of +>>>> predefined commands). However, since [[fr33domlover]], who started the +>>>> discussion, did not answer, nothing was implemented. +>>>> +>>>> Concerning arbitrary commands, I do not know Perl, but I think it can run +>>>> commands using something similar to [exec](http://linux.die.net/man/3/exec), +>>>> which prevents (?) shell injections. This adds the burden of manipulating +>>>> arrays instead of strings, but security should be improved. +>>>> +>>>> If we want to merge this plugin and compile, I think a better idea than the one +>>>> I proposed at the beginning of the discussion would be to provide two different +>>>> directives: a `\[[!compile "foo.bar"]]` would compile the file and render it as a +>>>> link to the compiled file (what the compile plugin does right now), while +>>>> `\[[!render "foo.bar"]]` would compile the file, +>>>> and render its content in the current page (whath the bibtex2html plugin +>>>> does). In fact, providing this +>>>> `\[[!render ...]]` directive (without the security considerations) seems +>>>> easy enough to implement, and I might implement it some day (soon, if it +>>>> solves [[anarcat]] problem and closes the discussion). +>>>> +>>>> While I am really happy to see that my plugin sparks some interest, I fear I +>>>> won't be able to implement what is discussed here, apart from the quick +>>>> feature I mentionned in the previous paragraph (I have a baby at home, I am +>>>> moving to another city in a few weeks, and the only code I ever wrote in Perl +>>>> was to contribute to IkiWiki). However, you have my blessing for making +>>>> whatever you want with my code: contribute, write a version 2 of it, write a +>>>> new plugin that makes it obsolete, copy the good ideas and dump the rest, etc. +>>>> +>>>> --[[Louis|spalax]]