From: spalax Date: Sat, 25 Oct 2014 16:17:16 +0000 (-0400) Subject: Answer X-Git-Tag: 3.20150107~98 X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/d60420b0a012b099653ecd4ed582f37662af260a Answer --- diff --git a/doc/plugins/contrib/compile/discussion.mdwn b/doc/plugins/contrib/compile/discussion.mdwn index 96269d4e4..c2d2f6cd4 100644 --- a/doc/plugins/contrib/compile/discussion.mdwn +++ b/doc/plugins/contrib/compile/discussion.mdwn @@ -14,3 +14,39 @@ script specified in setup file - then e.g. you can choose which commands are all What do you think? -- [[fr33domlover]] + +> The problem you mention is known, and is not a problem for me, since I am the +only user of the wiki. However, if we need a *secure* version of this +command... +> +> Imagine we have a setup option `compile_unsecure`. +> +> The directive takes the following arguments +> +> - filetype: No problem. +> - build: Forbidden. +> - source: No problem. +> - template: No problem. +> - destname and files: The problem is that right now, the command is run using a shell +> call. Thus, a user can easily use this argument to inject malicious +> commands (something like \[[!compile files=";rm -fr *"]] (well, this +> actually would not work, but you get the idea)). I do want to keep the +> ability to use shell commands, for the flexibility it provides, but I imagine +> we can: +> - interpret the `build` command depending on its type: +> - if it is a string, it is interpreted as a shell command; +> - if it is a list of strings, the first one is the command to execute, +> the following ones are the arguments. If I am not wrong, this should +> prevent command injection. +> - if it is a list of lists of strings, it is a list of commands to +> execute (execution being stopped on the first error; usefull for stuff +> like `latex foo.tex && dvipdf foo.dvi`). +> - the `compile_unsecure` would: +> - forbid commands to be strings (thus, forbidding shell commands, and preventing command injections); +> - forbid compilation using Makefile or executable prevent in the wiki (to prevent users from modifying those files, and executing arbitrary commands); +> - forbid directive argument `build`. +> +> +> Any thoughts? +> +> -- [[Louis|spalax]]