[RULE] Inclusion of php scripts in SPIP CMS?

C David Rigby cdrigby at 9online.fr
Mon Mar 22 07:43:15 EET 2004 

 From a security perspective, this should be okay if

1) We are confident we can trust the script to behave itself
2) It does not accept any input in the form of a parameters supplied by 
the user (or at least restricts that input to, say, only the [a-zA-Z0-9] 
characters].

The point is to not let a user of the system narness a script to pass 
malicious/erroneous instructions to the server or a shell.

CDR

M. Fioretti wrote:
> On Sat, Mar 20, 2004 17:55:19 PM +0100, C David Rigby (cdrigby at 9online.fr) wrote:
> 
>>Good (UTC+1) to everybody,
>>
>>As previously threatened, I have written a report about a CMS called
>>SPIP that can be accessed on the testing server here:
>>
>>http://rule-test.homelinux.org/SPIP-report.html
>>
> 
> 
> David (and Rodolfo)
> 
> The report above says:
> 
> 
>>For authors of articles, there is also a set of formatting
>>"shortcuts" that allow the inclusion of basic text markup
>>(highlighting, headings, tables, etc.)  without use of HTML. However,
>>for the author that desires to use full HTML, the formatting
>>shortcuts can be escaped by a specific tag that indicates to the
>>formatting engine to pass the data to the webserver without
>>modification.
> 
> 
> The current structure today does embed some PHP scripts in this way:
> if the ascii source code has a line like:
> 
> ##INSERT(scripts/phpscripts/show_home.php)
> 
> where show_home.php is a piece of php code which queries the mysql
> database to display the three latest news, pages, sw entries.
> 
> the .txt -> .php cron converter replaces that line with the content of
> that file (which is *outside* the public_html directory, ie can be
> uploaded only via ssh today). Maybe we could do the same thing in
> SPIP, ie patch it in some way that allows php stuff to be inserted
> only if it is already on the server in some private area. Consider
> that such scripts will need to be updated /created much less often
> than everything else in the page containing them, so it shouldn't be
> an hassle if they have to be uploaded the "old" (scp) way.
> 
> This would still leave coauthors free to add the same (already
> existing) scripts in other/new pages, but that shouldn't be a security
> hole, should it?
> 
> What do you think?
> 
> Ciao,
> 	Marco Fioretti
> --
> Marco Fioretti m.fioretti, at the server inwind.it
> Red Hat for low memory http://www.rule-project.org/en/
> 
> It's not the hours you put in your work that counts, it's the work you
> put in the hours.                                            Sam Ewing
> 
> 
> _______________________________________________
> Rule Project HOME PAGE:  http://www.rule-project.org/en/
> Rule Development Site:   http://savannah.gnu.org/projects/rule/
> Rule-list at nongnu.org
> http://mail.nongnu.org/mailman/listinfo/rule-list
> 


_______________________________________________
Rule Project HOME PAGE:  http://www.rule-project.org/en/
Rule Development Site:   http://savannah.gnu.org/projects/rule/
Rule-list at nongnu.org
http://mail.nongnu.org/mailman/listinfo/rule-list

More information about the Rule-list mailing list