[Phoenix-pm] Bill's Security Question

Scott Walters scott at slowass.net
Sun Sep 5 20:05:28 PDT 2010


Which Wiki?  The TinyWiki on phoenix.pm.org?

It shouldn't actually name a page 'rm -rf *':

  umask 0;
  my $wiki = qr{[A-Z][a-z]+[A-Z][A-Za-z]+};   # allowlist: a CamelCase word of ASCII letters only
  my $sn = $ENV{SCRIPT_NAME};
  my $rip = $ENV{REMOTE_ADDR};
  # ...
  $word =~ s/((\A|\s)[a-z])/\U$1/g;   # upper-case a letter at the start or after whitespace
  $word =~ s/\s//g;                    # strip all whitespace
  $word = 'HomePage' unless $word and $word =~ m/^$wiki$/o;   # fall back unless it is a WikiWord

If you give it something that doesn't look like a WikiWord, it should
fall back on using HomePage.

The question of securing <% ... Perl code ... %> is a far more open one.

-scott
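The normalisation Scott quotes is the whole defence: the request is rewritten into a CamelCase word or replaced by HomePage, so nothing with slashes, dots or shell metacharacters ever reaches the filesystem. The following is an added example, written in Python rather than Perl and not TinyWiki's own code, that mirrors those three statements step by step and runs a few constructed inputs through them; the function names `normalize_page_name` and `page_path` and the root directory are assumptions made for the illustration.

```python
import re
from pathlib import Path

# Same allowlist as TinyWiki's $wiki: a CamelCase word made only of ASCII letters.
WIKI_WORD = re.compile(r"[A-Z][a-z]+[A-Z][A-Za-z]+")
DEFAULT_PAGE = "HomePage"


def normalize_page_name(raw: str) -> str:
    """Mirror the three Perl statements: capitalise word starts, drop
    whitespace, then fall back to HomePage unless the result is a WikiWord."""
    # s/((\A|\s)[a-z])/\U$1/g : upper-case a lowercase letter at the start or after whitespace
    word = re.sub(r"((?:\A|\s)[a-z])", lambda m: m.group(1).upper(), raw)
    # s/\s//g : remove all whitespace (newlines included)
    word = re.sub(r"\s", "", word)
    # 'HomePage' unless $word and $word =~ m/^$wiki$/
    if not word or not WIKI_WORD.fullmatch(word):
        return DEFAULT_PAGE
    return word


def page_path(root: str, raw: str) -> Path:
    """Map a request to a file under root (hypothetical helper). The allowlist
    already rules out traversal; relative_to() is a belt-and-braces check."""
    root_dir = Path(root).resolve()
    target = (root_dir / normalize_page_name(raw)).resolve()
    target.relative_to(root_dir)  # raises ValueError if target escaped root
    return target


# Constructed sample inputs: what a visitor might put in the page-name parameter.
SAMPLE_REQUESTS = {
    "rm -rf *": "HomePage",          # shell metacharacters: not a WikiWord
    "../../etc/passwd": "HomePage",  # traversal attempt: dots and slashes fail the allowlist
    "home page": "HomePage",         # "home page" -> "HomePage", which happens to be a WikiWord
    "some page": "SomePage",         # plain words are joined into a WikiWord
    "Page": "HomePage",              # a single capitalised word is not a WikiWord
    "MyPage\n": "MyPage",            # trailing newline is stripped before the match
}


def check_samples() -> dict:
    """Return the normalised name for every constructed sample request."""
    return {raw: normalize_page_name(raw) for raw in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for raw, got in check_samples().items():
        print(f"{raw!r:22} -> {got}")
    print(page_path("/tmp/wiki-root", "../../etc/passwd"))
```

The point worth noticing is that the filesystem never sees the raw parameter at all; whatever the visitor sends is either a string matching the allowlist or the literal HomePage, which is why Douglas could create a page "named" rm -rf * and see nothing happen.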



On 9/3/10, Douglas E. Miles <doug at veritablesoftware.com> wrote:
> Bill,
>
> Unless I misunderstood what you were saying last night, you actually
> can't do anything nasty through the wiki page naming mechanism. I just
> created a page named 'rm -rf *' and it happily created a page with that
> name with no ill effects. Also I should mention that the path
> normalization code prevents you from going above the specified root
> directory. Sorry I didn't think this through last night, but we got some
> good humor out of it anyway. :)
> _______________________________________________
> Phoenix-pm mailing list
> Phoenix-pm at pm.org
> http://mail.pm.org/mailman/listinfo/phoenix-pm
>

