Janne Jalkanen wrote:
Has anyone done this already? Or is there an understanding that there
are no security issues here? (I'm thinking of things like permitting
HTML parsing for a single page, etc. -- there might be others more
subtle.)
In short: yes. Only a subset of properties, deemed safe, are allowed to
override the jspwiki.properties. These aren't unfortunately really
documented anywhere. :-/
Janne,
Thanks very much -- I had kinda thought that such an obvious security
hole wouldn't have been able to survive so many versions of the code,
so it's reassuring to know that there is a filter in place.
On the other hand, I've been so far unable to locate in the code where
this takes place. There's the no-no list on what is permitted to be
revealed (via 'get'), and I can find handleMetadata() in the parser
(which seems to expand any variables via the VariableManager's
expandVariables() method and then simply set them for the page), but I
can't find any actual filter or filter list. If you can tell me where
this happens I might be able to this week document it on the
jspwiki.org site.
Cheers,
Murray
...........................................................................
Murray Altheim <murray07 at altheim.com> === = =
http://www.altheim.com/murray/ = = ===
SGML Grease Monkey, Banjo Player, Wantanabe Zen Monk = = = =
Boundless wind and moon - the eye within eyes,
Inexhaustible heaven and earth - the light beyond light,
The willow dark, the flower bright - ten thousand houses,
Knock at any door - there's one who will respond.
-- The Blue Cliff Record
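An added illustration of the allow-list behaviour Janne describes above: page-level SET directives can only override site properties whose keys are explicitly deemed safe. This is example code written for this thread, not JSPWiki's own implementation; the property names, the SAFE_OVERRIDES list and the directive regex are all assumptions.

```java
import java.util.*;
import java.util.regex.*;

// Added example (not JSPWiki code): page-level [{SET key='value'}] directives
// may override site-wide properties only when the key is on an explicit allow-list.
public class PagePropertyOverrides {

    // Hypothetical allow-list; JSPWiki's real (undocumented) list is what the thread asks about.
    private static final Set<String> SAFE_OVERRIDES = new HashSet<>(Arrays.asList(
        "example.page.style",   // hypothetical cosmetic key
        "example.page.sidebar"  // hypothetical cosmetic key
    ));

    // Matches [{SET name='value'}] directives in wiki markup (assumed syntax).
    private static final Pattern SET_DIRECTIVE =
        Pattern.compile("\\[\\{SET\\s+([\\w.]+)\\s*=\\s*'([^']*)'\\s*\\}\\]");

    /** Extract SET directives from page text, in document order. */
    static Map<String, String> parseSetDirectives(String pageText) {
        Map<String, String> found = new LinkedHashMap<>();
        Matcher m = SET_DIRECTIVE.matcher(pageText);
        while (m.find()) found.put(m.group(1), m.group(2));
        return found;
    }

    /**
     * Merge page overrides into a copy of the site properties. Keys not on the
     * allow-list are left untouched and recorded in 'rejected', so a page cannot
     * flip a security setting (e.g. HTML parsing) merely by declaring it.
     */
    static Properties effectiveProperties(Properties site, Map<String, String> pageVars,
                                          List<String> rejected) {
        Properties effective = new Properties();
        effective.putAll(site);
        for (Map.Entry<String, String> e : pageVars.entrySet()) {
            if (SAFE_OVERRIDES.contains(e.getKey())) effective.setProperty(e.getKey(), e.getValue());
            else rejected.add(e.getKey());
        }
        return effective;
    }

    public static void main(String[] args) {
        Properties site = new Properties();
        site.setProperty("example.page.style", "default");
        site.setProperty("example.security.allowHtml", "false"); // hypothetical security key
        // Constructed page text: one harmless override and one attempt to enable HTML.
        String page = "[{SET example.page.style='wide'}]\n[{SET example.security.allowHtml='true'}]\nHello";
        List<String> rejected = new ArrayList<>();
        Properties eff = effectiveProperties(site, parseSetDirectives(page), rejected);
        System.out.println(eff + " rejected=" + rejected);
    }
}
```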