Hello Patrick and all,

I am considering letting the users upload their skin templates and CSS files
via the upload function of PmWiki, without FTP, and without bothering the
server administrator.

Obviously, I can only allow ordinary templates, "skin.tmpl" files (no PHP
scripts). However, even they may contain some malicious code that may become
a big security or privacy problem.

So, is it possible to disable the following skin markups from being processed:

<!--function: fname par par...-->
<!--file:/etc/passwd-->
<!--page:ReadProtectedPage SiteAdmin.AuthUser-->

The only "pluggable" thing that came to my mind is to intercept the uploads
and remove those keywords or replace them with something different. The
functions LoadPageTemplate() and PrintFmt() seem unusually hardcoded to be
set without a core patch.

Thanks a lot,
Petko
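
Added example, not part of the original message and not PmWiki code: one way to do the upload interception described above is to scan the template and refuse the upload outright, since stripping keywords in place can leave a new directive behind (removing "file:" from "fifile:le:" yields "file:"). The function names are hypothetical, the keyword list covers only the three directives named in the message, and the match is deliberately broader than their literal forms; check it against the directive syntax your PmWiki version actually parses.

```php
<?php
// Added example (not PmWiki code). Function names are hypothetical.
// Keywords taken from the message; extend for the PmWiki version in use.
const BLOCKED_DIRECTIVES = ['function', 'file', 'page'];

/**
 * Return every blocked directive found in $template with its line number.
 * Matches "!--", optional whitespace, a keyword, optional whitespace and ":",
 * case-insensitively, so spacing and case variants are caught as well.
 */
function find_blocked_directives(string $template): array
{
    $alt = implode('|', array_map('preg_quote', BLOCKED_DIRECTIVES));
    $pattern = '/!--\s*(' . $alt . ')\s*:/i';
    if (preg_match_all($pattern, $template, $m, PREG_OFFSET_CAPTURE) === false) {
        // Fail closed: a scan that could not run must not approve the file.
        throw new RuntimeException('template scan failed');
    }
    $hits = [];
    foreach ($m[1] as [$keyword, $offset]) {
        $line = substr_count(substr($template, 0, $offset), "\n") + 1;
        $hits[] = ['directive' => strtolower($keyword), 'line' => $line];
    }
    return $hits;
}

/** Accept only plain *.tmpl names whose content has no blocked directive. */
function accept_skin_upload(string $filename, string $template): bool
{
    if (!preg_match('/^[A-Za-z0-9_-]+\.tmpl$/', $filename)) {
        return false; // no scripts, no path components, no double extensions
    }
    return find_blocked_directives($template) === [];
}

// Constructed sample template for demonstration.
$sample = <<<'TMPL'
<html><head><!--HeaderText--></head>
<body>
<!--PageText-->
<!-- FILE:/etc/passwd -->
<!--page:ReadProtectedPage SiteAdmin.AuthUser-->
</body></html>
TMPL;

foreach (find_blocked_directives($sample) as $hit) {
    printf("blocked directive '%s' on line %d\n", $hit['directive'], $hit['line']);
}
echo accept_skin_upload('skin.tmpl', $sample) ? "accepted\n" : "rejected\n";
```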