Ethan Jucovy wrote:
> *GenshiMacro* is a wiki macro that lets you write, and render, Genshi
> templates directly in wiki pages using a ``#!Genshi`` processor for
> blockquotes.
You ask about security on the project page, so here's my take on it.
Genshi templates allow executing arbitrary Python code. So you basically
give users who can insert the macro anywhere (wiki page, ticket comment,
etc) permission to act as the user running Trac, including running any
shell command.
{{{#!Genshi
<div>${open('/etc/apache2/htpasswd').read()}</div>
}}}
{{{#!Genshi
<?python
import os
os.system("rm /path/to/env/db/trac.db")
?>
}}}
So my advice is, only enable this macro on sites where you trust *all*
users who can edit *any* wiki text with the web server's account.
-- Remy
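Added example, not from the original message and not code from GenshiMacro or Genshi: a deliberately minimal Python model of an expression-template engine, to show why letting wiki editors supply template text amounts to letting them run code as the web server's account. The `render()` helper, its two regexes, the `demo_*` functions and the sample wiki text are constructed for this illustration; Genshi's real implementation is more elaborate, but the evaluation model is the same: template-supplied source for `${...}` and `<?python ... ?>` is compiled and run by the Python interpreter of the rendering process, with no restriction on what it may call.

```python
"""Toy model of an expression-template engine (constructed illustration,
not Genshi's own code)."""
import os
import re
import tempfile
import textwrap

# ${...} expression, the syntax used in the wiki payloads above.
EXPR_RE = re.compile(r"\$\{(.+?)\}")
# <?python ... ?> processing instruction: whole statements, run with exec().
PI_RE = re.compile(r"<\?python(.*?)\?>", re.DOTALL)


def render(template_text, context=None):
    """Render template_text the way an expression-based template engine does:
    every <?python ... ?> block is executed as Python statements and every
    ${...} is evaluated as a Python expression, both in a namespace seeded
    from `context`.  Nothing restricts what that code may do, which is the
    point: whoever controls the template controls the interpreter."""
    namespace = dict(context or {})

    def run_statements(match):
        # Statements: imports, os.system(), file writes, anything at all.
        exec(textwrap.dedent(match.group(1)).strip(), namespace)
        return ""

    def eval_expression(match):
        return str(eval(match.group(1), namespace))

    text = PI_RE.sub(run_statements, template_text)
    return EXPR_RE.sub(eval_expression, text)


def demo_read_file():
    """Constructed demo: a 'wiki page' that reads a file the web server can
    read.  A temp file stands in for /etc/apache2/htpasswd."""
    with tempfile.NamedTemporaryFile("w", suffix=".htpasswd", delete=False) as fh:
        fh.write("admin:$apr1$constructed$hash\n")  # constructed sample content
        path = fh.name
    try:
        wiki_text = "<div>${open(%r).read().strip()}</div>" % path
        return render(wiki_text)
    finally:
        os.unlink(path)


def demo_process_identity():
    """Constructed demo: statements in a template run inside the rendering
    process, i.e. as the account running Trac.  Returns (rendered, expected)."""
    wiki_text = "<?python\nimport os\nwho = os.getpid()\n?>pid=${who}"
    return render(wiki_text), "pid=%d" % os.getpid()


if __name__ == "__main__":
    print(demo_read_file())
    print(demo_process_identity()[0])
```

The two demos mirror the two payloads in the message: an expression that reads a file, and a statement block that imports `os` and calls it. Stripping builtins from the namespace or filtering obvious names would not change the conclusion, since the template still executes inside the server process; the only effective control is the one the message gives, restricting who may insert the processor at all.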
