Re: [RULE] Inclusion of php scripts in SPIP CMS?

[C David Rigby]

From a security perspective, this should be okay if

1) We are confident we can trust the script to behave itself
2) It does not accept any input in the form of a parameters supplied by 
the user (or at least restricts that input to, say, only the [a-zA-Z0-9] 
characters].

The point is to not let a user of the system narness a script to pass 
malicious/erroneous instructions to the server or a shell.

CDR

M. Fioretti wrote:
> On Sat, Mar 20, 2004 17:55:19 PM +0100, C David Rigby (address@hidden) wrote:
>
> > Good (UTC+1) to everybody,
> >
> > As previously threatened, I have written a report about a CMS called
> > SPIP that can be accessed on the testing server here:
> >
> > http://rule-test.homelinux.org/SPIP-report.html
>
>
> David (and Rodolfo)
>
> The report above says:
>
>
> > For authors of articles, there is also a set of formatting
> > "shortcuts" that allow the inclusion of basic text markup
> > (highlighting, headings, tables, etc.)  without use of HTML. However,
> > for the author that desires to use full HTML, the formatting
> > shortcuts can be escaped by a specific tag that indicates to the
> > formatting engine to pass the data to the webserver without
> > modification.
>
>
> The current structure today does embed some PHP scripts in this way:
> if the ascii source code has a line like:
>
> ##INSERT(scripts/phpscripts/show_home.php)
>
> where show_home.php is a piece of php code which queries the mysql
> database to display the three latest news, pages, sw entries.
>
> the .txt -> .php cron converter replaces that line with the content of
> that file (which is *outside* the public_html directory, ie can be
> uploaded only via ssh today). Maybe we could do the same thing in
> SPIP, ie patch it in some way that allows php stuff to be inserted
> only if it is already on the server in some private area. Consider
> that such scripts will need to be updated /created much less often
> than everything else in the page containing them, so it shouldn't be
> an hassle if they have to be uploaded the "old" (scp) way.
>
> This would still leave coauthors free to add the same (already
> existing) scripts in other/new pages, but that shouldn't be a security
> hole, should it?
>
> What do you think?
>
> Ciao,
>         Marco Fioretti
> --
> Marco Fioretti m.fioretti, at the server inwind.it
> Red Hat for low memory http://www.rule-project.org/en/
>
> It's not the hours you put in your work that counts, it's the work you
> put in the hours.                                            Sam Ewing
>
>
> _______________________________________________
> Rule Project HOME PAGE:  http://www.rule-project.org/en/
> Rule Development Site:   http://savannah.gnu.org/projects/rule/
> address@hidden
> http://mail.nongnu.org/mailman/listinfo/rule-list