On Sat, Mar 20, 2004 17:55:19 PM +0100, C David Rigby (address@hidden) wrote:
> Good (UTC+1) to everybody,
> As previously threatened, I have written a report about a CMS called
> SPIP that can be accessed on the testing server here:
> http://rule-test.homelinux.org/SPIP-report.html
> David (and Rodolfo)
The report above says:
> For authors of articles, there is also a set of formatting
> "shortcuts" that allow the inclusion of basic text markup
> (highlighting, headings, tables, etc.) without use of HTML. However,
> for the author that desires to use full HTML, the formatting
> shortcuts can be escaped by a specific tag that indicates to the
> formatting engine to pass the data to the webserver without
> modification.
The current structure today does embed some PHP scripts in this way:
if the ascii source code has a line like:
##INSERT(scripts/phpscripts/show_home.php)
where show_home.php is a piece of php code which queries the mysql
database to display the three latest news, pages, sw entries.
the .txt -> .php cron converter replaces that line with the content of
that file (which is *outside* the public_html directory, ie can be
uploaded only via ssh today). Maybe we could do the same thing in
SPIP, ie patch it in some way that allows php stuff to be inserted
only if it is already on the server in some private area. Consider
that such scripts will need to be updated/created much less often
than everything else in the page containing them, so it shouldn't be
a hassle if they have to be uploaded the "old" (scp) way.
This would still leave coauthors free to add the same (already
existing) scripts in other/new pages, but that shouldn't be a security
hole, should it?
What do you think?
Ciao,
Marco Fioretti
--
Marco Fioretti m.fioretti, at the server inwind.it
Red Hat for low memory http://www.rule-project.org/en/
It's not the hours you put in your work that counts, it's the work you
put in the hours. Sam Ewing
_______________________________________________
Rule Project HOME PAGE: http://www.rule-project.org/en/
Rule Development Site: http://savannah.gnu.org/projects/rule/
address@hidden
http://mail.nongnu.org/mailman/listinfo/rule-list
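The ##INSERT() mechanism Marco describes, as an added example that is not part of this thread or of the RULE/SPIP code: a converter that expands a directive only when the named file already lives under a private scripts directory outside public_html, refusing absolute paths, ".." components and symlink escapes, and dropping any directive it cannot verify instead of passing it through to the webserver. The directory layout, file names and page text in demo() are constructed for the illustration.

```python
# Allow-listed ##INSERT() expansion for a txt -> php cron converter (added example).
import re
import tempfile
from pathlib import Path

# A directive occupies a whole line: ##INSERT(relative/path.php)
INSERT_RE = re.compile(r"^##INSERT\((?P<name>[^)]+)\)\s*$")

def safe_script_path(private_dir, name):
    """Return the script path only if `name` stays inside private_dir, else None."""
    base = Path(private_dir).resolve()
    candidate = Path(name)
    # Reject absolute paths and any '..' component outright.
    if candidate.is_absolute() or ".." in candidate.parts:
        return None
    target = (base / candidate).resolve()  # resolve() follows symlinks
    try:
        target.relative_to(base)  # a symlink escape resolves outside base
    except ValueError:
        return None
    return target if target.is_file() else None

def expand_inserts(text, private_dir):
    """Return (output, rejected); rejected directives are dropped, never passed through."""
    out, rejected = [], []
    for line in text.splitlines():
        m = INSERT_RE.match(line)
        if not m:
            out.append(line)
            continue
        path = safe_script_path(private_dir, m.group("name"))
        if path is None:
            rejected.append(m.group("name"))
        else:
            out.append(path.read_text())
    return "\n".join(out) + "\n", rejected

def demo():
    """Constructed page: one valid script plus two directives that must be refused."""
    with tempfile.TemporaryDirectory() as d:
        private = Path(d) / "scripts"  # stands in for the private, non-web directory
        (private / "phpscripts").mkdir(parents=True)
        (private / "phpscripts" / "show_home.php").write_text("<?php echo 'latest'; ?>")
        (Path(d) / "secret.txt").write_text("not for the web")  # exists, but outside
        page = ("<h1>Home</h1>\n##INSERT(phpscripts/show_home.php)\n"
                "##INSERT(../secret.txt)\n##INSERT(/etc/passwd)\n")
        return expand_inserts(page, private)

if __name__ == "__main__":
    print(demo())
```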