Re: [RULE] Inclusion of php scripts in SPIP CMS?
From: M. Fioretti
Subject: Re: [RULE] Inclusion of php scripts in SPIP CMS?
Date: Mon, 22 Mar 2004 07:14:50 +0100
User-agent: Mutt/1.4i
On Mon, Mar 22, 2004 06:43:15 AM +0100, C David Rigby (address@hidden) wrote:
> From a security perspective, this should be okay if
>
> 1) We are confident we can trust the script to behave itself
We can come to that together as it would be just a few scripts, most
of which already exist.
> 2) It does not accept any input in the form of parameters supplied
> by the user (or at least restricts that input to, say, only the
> [a-zA-Z0-9] characters).
The existing scripts which fetch newest stuff from the database are
like this. The only problem is the form which places stuff in the test
database, and of course those provided by SPIP.
> The point is to not let a user of the system harness a script to pass
> malicious/erroneous instructions to the server or a shell.
agreed.
Ciao,
Marco Fioretti
--
Marco Fioretti m.fioretti, at the server inwind.it
Red Hat for low memory http://www.rule-project.org/en/
Human beings act intelligently only after they have exhausted the
alternatives -- Abba Eban
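
An added example, not part of the original message or of SPIP's code: one way a PHP script could enforce the [a-zA-Z0-9] restriction from point 2 before a user-supplied parameter is used. The function name allowlisted_param and the parameter name section are hypothetical, and the inputs are constructed.

```php
<?php
// Added example: hypothetical helper, constructed sample inputs.

/**
 * Return $source[$name] only if it is a non-empty string made solely of
 * [a-zA-Z0-9] and at most $maxLen bytes long; otherwise return null.
 */
function allowlisted_param(array $source, string $name, int $maxLen = 32): ?string
{
    // A request such as ?section[]=x makes PHP deliver an array, so
    // anything that is not a plain string is rejected outright.
    if (!isset($source[$name]) || !is_string($source[$name])) {
        return null;
    }
    $value = $source[$name];
    if (strlen($value) > $maxLen) {
        return null;
    }
    // \A and \z anchor the whole string. A bare "$" would also accept
    // "abc\n", because it matches just before a trailing newline.
    if (preg_match('/\A[a-zA-Z0-9]+\z/', $value) !== 1) {
        return null;
    }
    return $value;
}

// Constructed inputs standing in for $_GET.
$samples = [
    ['section' => 'news2004'],        // letters and digits only
    ['section' => "news\n"],          // trailing newline
    ['section' => 'news|x'],          // shell metacharacter
    ['section' => "news'--"],         // quote character
    ['section' => ['news']],          // array instead of string
    ['section' => str_repeat('a', 64)], // longer than the cap
    [],                               // parameter missing
];

foreach ($samples as $query) {
    $section = allowlisted_param($query, 'section');
    printf(
        "%-40s => %s\n",
        substr(json_encode($query), 0, 40),
        $section === null ? 'rejected' : "accepted ($section)"
    );
}
```

Only the first sample is accepted. A value that later goes into an SQL statement should still be bound as a query parameter rather than concatenated, since the allowlist only narrows what reaches the script.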