On 9/4/07, Platonides Platonides@gmail.com wrote:
> People happily give "SELECT page_content WHERE page_name = ""getParam('title') + ";"
Mmmm.. PHP: Bringing you SQL injection since 1995.
(And yes, PHP is special in this case: the Perl, Python, etc. DB APIs have a safe way to pass user data without requiring the coder to religiously pass the data through quoting functions.)
[snip]
> If you set the toolserver to be non-blocked, the log is exactly the same: he who adds <script src="/tools/... What do you want in order to have it working? Have it pointing to the svn repository? (so anything running there is versioned)
[snip]
Now that's a dandy idea for pure JS things.. but pure JS things don't need to be off-site.. they can just be tossed into the MediaWiki namespace.
The need to proxy to a backend service comes when you have some local CGI that performs a search or consults a database.
It wouldn't be hard to set up a path whose files could only be changed by pushing things through SVN... especially for software which doesn't require compilation.
This would produce a nice enough audit trail.
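As an added illustration of the point made earlier in this message (not code from the thread or from MediaWiki), the quoted "glue the title into the query" pattern is written out in Python against a constructed in-memory SQLite table next to the parameterized form that the Perl/Python-style DB APIs provide. The table name `page`, its two columns, and the sample rows are assumptions for the demo; the concatenated variant shows both the functional bug (a legitimate title containing an apostrophe breaks the query) and the injection (a crafted title changes the WHERE clause), while the bound-parameter variant treats the same strings purely as data.

```python
import sqlite3

# Constructed sample data standing in for a wiki's page table (assumption for the demo).
SAMPLE_PAGES = [
    ("Main_Page", "Welcome to the wiki."),
    ("Sandbox", "Try editing here."),
    ("Secret_Draft", "Not meant to be visible."),
]


def make_db():
    """Build an in-memory SQLite database with a minimal page table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (page_name TEXT, page_content TEXT)")
    conn.executemany("INSERT INTO page VALUES (?, ?)", SAMPLE_PAGES)
    return conn


def lookup_concatenated(conn, title):
    """The pattern the message complains about: the user-supplied title is spliced
    into the SQL text, so any quote characters in it become part of the query."""
    sql = "SELECT page_content FROM page WHERE page_name = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, title):
    """The 'safe way to pass user data': the driver binds the value separately
    from the SQL text, so the title can never be parsed as SQL."""
    sql = "SELECT page_content FROM page WHERE page_name = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


def run_demo():
    """Exercise both lookups with a normal title, a title containing an apostrophe,
    and a title crafted to alter the query, returning the observed behaviour."""
    conn = make_db()
    results = {}

    # Ordinary title: both forms agree.
    results["normal"] = (
        lookup_concatenated(conn, "Sandbox"),
        lookup_parameterized(conn, "Sandbox"),
    )

    # Legitimate apostrophe: concatenation yields malformed SQL, binding just works.
    try:
        lookup_concatenated(conn, "O'Brien")
        results["concatenated_breaks_on_apostrophe"] = False
    except sqlite3.OperationalError:
        results["concatenated_breaks_on_apostrophe"] = True
    results["parameterized_apostrophe"] = lookup_parameterized(conn, "O'Brien")

    # Crafted title: concatenation rewrites the WHERE clause and returns every row;
    # the bound parameter is compared literally and matches nothing.
    crafted = "x' OR '1'='1"
    results["concatenated_crafted_rows"] = len(lookup_concatenated(conn, crafted))
    results["parameterized_crafted_rows"] = len(lookup_parameterized(conn, crafted))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The escaping-by-hand alternative (routing every value through a quoting function) fails the moment one call site is forgotten; binding parameters removes that per-call obligation, which is exactly the difference the message draws between PHP's then-typical style and the other DB APIs.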