On 9/4/07, Platonides <Platonides(a)gmail.com> wrote:
> People happily give "SELECT page_content WHERE page_name = ""getParam('title') + ";"
Mmmm.. PHP: Bringing you SQL injection since 1995.
(And yes, PHP is special in this case; the Perl, Python, etc. DB APIs have
a safe way to pass user data without requiring the coder to
religiously pass the data through quoting functions.)
[snip]
> If you set the toolserver to be non-blocked, the log is exactly the
> same: he who adds <script src="/tools/...
> What do you want to have it working? Have it pointing to svn repository?
> (so anything running there is versioned)
[snip]
Now that's a dandy idea for pure JS things, but pure JS things don't
need to be off-site: they can just be tossed into the MediaWiki
namespace.
The need to proxy to a backend service comes when you have some
local CGI that performs a search or consults a database.
It wouldn't be hard to set up a path whose files could only be changed
by pushing things through SVN, especially for software which doesn't
require compilation.
This would produce a nice enough audit trail.
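The contrast drawn above between pasting user data into the query text and handing it to the DB API as a parameter, as an added example that is not code from this thread: Python's sqlite3 module against a constructed in-memory page table, with the concatenated form beside the bound-parameter form.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a wiki's page store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (page_name TEXT, page_content TEXT)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?)",
        [("Main Page", "Welcome"), ("O'Brien", "Biography"), ("Secret", "hidden")],
    )
    return conn

def lookup_concat(conn: sqlite3.Connection, title: str) -> list:
    """Vulnerable: mirrors the string concatenation quoted in the thread.
    The title becomes part of the SQL text, so a quote character in it
    changes the statement instead of being compared as data."""
    sql = "SELECT page_content FROM pages WHERE page_name = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn: sqlite3.Connection, title: str) -> list:
    """Safe: the DB API binds the title as a parameter, so it is always
    treated as one literal string, whatever characters it contains."""
    sql = "SELECT page_content FROM pages WHERE page_name = ?"
    return [row[0] for row in conn.execute(sql, (title,))]

if __name__ == "__main__":
    db = make_db()
    # A perfectly legitimate title with an apostrophe works with parameters
    # but turns the concatenated statement into a syntax error.
    print(lookup_param(db, "O'Brien"))           # ['Biography']
    try:
        lookup_concat(db, "O'Brien")
    except sqlite3.OperationalError as err:
        print("concatenated query failed:", err)
    # The textbook tautology: same input, very different outcomes.
    crafted = "x' OR '1'='1"
    print(lookup_concat(db, crafted))            # every row leaks
    print(lookup_param(db, crafted))             # []
```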