Gregory Maxwell wrote:
> On 9/4/07, Platonides <Platonides@gmail.com> wrote:
>> People happily give "SELECT page_content WHERE page_name = ""getParam('title') + ";"
>
> Mmmm.. PHP: Bringing you SQL injection since 1995.
>
> (And yes, PHP is special in this case; Perl, Python, etc. DB APIs have a safe way to pass user data without requiring the coder to religiously pass the data through quoting functions.)
>
>> They're doing the same with JavaScript. Luckily MediaWiki doesn't rely on user scripts to escape SQL.
>>
>> If you set the toolserver to be non-blocked, the log is exactly the same: he who adds <script src="/tools/... What do you want to have it working? Have it pointing to the SVN repository? (So anything running there is versioned.)
>
> [snip]
>
> Now that's a dandy idea for pure JS things.. but pure JS things don't need to be off-site.. they can just be tossed into the MediaWiki namespace.
>
> The need to proxy to a backend service comes when you have some local CGI that performs a search or consults a database.
>
> It wouldn't be hard to set up a path whose files could only be changed by pushing things through SVN... especially for software which doesn't require compilation.
>
> This would produce a nice enough audit trail.

I wasn't thinking of JavaScripts, but the full files. :-)
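The point Gregory makes above about string-spliced SQL versus DB APIs with placeholders, shown as an added example that is not from this thread, from MediaWiki or from the toolserver. It uses Python's sqlite3 module (Python being one of the languages he names) with a constructed in-memory `page` table standing in for a wiki's page table; the function names `lookup_concatenated` and `lookup_parameterized` and the sample rows are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample rows (not real wiki data): one page title contains an
# apostrophe, which is legitimate input that string splicing mishandles.
SAMPLE_PAGES = [
    ("Main_Page", "Welcome"),
    ("Secret_Draft", "not for public"),
    ("O'Reilly", "a page about a publisher"),
]


def make_db():
    """Build an in-memory table shaped like the query in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (page_name TEXT, page_content TEXT)")
    conn.executemany("INSERT INTO page VALUES (?, ?)", SAMPLE_PAGES)
    return conn


def lookup_concatenated(conn, title):
    """The pattern quoted in the thread: the request parameter is spliced into
    the SQL text, so the database parses user data as part of the statement."""
    sql = "SELECT page_content FROM page WHERE page_name = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, title):
    """The safe DB-API form: a placeholder in the SQL, the value bound
    separately, so the parser never sees the user's bytes as SQL syntax."""
    sql = "SELECT page_content FROM page WHERE page_name = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


def demo():
    """Run both lookups over a benign title, a title with an apostrophe, and a
    textbook injection string; return the observed behaviour of each."""
    conn = make_db()
    benign = "Main_Page"
    apostrophe = "O'Reilly"           # legitimate input
    hostile = "x' OR '1'='1"          # constructed injection string
    results = {
        "concat_benign": lookup_concatenated(conn, benign),
        "concat_hostile": lookup_concatenated(conn, hostile),
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),
        "param_apostrophe": lookup_parameterized(conn, apostrophe),
    }
    # Spliced SQL breaks even on honest input: the apostrophe unbalances the
    # quotes and SQLite rejects the statement outright.
    try:
        lookup_concatenated(conn, apostrophe)
        results["concat_apostrophe"] = "ran"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The concatenated lookup returns every row for the injection string and throws a syntax error on a title containing an apostrophe, while the parameterized lookup returns exactly the matching row in both cases and nothing for the injection string; that is the "safe way to pass user data" the reply refers to, and it needs no quoting function in the caller.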