Gregory Maxwell wrote:
> On 9/4/07, Platonides <Platonides(a)gmail.com> wrote:
>> People happily give "SELECT page_content WHERE page_name = ""getParam('title') + ";"
> Mmmm.. PHP: Bringing you SQL injection since 1995.
> (And yes, PHP is special in this case; the Perl, Python, etc. DB APIs have
> a safe way to pass user data without requiring the coder to
> religiously pass the data through quoting functions.)
They're doing the same with JavaScript. Luckily MediaWiki doesn't rely
on user scripts to escape SQL.
>> If you set the toolserver to be non-blocked, the log is exactly the
>> same: he who adds <script src="/tools/...
>> What do you want in order to have it working? Have it pointing to an SVN repository?
>> (so anything running there is versioned)
> [snip]
> Now that's a dandy idea for pure JS things.. but pure JS things don't
> need to be off-site.. they can just be tossed into the MediaWiki
> namespace.
> The need to proxy to a backend service comes when you have something
> like a local CGI that performs a search or consults a database.
> It wouldn't be hard to set up a path whose files could only be changed
> by pushing things through SVN... especially for software which doesn't
> require compilation.
> This would produce a nice enough audit trail.
I wasn't thinking of JavaScript, but of the full files. :-)
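Added example, not part of the thread and not MediaWiki code: the concatenation pattern Platonides quotes, run beside the two alternatives Gregory contrasts it with (a quoting function the coder has to remember at every call site, and a DB API that binds parameters), against a constructed SQLite table in Python. The table name `page`, its columns, the sample rows and the crafted title are assumptions made for this example.

```python
import sqlite3

# Constructed sample data standing in for a wiki page table; the table name,
# columns and rows are assumptions for this example, not MediaWiki's schema.
PAGES = [
    ("Main_Page", "Welcome to the wiki"),
    ("Secret_Draft", "unpublished text"),
    ("Sandbox", "play here"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (page_name TEXT, page_content TEXT)")
    conn.executemany("INSERT INTO page VALUES (?, ?)", PAGES)
    return conn


def lookup_concat(conn, title):
    """The pattern from the thread: the request parameter is glued into the SQL
    text, so a quote inside `title` ends the literal and the rest is parsed as SQL."""
    sql = "SELECT page_content FROM page WHERE page_name = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def quote_literal(value):
    """Manual quoting, the discipline the thread says has to be applied
    'religiously': double every single quote so it stays inside the literal."""
    return "'" + value.replace("'", "''") + "'"


def lookup_escaped(conn, title):
    """Same concatenation with the quoting function applied. Safe only as long
    as every call site remembers to call it."""
    sql = "SELECT page_content FROM page WHERE page_name = " + quote_literal(title)
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, title):
    """Placeholder binding: the driver hands the value over separately from the
    SQL text, so it is never parsed as syntax and no quoting is needed here."""
    return [row[0] for row in conn.execute(
        "SELECT page_content FROM page WHERE page_name = ?", (title,))]


def demo():
    """Run each lookup with a benign title and a crafted one; return what each saw."""
    conn = make_db()
    benign = "Main_Page"
    hostile = "' OR '1'='1"   # constructed payload: closes the literal, adds a tautology
    return {
        "concat_benign": lookup_concat(conn, benign),
        "concat_hostile": lookup_concat(conn, hostile),   # every row comes back
        "escaped_hostile": lookup_escaped(conn, hostile), # no page has that name
        "param_benign": lookup_param(conn, benign),
        "param_hostile": lookup_param(conn, hostile),     # no page has that name
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The crafted title turns the concatenated query into `... WHERE page_name = '' OR '1'='1'`, which matches every row; the escaped and the bound versions both look up a page literally named `' OR '1'='1` and find nothing. The difference between the last two is where the safety lives: in the escaped version it is a convention the coder must follow at each query, in the bound version it is a property of the API.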