Andrew Garrett wrote:
> On 30/06/2009, at 9:42 PM, Aryeh Gregor wrote:
>> On Tue, Jun 30, 2009 at 4:25 PM, Brion Vibber <brion@wikimedia.org> wrote:
>>> IMO by the time you've implemented your whitelisting parser you might as well just interpret it rather than eval()ing.
>> I don't think so. You'd only have to do the whitelisting once, on page save. After that you could just execute with no extra overhead.
> That's just scary. We'd definitely want to do the validation as close as possible to the actual eval()ing, to minimise backdoors like Special:Import et al.
Executing PHP from apache-writable files saved on disk is also a security danger.
The original implementation of the MonoBook skin used the TAL templating language, which was compiled into executable PHP at runtime and stored in /tmp so it could be cached for the next view.
In addition to difficulties with hosts which had misconfigured /tmp directories, we found that people sharing their hosts with poorly-secured WordPress installations would end up finding their wikis hacked -- worms exploiting vulnerabilities in other PHP apps would hop around the system modifying any .php files they could write to... including the cached PHPTAL templates.
-- brion
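The failure mode described in the message above (compiled PHP cached in a web-writable directory and rewritten by something else running as the web server user) is one that an integrity check performed right before execution can catch, which also puts the validation next to the eval() rather than at save time. The following is an added example written for this page; it is not MediaWiki or PHPTAL code and not Brion's design. Hypothetical and assumed: the TemplateCache class, compileTemplate() as a stand-in for the TAL compiler, a cache directory under the system temp dir, and an HMAC key that in a real deployment would come from a config file the web server user cannot write. Requires PHP 8.

```php
<?php
// Added example, not MediaWiki or PHPTAL code. Compiled template PHP is cached
// in a web-writable directory, but is only executed if an HMAC computed with a
// key the web server user cannot write still matches. A worm that can rewrite
// .php files in the cache cannot forge the HMAC without that key.
// Hypothetical names: TemplateCache, compileTemplate(), the cache directory.
declare(strict_types=1);

final class TemplateCache
{
    public function __construct(private string $dir, private string $key)
    {
        if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
            throw new RuntimeException("cannot create cache dir $dir");
        }
    }

    // Stand-in for the TAL->PHP compiler: emits a PHP file that echoes the
    // template text. The real compiler is not part of this example.
    public static function compileTemplate(string $source): string
    {
        return "<?php\necho " . var_export($source, true) . ";\n";
    }

    private function paths(string $name, string $source): array
    {
        // Key the entry on the source as well, so an edited template is
        // recompiled instead of being served from a stale cache file.
        $base = $this->dir . '/' . hash('sha256', $name . "\0" . $source);
        return [$base . '.php', $base . '.sig'];
    }

    private function sign(string $php): string
    {
        return hash_hmac('sha256', $php, $this->key);
    }

    // Returns compiled PHP that has already been verified. The caller evals
    // these bytes rather than include()ing the path, so nothing can rewrite the
    // file between the check and the execution.
    public function load(string $name, string $source): string
    {
        [$phpPath, $sigPath] = $this->paths($name, $source);
        if (is_file($phpPath) && is_file($sigPath)) {
            $php = (string) file_get_contents($phpPath);
            $sig = trim((string) file_get_contents($sigPath));
            if (hash_equals($this->sign($php), $sig)) {
                return $php;
            }
            // Mismatch: treat the cache entry as hostile, discard and rebuild.
            error_log("template cache integrity failure for '$name'; recompiling");
            @unlink($phpPath);
            @unlink($sigPath);
        }
        $php = self::compileTemplate($source);
        // Write to a temporary name and rename, so a concurrent reader never
        // sees a half-written file.
        $tmp = $phpPath . '.' . bin2hex(random_bytes(8));
        file_put_contents($tmp, $php);
        chmod($tmp, 0640);
        rename($tmp, $phpPath);
        file_put_contents($sigPath, $this->sign($php));
        return $php;
    }

    // Execute verified compiled code. The leading '?>' drops eval() out of
    // PHP mode so the cached file's own '<?php' opening tag parses normally.
    public function render(string $name, string $source): string
    {
        $php = $this->load($name, $source);
        ob_start();
        try {
            eval('?>' . $php);
        } finally {
            $out = (string) ob_get_clean();
        }
        return $out;
    }
}

// Demo (constructed): compile once, then simulate a worm rewriting the cached
// .php file, then render again. The second render detects the tampering,
// recompiles, and still prints the template rather than the injected code.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/tplcache-demo';
    $cache = new TemplateCache($dir, 'replace-with-a-key-from-a-non-web-writable-config');
    echo $cache->render('footer', 'Hello from a template'), "\n";
    foreach (glob($dir . '/*.php') as $f) {
        file_put_contents($f, "<?php echo 'pwned';\n");
    }
    echo $cache->render('footer', 'Hello from a template'), "\n";
}
```

Two caveats worth keeping in mind. First, the check defends against the indiscriminate worms described above, which rewrite any writable .php file they find; an attacker who already runs as the web server user and targets this wiki specifically can read the same config the wiki reads and compute a valid HMAC, so the stronger fix remains the one stated in the message: do not execute anything from a path the web server can write. Second, verifying the bytes and then include()ing the path would reopen a race window; evaluating the verified string is what keeps the validation "as close as possible to the actual eval()ing".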