diff options
author | Joey Hess <joey@kodama.kitenet.net> | 2008-03-12 13:14:43 -0400 |
---|---|---|
committer | Joey Hess <joey@kodama.kitenet.net> | 2008-03-12 13:14:43 -0400 |
commit | 6690f1091a149a7b273d9b72c88806e5676fa185 (patch) | |
tree | 30461e73d53d7f09215504c29f3d8f2f6e0e19a0 /doc/plugins/contrib/hnb | |
parent | 5447cf4089916d22492ac22ea147b5a23097ef8f (diff) |
code review of hnd plugin
Diffstat (limited to 'doc/plugins/contrib/hnb')
-rw-r--r-- | doc/plugins/contrib/hnb/discussion.mdwn | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/doc/plugins/contrib/hnb/discussion.mdwn b/doc/plugins/contrib/hnb/discussion.mdwn new file mode 100644 index 000000000..716753878 --- /dev/null +++ b/doc/plugins/contrib/hnb/discussion.mdwn @@ -0,0 +1,19 @@ +I've reviewed this plugin's code, and there is one major issue with it, +namely this line: + + system("hnb '$params{page}.hnb' 'go root' 'export_html $tmp' > /dev/null"); + +This could potentially allow execution of artibtary shell code, if the filename +contains a single quote. Which ikiwiki doesn't allow by default, but I prefer +to never involve a shell where one is not needed. The otl plugin is a good +example of how to safely fork a child process without involving the shell. + +Other problems: + +* Use of shell mktemp from perl is suboptimal. File::Temp would be better. +* The htmlize hook should not operate on the contents of `$params{page}.hnb`. + The content that needs to be htmlized is passed in to the hook in + `$params{content}`. + +If these problems are resolved and a copyright statement is added to the file, +I'd be willing to include this plugin in ikiwiki. --[[Joey]] |