Diffstat (limited to 'doc/plugins/contrib')
-rw-r--r-- doc/plugins/contrib/hnb.mdwn | 2
-rw-r--r-- doc/plugins/contrib/hnb/discussion.mdwn | 19
2 files changed, 20 insertions, 1 deletions
diff --git a/doc/plugins/contrib/hnb.mdwn b/doc/plugins/contrib/hnb.mdwn
index 4f4457cd6..8352e1a9b 100644
--- a/doc/plugins/contrib/hnb.mdwn
+++ b/doc/plugins/contrib/hnb.mdwn
@@ -1,5 +1,5 @@
[[template id=plugin name=hnb author="[[XTaran]]"]]
-[[tag type/format]]
+[[tag type/format type/slow]]
This plugin allows ikiwiki to process `.hnb` XML files, as created by
the Hierachical Notebook [hnb](http://hnb.sourceforge.net/). To use it, you need to have
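Review bot: the context line directly under the changed tag still misspells "Hierarchical" as "Hierachical"; since this commit already edits the header of hnb.mdwn, fix the typo in the same hunk. The new `type/slow` tag would also be easier to justify for readers if the page stated why it applies, namely that the plugin forks an external `hnb` process for every page it renders.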
diff --git a/doc/plugins/contrib/hnb/discussion.mdwn b/doc/plugins/contrib/hnb/discussion.mdwn
new file mode 100644
index 000000000..716753878
--- /dev/null
+++ b/doc/plugins/contrib/hnb/discussion.mdwn
@@ -0,0 +1,19 @@
+I've reviewed this plugin's code, and there is one major issue with it,
+namely this line:
+
+ system("hnb '$params{page}.hnb' 'go root' 'export_html $tmp' > /dev/null");
+
+This could potentially allow execution of artibtary shell code, if the filename
+contains a single quote. Which ikiwiki doesn't allow by default, but I prefer
+to never involve a shell where one is not needed. The otl plugin is a good
+example of how to safely fork a child process without involving the shell.
+
+Other problems:
+
+* Use of shell mktemp from perl is suboptimal. File::Temp would be better.
+* The htmlize hook should not operate on the contents of `$params{page}.hnb`.
+ The content that needs to be htmlized is passed in to the hook in
+ `$params{content}`.
+
+If these problems are resolved and a copyright statement is added to the file,
+I'd be willing to include this plugin in ikiwiki. --[[Joey]]
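Review bot: the added line "This could potentially allow execution of artibtary shell code" misspells "arbitrary"; correct it before this discussion page is committed. The review itself is sound: the quoted `system("hnb '$params{page}.hnb' ...")` interpolates a page name into a single-quoted shell string, so a quote in the name ends the quoting and the rest is interpreted by the shell. The note would be more actionable if it spelled out the remedy it alludes to with the otl example, namely calling `system()` with a list of arguments (`system("hnb", "$params{page}.hnb", "go root", "export_html $tmp")`), which bypasses the shell entirely, and handling the `> /dev/null` redirection in Perl (for instance by reopening STDOUT around the call) rather than through shell syntax.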