
I've reviewed this plugin's code, and there is one major issue with it, namely this line:

    system("hnb '$params{page}.hnb' 'go root' 'export_html $tmp' > /dev/null");

This could potentially allow execution of arbitrary shell code if the filename contains a single quote, which ikiwiki doesn't allow by default, but I prefer to never involve a shell where one is not needed. The otl plugin is a good example of how to safely fork a child process without involving the shell.

Other problems:

* Use of shell mktemp from perl is suboptimal. File::Temp would be better.
* The htmlize hook should not operate on the contents of $params{page}.hnb. The content that needs to be htmlized is passed in to the hook in $params{content}.

If these problems are resolved and a copyright statement is added to the file, I'd be willing to include this plugin in ikiwiki. --[[Joey]]
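The following is an added Perl example, not code from the hnb plugin or from ikiwiki, that puts the quoted `system()` call beside a shell-free equivalent and swaps shell `mktemp` for `File::Temp`. It assumes a page name containing a single quote (constructed for the demonstration) and an `HNB` environment variable that lets the demo substitute `echo` for the real `hnb` binary so it can be run on a machine without hnb; both are assumptions for illustration only.

```perl
#!/usr/bin/perl
# Added example, not the hnb plugin's or ikiwiki's own code.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Program to run. The real plugin calls "hnb"; set HNB=echo to run this
# demo offline and watch what each form hands the program. (Assumption.)
my $HNB = $ENV{HNB} // 'hnb';

# Constructed page name with a single quote. In the shell form the quote
# closes the '...' that the command line wrapped the name in, and the rest
# of the name is parsed by /bin/sh as two further commands.
our $PAGE = "notes'; echo INJECTED; echo '";

# 1. The reviewed pattern: one string, interpolated, handed to /bin/sh.
sub shell_form {
    my ($page, $tmp) = @_;
    return "$HNB '$page.hnb' 'go root' 'export_html $tmp'";
}

# 2. Shell-free form: argv is built as a list and exec'd directly, so the
#    quote in $page is an ordinary byte inside argv[1]. A shell-style
#    "> /dev/null" has no place in a list, so output is read over a pipe
#    (the list form of pipe open does not invoke a shell) and discarded.
sub list_form {
    my ($page, $tmp) = @_;
    my @argv = ($HNB, "$page.hnb", 'go root', "export_html $tmp");
    open(my $out, '-|', @argv) or die "cannot run $argv[0]: $!";
    my @lines = <$out>;
    close $out;
    return ($? >> 8, \@lines);
}

# 3. File::Temp instead of shelling out to mktemp: the file is created
#    O_EXCL with mode 0600, the name comes back without a shell, and the
#    file is removed at exit because of UNLINK.
my ($tmpfh, $tmp) = tempfile('hnbXXXXXXXX', SUFFIX => '.html',
                             TMPDIR => 1, UNLINK => 1);
close $tmpfh;

print "shell form runs:\n  ", shell_form($PAGE, $tmp), "\n";
# One-argument system() with metacharacters goes through /bin/sh, which
# runs "echo INJECTED" as its own command when HNB=echo.
system(shell_form($PAGE, $tmp));

my ($status, $lines) = list_form($PAGE, $tmp);
print "list form: exit $status, program saw argv[1] intact:\n  $lines->[0]";
```

With `HNB=echo perl example.pl`, the shell form prints `INJECTED` on its own line because the shell executed it as a separate command, while the list form prints the whole quote-laden name as one argument followed by `go root` and the `export_html` path, showing that nothing between the Perl code and the program interpreted the quote.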