security
I'm curious what the security implications of having this plugin on a
publicly writable wiki are.
First, it looks like the way it looks up the stylesheet file will happily
use a regular .mdwn wiki page as the stylesheet. Which means any user can
create a stylesheet and have it be used, without needing permission to
upload arbitrary files. That probably needs to be fixed; one way would be
to mandate that the srcfile has a .xsl extension.
Secondly, if an attacker is able to upload a stylesheet file somehow, could
this be used to attack the server where it is built? I know that xslt is
really a full programming language, so I assume at least DOS attacks are
possible. Can it also read other arbitrary files, run other programs, etc?
--[[Joey]]
For the first point, agreed. It should probably check that the data file has a .xml extension also. Have now fixed.
For the second point, I think the main concern would be resource usage. XSLT is a pretty limited language; it can read other XML files, but it can't run other programs so far as I know.
-- [[KathrynAndersen]]
XSLT is, indeed, a Turing-complete programming language.
However, XML::LibXSLT provides a set of functions to help
to minimize the damage that may be caused by running a random
program.
In particular, max_depth () allows for the maximum
recursion depth to be set, while
read_file () , write_file () , create_dir () ,
read_net () and write_net ()
are the callbacks that allow any of the possible file
operations to be denied.
To be honest, I'd prefer for the read_file () callback to
only grant access to the files below the Ikiwiki source
directory, and for all the write_ … and
…_net callbacks to deny the access unconditionally.
One more wishlist item: allow the set of locations to take
.xsl files from to be preconfigured, so that, e. g.,
one could allow (presumably trusted) system stylesheets,
while disallowing any stylesheets that are placed on the Wiki
itself.
— Ivan Shmakov, 2010-03-28Z.
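The confinement Ivan describes above, written out as an added Perl example (not the plugin's own code, and not anything the ikiwiki project ships). It uses the XML::LibXSLT::Security callbacks so that read_file only succeeds for .xsl/.xml files below an allow-list of directories, the write_* and *_net callbacks deny unconditionally, and max_depth bounds recursion. The directory names, the stylesheet and data file paths, and the depth limit are assumptions; the XML::LibXML parser options also switch off external DTD loading, entity expansion and network access so the initial parse of the attacker-supplied stylesheet is as confined as the transform itself.

```perl
#!/usr/bin/perl
# Added example: confine an XML::LibXSLT transform with the security
# callbacks discussed above. Not the ikiwiki plugin's code.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use XML::LibXML;
use XML::LibXSLT;

# Assumption: in the plugin these would come from $config{srcdir} and a
# preconfigured list of trusted system stylesheet directories.
my @trusted_dirs = grep { defined }
    map { realpath($_) } ('/path/to/srcdir', '/usr/share/ikiwiki/xsl');

# read_file callback: resolve symlinks and '..', then allow only
# .xsl/.xml files whose real path lies under one of the trusted dirs.
sub allow_read_file {
    my ($tctxt, $path) = @_;
    $path =~ s{^file://}{};
    my $real = realpath(File::Spec->rel2abs($path, $trusted_dirs[0]));
    return 0 unless defined $real;                 # nonexistent: deny
    return 0 unless $real =~ /\.(?:xsl|xml)\z/;    # wiki pages (.mdwn) are not data
    for my $dir (@trusted_dirs) {
        return 1 if index($real, "$dir/") == 0;
    }
    return 0;
}

# write_file, create_dir, read_net, write_net: never permitted.
sub deny { return 0 }

my $security = XML::LibXSLT::Security->new();
$security->register_callback(read_file  => \&allow_read_file);
$security->register_callback(write_file => \&deny);
$security->register_callback(create_dir => \&deny);
$security->register_callback(read_net   => \&deny);
$security->register_callback(write_net  => \&deny);

my $xslt = XML::LibXSLT->new();
$xslt->security_callbacks($security);
$xslt->max_depth(250);    # assumed limit; a looping stylesheet fails fast

# The parser handles the first read of the stylesheet and data, before
# any xsl:include / document() call reaches the callbacks above.
my $parser = XML::LibXML->new(
    no_network      => 1,
    load_ext_dtd    => 0,
    expand_entities => 0,
);

# Assumed file locations; the extension checks mirror the fix Kathryn
# describes for srcfile and the data file.
my $style_file = "$trusted_dirs[0]/style.xsl";
my $data_file  = "$trusted_dirs[0]/data.xml";
die "refusing stylesheet without .xsl extension\n" unless $style_file =~ /\.xsl\z/;
die "refusing data file without .xml extension\n"  unless $data_file  =~ /\.xml\z/;

my $stylesheet = $xslt->parse_stylesheet($parser->parse_file($style_file));
my $result     = $stylesheet->transform($parser->parse_file($data_file));
print $stylesheet->output_as_bytes($result);
```

A denied callback makes the corresponding document() or xsl:include fail inside the transform, which surfaces as a transform error rather than a silent empty result; the plugin would want to catch that with eval and report it on the page so a wiki author can tell a confinement failure from a broken stylesheet.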