security
I'm curious what the security implications of having this plugin on a publicly writable wiki are.

First, it looks like the way it looks up the stylesheet file will happily use a regular .mdwn wiki page as the stylesheet. Which means any user can create a stylesheet and have it be used, without needing permission to upload arbitrary files. That probably needs to be fixed; one way would be to mandate that the srcfile has a .xsl extension.

Secondly, if an attacker is able to upload a stylesheet file somehow, could this be used to attack the server where it is built? I know that XSLT is really a full programming language, so I assume at least DoS attacks are possible. Can it also read other arbitrary files, run other programs, etc? --Joey
For the first point, agreed. It should probably check that the data file has a .xml extension also. Have now fixed.

For the second point, I think the main concern would be resource usage. XSLT is a pretty limited language; it can read other XML files, but it can't run other programs so far as I know.
XSLT is, indeed, a Turing-complete programming language. However, XML::LibXSLT provides a set of functions to help to minimize the damage that may be caused by running a random program.

In particular, max_depth() allows for the maximum recursion depth to be set, while read_file(), write_file(), create_dir(), read_net() and write_net() are the callbacks that allow any of the possible file operations to be denied.

To be honest, I'd prefer for the read_file() callback to only grant access to the files below the Ikiwiki source directory, and for all the write_… and …_net callbacks to deny the access unconditionally.

One more wishlist item: allow the set of locations to take .xsl files from to be preconfigured, so that, e.g., one could allow (presumably trusted) system stylesheets, while disallowing any stylesheets that are placed on the Wiki itself.

— Ivan Shmakov, 2010-03-28Z.
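The confinement described in the thread above, as an added Perl example (not the plugin's or ikiwiki's own code): a helper that restricts XML::LibXSLT's read_file callback to .xml/.xsl files below an assumed source directory, denies the write_* and *_net callbacks unconditionally, bounds recursion with max_depth(), and applies the .xsl/.xml extension checks agreed on earlier. The helper names restricted_xslt and check_extensions and the depth limit of 250 are assumptions, not values from the page.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use XML::LibXML;
use XML::LibXSLT;

# Hypothetical helper: build an XSLT processor confined to $srcdir.
sub restricted_xslt {
    my ($srcdir, $max_depth) = @_;
    my $root = realpath($srcdir) or die "bad source directory: $srcdir\n";

    # read_file: libxslt passes the filesystem path of a document() or
    # xsl:include target; allow only existing .xml/.xsl files below $root.
    my $allow_read = sub {
        my ($tctxt, $path) = @_;
        my $real = realpath($path);                 # resolves .. and symlinks
        return 0 unless defined $real;              # missing file: deny
        return 0 unless $real =~ /\.(?:xml|xsl)\z/; # data and stylesheets only
        return index($real, "$root/") == 0 ? 1 : 0;
    };
    my $deny = sub { 0 };                           # unconditional denial

    my $sec = XML::LibXSLT::Security->new();
    $sec->register_callback(read_file  => $allow_read);
    $sec->register_callback(write_file => $deny);
    $sec->register_callback(create_dir => $deny);
    $sec->register_callback(read_net   => $deny);
    $sec->register_callback(write_net  => $deny);

    my $xslt = XML::LibXSLT->new();
    $xslt->max_depth($max_depth);                   # bound recursion (DoS)
    $xslt->security_callbacks($sec);
    return $xslt;
}

# Hypothetical helper: the extension checks from the thread, applied
# before either file is parsed so a .mdwn page is never used as a stylesheet.
sub check_extensions {
    my ($stylesheet, $data) = @_;
    die "stylesheet must end in .xsl\n" unless $stylesheet =~ /\.xsl\z/;
    die "data file must end in .xml\n"  unless $data       =~ /\.xml\z/;
}

# Usage: perl restricted_xslt.pl <srcdir> <page.xsl> <page.xml>
my ($srcdir, $xsl, $xml) = @ARGV;
check_extensions($xsl, $xml);
my $xslt  = restricted_xslt($srcdir, 250);      # 250 is an assumed limit
my $style = $xslt->parse_stylesheet(XML::LibXML->load_xml(location => $xsl));
my $out   = $style->transform(XML::LibXML->load_xml(location => $xml));
print $style->output_as_bytes($out);
```

A document() call in a wiki-supplied stylesheet that points outside the source directory, or at any non-.xml/.xsl file, is refused by the read_file callback and the transform fails rather than disclosing the file.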