code review of hnd plugin
parent
5447cf4089
commit
6690f1091a
@ -0,0 +1,19 @@
I've reviewed this plugin's code, and there is one major issue with it,
namely this line:
system("hnb '$params{page}.hnb' 'go root' 'export_html $tmp' > /dev/null");
This could potentially allow execution of artibtary shell code, if the filename
contains a single quote. Which ikiwiki doesn't allow by default, but I prefer
to never involve a shell where one is not needed. The otl plugin is a good
example of how to safely fork a child process without involving the shell.
Other problems:
* Use of shell mktemp from perl is suboptimal. File::Temp would be better.
* The htmlize hook should not operate on the contents of `$params{page}.hnb`.
The content that needs to be htmlized is passed in to the hook in
`$params{content}`.
If these problems are resolved and a copyright statement is added to the file,
I'd be willing to include this plugin in ikiwiki. --[[Joey]]
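Review bot: the recommendation on the lines "to never involve a shell where one is not needed" / "example of how to safely fork a child process without involving the shell" leaves out what becomes of the `> /dev/null` at the end of `system("hnb '$params{page}.hnb' 'go root' 'export_html $tmp' > /dev/null");`: once the command is passed as an argument list and no shell is involved, that redirection is no longer interpreted, so the review should tell the plugin author to discard hnb's output another way (reopen STDOUT in the forked child, or read it through a pipe) instead of keeping the redirection text in the argument list. Minor: "artibtary" in "This could potentially allow execution of artibtary shell code" should read "arbitrary".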