From: Nitin R. <nit...@da...> - 2010-03-02 07:18:06
Hi,

The first time I used the Manage Configuration form, I tried pasting in a PHP array directly but due to the line breaks, it wasn't correctly identified (...and I later read the bug report that the array has to be entered on a single line). I then learned that the keys shouldn't be quoted even if they are strings.

Would it, perhaps, be simpler if we would use "eval" in this case since access to this page is restricted to admin users? PHP developers would be able to enter the array by copying in what they require and eval supports the existing formats that we use, including the use of unquoted strings.

I've posted a patch to the issue, for illustration, at: http://www.mantisbt.org/bugs/view.php?id=11166

Additionally, I was considering the use of a substring comparison rather than the regular expression comparison to check if the user-provided string begins with the keyword "array" and ends with a closing parenthesis ")" (see my notes on the issue).

Regards,
Nitin
From: Gianluca S. <gi...@gm...> - 2010-03-02 09:58:52
On Tue, Mar 2, 2010 at 8:15 AM, Nitin Reddy <nit...@da...> wrote:
> Would it, perhaps, be simpler if we would use "eval" in this case since
> access to this page is restricted to admin users? PHP developers would be
> able to enter the array by copying in what they require and eval supports
> the existing formats that we use, including the use of unquoted strings.

eval was specifically removed because it allows arbitrary PHP code to be executed on server => security issue.

The current (limited) system is there to cover basic usage avoiding the security implications, but we should really aim to replace the whole options handling so you don't really need to enter complex arrays to configure your stuff.

--
Gianluca Sforna
http://morefedora.blogspot.com
http://www.linkedin.com/in/gianlucasforna
From: Nitin R. <nit...@da...> - 2010-03-02 12:55:56
Hi Gianluca!

Thank you for your reply. I've only had to use the Manage Configuration interface recently. I've been using Mantis for over a year during which I edited the code to customize the interface... mostly moving fields between the simple and advanced views, but have only started development on Mantis last month. As I'm new to the scene, I'm unaware of the reasoning for the decisions that were made in the past.

I've been looking at common functionality that needs an interface for configuration but currently can only be performed through the Manage Configuration page. I've created a plugin for configuring the fields on the Report Issue page at: https://mantisadmin.svn.sourceforge.net/svnroot/mantisadmin/trunk

If somebody could post a list of functionality that cannot, currently, be performed without the Manage Configuration page, I could build the needed interfaces as plugins that can eventually be made a part of Mantis Core.

Regards,
Nitin

________________________________________
From: Gianluca Sforna [gi...@gm...]
Sent: Tuesday, March 02, 2010 1:58 PM
To: developer discussions
Subject: Re: [mantisbt-dev] Possible fix for MantisBT issue #11166

On Tue, Mar 2, 2010 at 8:15 AM, Nitin Reddy <nit...@da...> wrote:
> Would it, perhaps, be simpler if we would use "eval" in this case since
> access to this page is restricted to admin users? PHP developers would be
> able to enter the array by copying in what they require and eval supports
> the existing formats that we use, including the use of unquoted strings.

eval was specifically removed because it allows arbitrary PHP code to be executed on server => security issue.

The current (limited) system is there to cover basic usage avoiding the security implications, but we should really aim to replace the whole options handling so you don't really need to enter complex arrays to configure your stuff.
--
Gianluca Sforna
http://morefedora.blogspot.com
http://www.linkedin.com/in/gianlucasforna
From: David H. <hic...@op...> - 2010-03-04 08:06:31
On Tue, 2010-03-02 at 10:58 +0100, Gianluca Sforna wrote:
> eval was specifically removed because it allows arbitrary PHP code to
> be executed on server => security issue.

Indeed, eval() is a horrible statement to rely upon in any part of the codebase.

> The current (limited) system is there to cover basic usage avoiding
> the security implications, but we should really aim to replace the
> whole options handling so you don't really need to enter complex
> arrays to configure your stuff.

That would be a good long term goal for anyone interested in redesigning/updating the UI configuration and management pages.

For the interim a better approach would be to use the PHP tokenizer extension (http://www.php.net/manual/en/book.tokenizer.php) to parse the array instead of relying on our own primitive approach.

Regards,
David
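David's tokenizer suggestion, combined with Nitin's "starts with array, ends with )" pre-check, as an added example that is not MantisBT's code: a whitelist parser for the array literals the Manage Configuration page accepts. token_get_all() only lexes the pasted text, so nothing in it is ever executed, and the parser accepts only literals (integers, floats, quoted strings, true/false/null, bare words treated as strings, nested array( ... )) and throws on anything else. The class name ConfigArrayParser, its method names and the sample inputs are assumptions of this example; it needs PHP 7.4+ with the tokenizer extension.

```php
<?php
// Added example (not MantisBT's code): parse a MantisBT-style array literal with the
// tokenizer extension instead of eval(). Grammar: array( value, key => value, ... ) with
// nesting; values are number literals, quoted strings, true/false/null and bare words
// (returned as plain strings, the unquoted-key convention from the thread). Variables,
// operators, function calls and string interpolation are rejected. Requires PHP 7.4+.
class ConfigArrayParser
{
    private array $tokens = [];
    private int $pos = 0;

    /** Parse "array( ... )" into a PHP array; throws InvalidArgumentException otherwise. */
    public static function parse(string $input): array
    {
        $text = trim($input);
        // Cheap pre-check from the thread: begins with "array" and ends with ")".
        if (strncasecmp($text, 'array', 5) !== 0 || substr($text, -1) !== ')') {
            throw new InvalidArgumentException('Input must have the form array( ... )');
        }
        $parser = new self();
        foreach (token_get_all('<?php ' . $text) as $t) {
            if (is_array($t) && in_array($t[0], [T_OPEN_TAG, T_WHITESPACE], true)) {
                continue;           // drop the synthetic open tag and whitespace
            }
            $parser->tokens[] = $t;
        }
        $result = $parser->parseArray();
        if ($parser->pos !== count($parser->tokens)) {
            throw new InvalidArgumentException('Unexpected input after the closing ")"');
        }
        return $result;
    }

    private function peek() { return $this->tokens[$this->pos] ?? null; }

    private function next()
    {
        $t = $this->peek();
        if ($t === null) { throw new InvalidArgumentException('Unexpected end of input'); }
        $this->pos++;
        return $t;
    }

    private static function isToken($t, int $id): bool { return is_array($t) && $t[0] === $id; }

    private function parseArray(): array
    {
        if (!self::isToken($this->next(), T_ARRAY) || $this->next() !== '(') {
            throw new InvalidArgumentException('Expected "array("');
        }
        $out = [];
        while ($this->peek() !== ')') {
            $first = $this->parseValue();
            if (self::isToken($this->peek(), T_DOUBLE_ARROW)) {
                $this->next();
                if (!is_int($first) && !is_string($first)) {
                    throw new InvalidArgumentException('Array keys must be integers or strings');
                }
                $out[$first] = $this->parseValue();
            } else {
                $out[] = $first;
            }
            if ($this->peek() === ',') {
                $this->next();      // a trailing comma before ")" is allowed, as in PHP
            } elseif ($this->peek() !== ')') {
                throw new InvalidArgumentException('Expected "," or ")"');
            }
        }
        $this->next();              // consume ")"
        return $out;
    }

    private function parseValue()
    {
        if (self::isToken($this->peek(), T_ARRAY)) { return $this->parseArray(); }
        $t = $this->next();
        if ($t === '-') {           // negative numeric literal: "-" then a number token
            $n = $this->next();
            if (self::isToken($n, T_LNUMBER)) { return -intval($n[1], 0); }
            if (self::isToken($n, T_DNUMBER)) { return -(float) $n[1]; }
            throw new InvalidArgumentException('"-" may only precede a number');
        }
        if (!is_array($t)) { throw new InvalidArgumentException("Unexpected \"$t\""); }
        switch ($t[0]) {
            case T_LNUMBER: return intval($t[1], 0);   // base 0 keeps 0x.. / 0.. prefixes
            case T_DNUMBER: return (float) $t[1];
            case T_CONSTANT_ENCAPSED_STRING: return self::unquote($t[1]);
            case T_STRING:
                $w = strtolower($t[1]);
                if ($w === 'true') { return true; }
                if ($w === 'false') { return false; }
                if ($w === 'null') { return null; }
                return $t[1];       // bare word: a plain string, never resolved as a constant
        }
        throw new InvalidArgumentException('Unexpected token ' . token_name($t[0]));
    }

    private static function unquote(string $s): string
    {
        $body = substr($s, 1, -1);  // single-quoted: only \' and \\ are escapes; double-quoted: C-style escapes
        return $s[0] === "'" ? str_replace(["\\'", '\\\\'], ["'", '\\'], $body) : stripcslashes($body);
    }
}

// Constructed sample in the unquoted-key style used on the Manage Configuration page.
$sample = "array( default_bug_severity => 50, 'handler' => 'Mantis', flags => array( -1, 2.5, true, null ), 'tab' => \"a\\tb\" )";
var_dump(ConfigArrayParser::parse($sample));

// A function call is not a literal, so it is refused instead of executed.
try {
    ConfigArrayParser::parse("array( 'x' => strlen('abc') )");
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Two design points: bare words are returned as strings rather than looked up as constants, which is the behaviour the existing unquoted-key format needs and is exactly what eval() would not give you; and every unexpected token throws with its position in the grammar instead of being skipped, so an admin whose paste is rejected learns what to fix rather than silently getting a truncated configuration.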