Menu
▾
▴
Re: [Nms-cgi-devel] NMSView base code available...
|
From: Nick C. <ni...@cl...> - 2003-01-31 16:04:08
|
On Fri, Jan 31, 2003 at 10:50:01AM -0500, Wizard wrote:
>
> > In that case, it might be better to have some sort of non-alpha
> > delimiter, e.g.
> > '<a href="/new_path[% NMS_CFG_ITEM %]_wwwpost_url">Try the new list</a>'
> I thought of that, but the problem I see is what universal delimeter won't
> be munged by any of the HTML editors (I suspect that this is what most of
> our users will use)? Anything not A-Z, a-z, _, !, ? or - may very well get
> transformed. Also, anything like "<!-- -->" may be invisible on some
> editors, confusing the user. Any suggestions are welcome.
I've seen __NMS_CFG_ITEM__ used for this stuff from time to time.
> > The scripts are all scripts, but not every module in CGI::NMS:: is
> > associated with a particular script, e.g. CGI::NMS::Charset under /v2
> > in the CVS tree.
> Ok, that's valid. CGI::NMS::Script::Data* it is.
CGI::NMS::Script::NMSBoard::Data ? IMO CGI::NMS::Script::Data::* would
be for an NMS script called 'Data'.
> > # check if 'cfg' is set via the URL query_string, if so use that.
> > my $cfg_input = $cgi_data->param('cfg');
> > if ( defined $cfg_input ) {
> > $cfg_input =~ /^([\w\-]{1,100})$/ or die "bad cfg value [$cfg_input]";
> > $def_cfg = "./conf/$1.cfg";
> > }
> This isn't quite what I had planned but I understand what you are saying. I
> had hoped not to limit config files to any specific directory. What I was
> planning was to limit the path to specific characters ('.', '/', '\', ' ',
> '-' and \w). Is this not enough?
No, that allows any file on the system to be treated as a config file.
The attacker my be able to upload a file somewhere else (an incoming
FTP location maybe) or use this to trick the script into reading some
other arbitrary file as a config file and getting confused.
> There is also another option which I've used in past projects that specifies
> a separate list of config locations, i.e., "cfg_1 = ./nms.cfg", where the
> script is passed the index of the configuration file (&cfg=1). Is this a
> safer or better way to go?
That's very safe, but also quite limited for the users.
--
Nick
|
