From: Wesley M. <we...@we...> - 2005-11-28 23:57:54
Hi Jim,

Unfortunately, that's a bad idea because it opens a major security
hole. I know from previous devel list mail that some people are using
PHP iCalendar in multi-user environments. Letting those users put a
cpath_config.php file into their personal calendar directories makes
it possible for those users to do lots of bad things.

Also, some $cpath security logic needs to get put in. For example to
remove any instances of .. or non-directory characters. Probably a
good idea to make sure it always falls into a subdirectory of the
main calendar directory, or something similar.

I don't think we should ever make it possible for an end-user instead
of a sysadmin to make server-side customizations. The $cpath is
already pretty dangerous in my opinion, but at least it only allows
access to *.ics files because of how it is used.

On Nov 28, 2005, at 7:43 AM, Jim Hu wrote:
> Last night I was wondering about customizing the webcalendars in
> different subdirectories specified by cpath. I just realized this
> is unbelievably easy. I can add this under the code in
> init.inc.php that sets cpath
>
> # this allows you to place a file within a calendar subdirectory to
> # override global settings, or execute local code...e.g. to secure a
> # particular subdirectory.
> if (is_file("$calendar_path/cpath_config.php")) {
>     include("$calendar_path/cpath_config.php");
> }
>
> Then you can just drop a config file into that directory to
> override whatever you want, insert login code, etc. I think
> something like this would be useful for anyone who wants to set up
> a calendar server service.
> What do you think? Should I add this to CVS? Or is there a better
> way to do this?
--
Wesley Miaw
we...@we...
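
The $cpath check described in the message above, as an added example that is not part of the original message or PHP iCalendar's own code: it refuses (rather than strips) `..` and non-directory characters, and requires the resolved path to be a subdirectory of the main calendar directory. The helper name `resolve_cpath`, the allowed character set and the temporary directory layout are assumptions.

```php
<?php
// Added example, not PHP iCalendar code. resolve_cpath() is a hypothetical helper.
// Returns the canonical directory for $cpath, or null when it must be refused.
function resolve_cpath(string $calendar_root, string $cpath): ?string
{
    $root = realpath($calendar_root);
    if ($root === false || !is_dir($root)) {
        return null;
    }
    // Assumed allow-list: segments of letters, digits, '_' and '-', joined by '/'.
    // No dots at all, so '..' can never appear; \A and \z also refuse a trailing newline.
    // An empty $cpath is refused too; the caller handles the "no cpath" case itself.
    if (!preg_match('#\A[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*\z#', $cpath)) {
        return null;
    }
    // realpath() resolves symlinks, so a link inside the root that points
    // elsewhere is caught by the prefix comparison below.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $cpath);
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed sample layout in a temporary directory (not real PHP iCalendar paths).
$base = sys_get_temp_dir() . '/cpath_demo_' . getmypid();
mkdir("$base/calendars/alice", 0700, true);
mkdir("$base/outside", 0700, true);
symlink("$base/outside", "$base/calendars/escape"); // link that leaves the root

$inputs = ['alice', '', '../outside', 'alice/../../outside', 'escape', "alice\n"];
foreach ($inputs as $input) {
    $resolved = resolve_cpath("$base/calendars", $input);
    printf("%-26s => %s\n", json_encode($input), $resolved ?? 'REJECTED');
}

// Remove the sample layout again.
unlink("$base/calendars/escape");
rmdir("$base/calendars/alice");
rmdir("$base/calendars");
rmdir("$base/outside");
rmdir($base);
```

Only the first input resolves to a directory; the others are refused either by the character allow-list or by the prefix comparison after symlink resolution.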