#97 code injection vulnerability in WWInterface::replace_inlines

workingwiki
closed
None
5
2016-12-31
2011-05-03
Lee Worden
No

There's a FIXME comment in there, where it uses preg_replace_all('/.../e' with a string that includes "...md5('$2')", i.e. it pastes the content of each .tex-math source file into a PHP code string that computes the md5 hash of the file contents. This could in principle be abused by a construction such as "$$').file_get_contents('/etc/passwd$$", which under some circumstances can cause the wiki code to execute "...md5('').file_get_contents('/etc/passwd')" and reveal secret login information to the wiki user.

However, I tried that and it didn't do anything bad; it just took the md5 sum of the whole weird string of text. But the vulnerability should be removed anyway because it might be possible to exploit it with a different string, or with a different server setup.

Related

Bugs: #661
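
The remediation pattern for the /e construct described in this ticket, as an added example that is not WorkingWiki's code or its actual fix: the captured file content is passed to md5() as a string argument through preg_replace_callback instead of being pasted into evaluated PHP. The function name replace_inlines_safe, the $$...$$ pattern and the placeholder format are assumptions, since the ticket elides the real regex.

```php
<?php
// Added example, not the project's code. The pattern and the placeholder
// format are hypothetical; the ticket gives the real regex only as '/.../'.

// Shape described in the ticket (works on PHP < 7 only; the /e modifier was
// deprecated in PHP 5.5 and removed in PHP 7.0):
//   preg_replace('/.../e', "...md5('$2')...", $text);
// With /e the replacement is evaluated as PHP after the captured text has
// been substituted into it. PHP escaped quotes in those backreferences,
// which is consistent with the result reported in the ticket, but that
// escaping is no substitute for keeping data out of evaluated code.

/**
 * Replace each $$...$$ span with a placeholder keyed by the md5 of its body.
 * The captured text only ever reaches md5() as a string argument.
 */
function replace_inlines_safe(string $text): string
{
    $out = preg_replace_callback(
        '/\$\$(.*?)\$\$/s',
        static function (array $m): string {
            return '<math-' . md5($m[1]) . '>';
        },
        $text
    );
    if ($out === null) {
        // preg_* returns null on engine errors (e.g. backtrack limit).
        throw new RuntimeException('preg error code ' . preg_last_error());
    }
    return $out;
}

// Constructed inputs: ordinary math, and the string quoted in the ticket.
$ordinary = 'Energy is $$E = mc^2$$ here.';
$quoted   = "\$\$').file_get_contents('/etc/passwd\$\$";

echo replace_inlines_safe($ordinary), "\n";

// The quoted string must hash as literal text, like any other body.
$expected = '<math-' . md5("').file_get_contents('/etc/passwd") . '>';
$actual   = replace_inlines_safe($quoted);
echo $actual, "\n";
echo $actual === $expected ? "treated as data\n" : "MISMATCH\n";
```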

Discussion

  • Lee Worden - 2016-12-28

    see also [#661]

  • Lee Worden - 2016-12-31

    • status: open --> closed

  • Lee Worden - 2016-12-31

    Closed as a side effect of [#661]
