Allowing upload and PHP execution might allow a Stud.IP root (who is not a server admin) to upload PHP code through the UI, extend their privileges and compromise other portions of code if those are not set to read-only, even manipulating the log in the database if they wanted to.
I suggest either documenting this so server admins are aware, or using something like SVG templates. (SVG parsers also frequently suffer from CVEs and are better executed in a container.)
HTML with several patterns like {VARIABLE} replaced might be both secure and sufficiently functional if it can be styled through CSS; alternatively, PHP execution could be sandboxed.
Follow-Up from #369
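As an added illustration of the {VARIABLE} approach suggested above (example code, not Stud.IP's own), the renderer below treats an uploaded HTML template purely as data: placeholders are substituted from a whitelist with HTML-escaped values, and the template string is never passed to include() or eval(). The variable names, the sample template and the acceptance pattern are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Defence in depth at upload time: reject templates carrying PHP open tags,
// inline script or inline event handlers. Styling must come from CSS.
function template_is_acceptable(string $template): bool
{
    return preg_match('/<\?|<script\b|\bon[a-z]+\s*=/i', $template) !== 1;
}

// Render $template by replacing {NAME} placeholders with escaped values.
// Only names listed in $allowed are substituted; any other placeholder is
// left as literal text so a template cannot probe internal data.
function render_template(string $template, array $values, array $allowed): string
{
    return preg_replace_callback(
        '/\{([A-Z][A-Z0-9_]*)\}/',
        function (array $m) use ($values, $allowed): string {
            $name = $m[1];
            if (!in_array($name, $allowed, true) || !array_key_exists($name, $values)) {
                return $m[0]; // unknown or non-whitelisted placeholder stays literal
            }
            // Escaping means a value can never inject markup or script.
            return htmlspecialchars((string) $values[$name], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        },
        $template
    );
}

// Constructed sample: an uploaded template and hypothetical values. {SECRET}
// is not whitelisted, and the USER value contains markup that must be escaped.
$template = "<h1>{TITLE}</h1>\n<p>Hello {USER}</p>\n<p>{SECRET}</p>";
$values   = ['TITLE' => 'Course list', 'USER' => '<b>Alice</b>', 'SECRET' => 'db-password'];
$allowed  = ['TITLE', 'USER'];

if (!template_is_acceptable($template)) {
    exit("template rejected at upload\n");
}
echo render_template($template, $values, $allowed), "\n";
// Output keeps {SECRET} literal and shows &lt;b&gt;Alice&lt;/b&gt; rather than bold text.
```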