gizmore / phpgdo

Reference GDOv7 core implementation in PHP.

[security] Escape expression inputs for the case of PHP-proxies (foreign or domestic) using the extract variable #3

Open chl0e3e opened 2 years ago

chl0e3e commented 2 years ago

Code

All inputs to CLI systems should be escaped for security reasons. It is also recommended to add blacklists for CLI functions and/or remove them.
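To illustrate the escaping the comment above asks for, here is an added example; it is not phpgdo code and not part of the issue. The `--name` parameter, the allowlist of tools and the `build*` function names are invented for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not phpgdo code: the difference between interpolating user
// input into a shell command and escaping it. Tool names, the --name flag and
// the function names below are hypothetical.

// Vulnerable: string interpolation hands the attacker the shell's grammar
// (";", "|", "$(...)", backticks, quotes) along with the argument value.
function buildCommandUnsafe(string $tool, string $userInput): string
{
    return "$tool --name $userInput";
}

// Hardened: the tool comes from a fixed allowlist (a denylist of dangerous
// functions is the weaker alternative the comment also mentions), and the
// argument is wrapped by escapeshellarg(), which single-quotes it and escapes
// embedded single quotes so the shell sees exactly one word.
function buildCommandSafe(string $tool, string $userInput): string
{
    $allowed = ['ls', 'cat']; // hypothetical allowlist for this example
    if (!in_array($tool, $allowed, true)) {
        throw new InvalidArgumentException("Tool not allowed: $tool");
    }
    return $tool . ' --name ' . escapeshellarg($userInput);
}

// Constructed malicious input: terminates the intended argument and appends
// a second command.
$payload = "alice; rm -rf /tmp/x";

echo buildCommandUnsafe('ls', $payload), PHP_EOL;
echo buildCommandSafe('ls', $payload), PHP_EOL;

// If the command is actually run, pass the escaped string to exec() or
// proc_open(); never re-interpolate the raw $userInput afterwards.
```

In the unsafe variant the shell receives two commands; in the safe variant the whole payload, including the `;`, is a single quoted argument to the allowlisted tool. Note that `escapeshellarg()` protects an argument, not a command name, which is why the tool itself is checked against an allowlist rather than escaped.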

gizmore commented 2 years ago

GDOv7 is not really planned as a multi-user system, but it should and (?:could)* be? +asap

Thanks for this!

gizmore commented 2 years ago

A milestone here is to have two Linux user accounts share the same gdo installation (this is actually a speedup as the paths are in opcache)

Thx for your input!

gizmore commented 2 years ago

One could write a phpgdo-multiuser module that switches configs based on usernames? O.o (brrr)

gizmore commented 2 years ago

Escaping should only be done to untrusted user input. For example, you can mark GDTs using the WithTitle trait as being ->escaped().

@TODO: Automatically mark GDO having GDT_Title as being escaped. (I bet there are XSS lurking atm)

As a user you might want to add plain html.

Actually GDOv7 GDT_Message - (user content OUCH!) - is based on a simple
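The idea in the comment above, escaping only untrusted values while letting trusted ones carry raw HTML, as an added example that is not phpgdo code. The `TitleField` class, its `->escaped()` and `->value()` methods and the `<h1>` rendering are invented for illustration and do not reflect the real GDT/WithTitle API.

```php
<?php
declare(strict_types=1);

// Added example, not phpgdo code: a minimal field with an ->escaped() toggle,
// in the spirit of marking GDTs with a title as escaped. Names are hypothetical.
final class TitleField
{
    private bool $escaped = false;
    private string $value = '';

    // Mark the field as holding untrusted input that must be HTML-escaped.
    public function escaped(bool $escaped = true): self
    {
        $this->escaped = $escaped;
        return $this;
    }

    public function value(string $value): self
    {
        $this->value = $value;
        return $this;
    }

    // Render the title both as an attribute and as element text. With
    // ENT_QUOTES both single and double quotes are encoded, so the same
    // escaped string is safe in either context.
    public function renderHtml(): string
    {
        $v = $this->escaped
            ? htmlspecialchars($this->value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
            : $this->value;
        return '<h1 title="' . $v . '">' . $v . '</h1>';
    }
}

// Constructed payload: a user-supplied title that tries to close the
// attribute and inject an event handler.
$payload = '" onmouseover="alert(1)';

// Trusted, admin-authored title: deliberately left raw so it may contain HTML.
$trusted = (new TitleField())->value('<em>Welcome</em>');

// Untrusted, user-authored title: marked escaped, so the quotes and angle
// brackets are encoded before they reach the page.
$untrusted = (new TitleField())->value($payload)->escaped();

echo $trusted->renderHtml(), PHP_EOL;
echo $untrusted->renderHtml(), PHP_EOL;
```

The default here is unescaped, mirroring the opt-in `->escaped()` described in the comment; for a field that is always user-controlled (a message body, a display name) the safer design is to default to escaped and require an explicit opt-out for the trusted case, which is what the @TODO above amounts to.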