[wp-hackers] idea: no SQL in themes

Donncha O Caoimh donncha at linux.ie
Wed Nov 16 16:54:54 GMT 2005


An older version of WPMU used Smarty templates - it's still used on 
blogs.linux.ie and powers my blog at http://blogs.linux.ie/xeer/
Using Smarty in secure mode is a pretty good way of allowing users to 
edit their templates. It does of course require that all templates be 
rewritten. :(
It's not as flexible as the PHP templates, but that's not because it's 
using Smarty: WPMU was using Smarty before the current PHP templates 
were in WordPress, and it didn't get as much thought or design.

http://blogsome.com/ uses the same version which is how they allow 
editing of templates.

You could examine all the PHP commands in a template using the PHP 
tokeniser and only allow a subset. I explored that possibility here: 
http://blogs.linux.ie/xeer/2005/07/12/security-checking-php-templates/

Recently I thought about using the markdown engine to convert templates 
from a "user safe" form into standard PHP templates and back again for 
editing, but I haven't looked at it at all.

Another compromise is to allow editing of the CSS stylesheet. That would 
be a lot easier to secure.

Donncha.

John Joseph Bachir wrote:
> On Tue, 15 Nov 2005, David House wrote:
> 
>> I don't see any reason for positively banning SQL calls, but certainly
>> providing a comprehensive API for all possible DB calls is a good
>> idea.
> 
> 
> Well, a malicious person could distribute a theme that had
> 
>   $wpdb->query("TRUNCATE $wpdb->posts");
[snip]
> p.s. I thought of this because I am working on a multi-blog branch of 
> WordPress [http://lyceum.ibiblio.org], so it is a much bigger problem 
> for me because a buggy/malicious theme could damage every single blog in 
> the installation. But it is still an issue for single-user WP, and such 
> a feature could also perhaps benefit WordPress MU. I see (at least on 

-- 
Donncha O Caoimh
http://blogs.linux.ie/xeer/ / http://inphotos.org/
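
The tokeniser idea from the post above, worked through as an added example (this is not code from the original message, from WPMU or from WordPress): token_get_all() breaks a template into tokens, the checker refuses any token kind that can reach code outside an allow-list (eval/include, ->, ::, new, function, namespaced names, interpolated expressions, backticks, variable variables), and every '(' is inspected to see what it calls. The allow-list, the function names, and the two sample templates are assumptions made for the illustration; the TRUNCATE line in the second sample is the one quoted in the thread.

```php
<?php
// Added example, not code from the original post or from WPMU: scan a PHP
// theme template with the tokenizer and accept it only if every function it
// calls is on an allow-list and it uses none of the constructs that reach
// code outside that list. Allow-list and samples are assumptions.

// Template-facing functions the host chooses to expose (assumption).
// Never list anything that takes a callback (call_user_func, array_map,
// usort, preg_replace_callback) or evaluates a string (assert, create_function).
$allowed_functions = [
    'get_header', 'get_footer', 'bloginfo', 'have_posts', 'the_post',
    'the_title', 'the_content', 'the_permalink', 'the_date', 'wp_list_pages',
    'esc_html', 'esc_attr',
];

// Token kinds that must never appear: code evaluation and inclusion, object
// and static access (so $wpdb->query() is unreachable), function and class
// definitions, namespaced names, and interpolated expressions in strings.
// Some exist only in newer PHP versions, hence the defined() guard.
function banned_token_ids(): array
{
    $names = [
        'T_EVAL', 'T_INCLUDE', 'T_INCLUDE_ONCE', 'T_REQUIRE', 'T_REQUIRE_ONCE',
        'T_OBJECT_OPERATOR', 'T_NULLSAFE_OBJECT_OPERATOR', 'T_DOUBLE_COLON',
        'T_NEW', 'T_CLASS', 'T_FUNCTION', 'T_FN', 'T_NS_SEPARATOR',
        'T_NAME_QUALIFIED', 'T_NAME_FULLY_QUALIFIED', 'T_NAME_RELATIVE',
        'T_CURLY_OPEN', 'T_DOLLAR_OPEN_CURLY_BRACES',
    ];
    $ids = [];
    foreach ($names as $name) {
        if (defined($name)) {
            $ids[constant($name)] = $name;
        }
    }
    return $ids;
}

// Returns a list of problems; an empty list means the template passed.
function check_template(string $source, array $allowed_functions): array
{
    $banned   = banned_token_ids();
    $allowed  = array_flip(array_map('strtolower', $allowed_functions));
    $problems = [];
    $prev     = null;   // last significant token as [id, text]
    $line     = 1;

    foreach (token_get_all($source) as $tok) {
        if (is_array($tok)) {
            list($id, $text, $line) = $tok;
            if ($id === T_WHITESPACE || $id === T_COMMENT || $id === T_DOC_COMMENT) {
                continue;
            }
            if (isset($banned[$id])) {
                $problems[] = "line $line: {$banned[$id]} ('$text') is not allowed";
            }
        } else {
            $id = $text = $tok;   // single-character token such as '(' or ';'
            if ($tok === '`') {
                $problems[] = "line $line: backtick shell execution is not allowed";
            } elseif ($tok === '$') {
                $problems[] = "line $line: variable variables (\$\$x, \${...}) are not allowed";
            } elseif ($tok === '(' && $prev !== null) {
                // The token before '(' decides whether this is a call, and of what.
                list($pid, $ptext) = $prev;
                if ($pid === T_STRING) {
                    if (!isset($allowed[strtolower($ptext)])) {
                        $problems[] = "line $line: call to '$ptext' is not on the allow-list";
                    }
                } elseif (in_array($pid, [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, ')', ']', '}'], true)) {
                    // $f(), 'system'(), (expr)(), $a['k'](): the call target is computed.
                    $problems[] = "line $line: call through an expression ('$ptext(') is not allowed";
                }
                // Anything else before '(' is a language construct (if, while,
                // isset, ...) or an operator, which cannot call a function itself.
            }
        }
        $prev = [$id, $text];
    }
    return $problems;
}

// Constructed samples: an ordinary loop, and the TRUNCATE call from the
// thread plus three disguised ways of reaching system() or foreign code.
$safe_template = <<<'PHP'
<?php get_header(); ?>
<?php if (have_posts()) : while (have_posts()) : the_post(); ?>
  <h2><a href="<?php the_permalink(); ?>"><?php the_title(); ?></a></h2>
  <?php the_content(); ?>
<?php endwhile; endif; ?>
<?php get_footer(); ?>
PHP;

$malicious_template = <<<'PHP'
<?php get_header(); ?>
<?php
$wpdb->query("TRUNCATE $wpdb->posts");
$f = 'sys' . 'tem'; $f('id');
'system'('id');
include '/tmp/evil.php';
?>
<?php get_footer(); ?>
PHP;

foreach (['safe' => $safe_template, 'malicious' => $malicious_template] as $name => $src) {
    $problems = check_template($src, $allowed_functions);
    echo "$name template: ", ($problems ? 'REJECTED' : 'accepted'), "\n";
    foreach ($problems as $p) {
        echo "  - $p\n";
    }
}
```

Run the check both when the template is saved and again immediately before it is included, so a file edited on disk cannot bypass it. What it constrains is the set of calls the template can make directly, not what the template can write: the allow-listed functions run with attacker-chosen arguments, a template can still read and echo anything in scope, and any global state the host later treats as a callback stays reachable, so the allow-list should also exclude hook triggers such as do_action and apply_filters unless hook names are constrained. The set of token kinds has to be revisited on every PHP release; the defined() guards are there because PHP 8 introduced the T_NAME_* tokens, and without them a fully qualified \system() would not have been seen as a call at all.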

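The "CSS only" compromise from the post is easier to secure but not free, because browsers of the period could run script from a stylesheet (IE's expression() and behavior:, Gecko's -moz-binding) and a sheet can fetch foreign content through @import and url(). Below is an added example of the check a host would want before publishing a user-edited sheet; it is not code from the original post, WPMU or WordPress, and the pattern list, the scheme policy and the sample sheet are assumptions made for the illustration.

```php
<?php
// Added example, not from the original post or WPMU: reject a user-edited
// stylesheet that could run script or pull in remote content. The pattern
// list and the sample sheet are assumptions for this illustration.

// Undo the tricks that hide a keyword from a naive grep: comments inside a
// word, CSS hex escapes (\65 is 'e'), stray backslashes and control bytes.
function normalise_css(string $css): string
{
    $css = preg_replace('#/\*.*?\*/#s', '', $css);
    $css = preg_replace_callback(
        '/\\\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?/',
        function ($m) { $cp = hexdec($m[1]); return $cp < 128 ? chr($cp) : '?'; },
        $css
    );
    $css = str_replace('\\', '', $css);
    $css = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $css);
    return strtolower($css);
}

// Returns a list of reasons to reject; an empty list means the sheet passed.
function check_stylesheet(string $css): array
{
    $norm = normalise_css($css);
    $problems = [];
    $patterns = [
        '/expression\s*\(/'  => 'expression() runs script in IE',
        '/behavior\s*:/'     => 'behavior: loads an HTC script in IE',
        '/-moz-binding\s*:/' => '-moz-binding attaches script in Gecko',
        '/@import\b/'        => '@import pulls in another stylesheet',
        '/@charset\b/'       => '@charset can change how the sheet is decoded',
        '/<\s*\/?\s*style/'  => '<style> tag would break out of an inlined sheet',
    ];
    foreach ($patterns as $re => $why) {
        if (preg_match($re, $norm)) {
            $problems[] = $why;
        }
    }
    // url(): relative paths and http(s) only (policy assumed here);
    // javascript:, vbscript:, data: and every other scheme are refused.
    if (preg_match_all('/url\s*\(\s*["\']?\s*([^"\')]*)/', $norm, $m)) {
        foreach ($m[1] as $target) {
            $target = preg_replace('/\s+/', '', $target);
            if (preg_match('/^[a-z][a-z0-9+.-]*:/', $target) && !preg_match('#^https?:#', $target)) {
                $problems[] = "url() target '$target' uses a disallowed scheme";
            }
        }
    }
    return $problems;
}

// Constructed sample: two harmless rules and two disguised attacks.
$user_css = <<<'CSS'
body { background: url(/images/bg.png); }
a:hover { color: red; }
.box { width: exp/**/ression(alert(document.cookie)); }
div { background-image: url("java\scr\69pt:alert(1)"); }
CSS;

foreach (check_stylesheet($user_css) as $problem) {
    echo "rejected: $problem\n";
}
```

This is a deny-list, and deny-lists over CSS age badly as browsers add features and as parsers disagree about malformed input; the normalisation step is what keeps the patterns honest against escapes and split keywords, but the durable design is to parse the sheet and allow-list the properties and value types the theme may use.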
