[wp-hackers] idea: no SQL in themes
Donncha O Caoimh
donncha at linux.ie
Wed Nov 16 16:54:54 GMT 2005
An older version of WPMU used Smarty templates - it's still used on
blogs.linux.ie and powers my blog at http://blogs.linux.ie/xeer/
Using Smarty in secure mode is a pretty good way of allowing users to
edit their templates. It does of course require that all templates be
rewritten. :(
It's not as flexible as the PHP templates, but that's not because it's
using Smarty: WPMU was using Smarty before the current PHP templates
were in WordPress and didn't get as much thought or design.
http://blogsome.com/ uses the same version which is how they allow
editing of templates.
You could examine all the PHP commands in a template using the PHP
tokeniser and only allow a subset. I explored that possibility here:
http://blogs.linux.ie/xeer/2005/07/12/security-checking-php-templates/
Recently I thought about using the markdown engine to convert templates
from a "user safe" form into standard PHP templates and back again for
editing but haven't looked at it at all.
Another compromise is to allow editing of the CSS stylesheet. That would
be a lot easier to secure.
Donncha.
John Joseph Bachir wrote:
> On Tue, 15 Nov 2005, David House wrote:
>
>> I don't see any reason for positively banning SQL calls, but certainly
>> providing a comprehensive API for all possible DB calls is a good
>> idea.
>
>
> Well, a malicious person could distribute a theme that had
>
> $wpdb->query("TRUNCATE $wpdb->posts");
[snip]
> p.s. I thought of this because I am working on a multi-blog branch of
> WordPress [http://lyceum.ibiblio.org], so it is a much bigger problem
> for me because a buggy/malicious theme could damage every single blog in
> the installation. But it is still an issue for single user WP, and such
> a feature could also perhaps benefit WordPress MU. I see (at least on
--
Donncha O Caoimh
http://blogs.linux.ie/xeer/ / http://inphotos.org/
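Added example illustrating the tokeniser approach mentioned above (only allow a subset of PHP in a theme template). This is not code from the post, from the linked blog entry, or from WordPress/WPMU: it runs a template through PHP's token_get_all() and rejects anything that is not an allowlisted template tag, a denied variable such as $wpdb, a method call, a variable function call, or a token that opens a path to arbitrary code. The allowlist, the denied-variable list and the three sample templates are assumptions made up for this illustration.

```php
<?php
// Added example, not code from the original post or from WordPress/WPMU:
// scan a theme template with token_get_all() and only accept a fixed set of
// template-tag functions, so a theme containing $wpdb->query(...), eval(),
// backticks or an include is rejected before it is installed.
// Allowlist, denied variables and sample templates below are assumptions.

// Template tags a theme may call (assumed subset, compared case-insensitively).
$allowed_functions = [
    'the_title', 'the_content', 'the_permalink', 'the_date', 'the_author',
    'bloginfo', 'wp_list_cats', 'have_posts', 'the_post', 'htmlspecialchars',
];

// Variables a template may never name, even inside a "..." string.
$denied_variables = ['$wpdb'];

// Tokens that open a path to arbitrary code; any occurrence is a violation.
$denied_tokens = [
    T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE, T_NEW,
    T_DOUBLE_COLON, T_FUNCTION, T_EXIT, T_HALT_COMPILER, T_NS_SEPARATOR,
    T_DOLLAR_OPEN_CURLY_BRACES, T_CURLY_OPEN, T_STRING_VARNAME,
];
// Tokens that only exist on newer PHP versions (namespaced names and the
// ?-> operator in 8.0); include them when the running PHP defines them.
foreach (['T_NAME_QUALIFIED', 'T_NAME_FULLY_QUALIFIED', 'T_NAME_RELATIVE'] as $c) {
    if (defined($c)) {
        $denied_tokens[] = constant($c);
    }
}
$method_operators = [T_OBJECT_OPERATOR];
if (defined('T_NULLSAFE_OBJECT_OPERATOR')) {
    $method_operators[] = constant('T_NULLSAFE_OBJECT_OPERATOR');
}

// Return the list of violations found in $php; empty means the template
// only uses allowed template tags.
function check_template(string $php, array $allowed, array $denied_vars,
                        array $denied_tokens, array $method_ops): array
{
    $violations = [];
    $tokens = token_get_all($php);
    $n = count($tokens);

    // Index of the next token after $i that is not whitespace or a comment.
    $next = function (int $i) use ($tokens, $n): int {
        for ($j = $i + 1; $j < $n; $j++) {
            if (!is_array($tokens[$j])
                || !in_array($tokens[$j][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
                return $j;
            }
        }
        return $n;
    };
    // True when token $j is the '(' that turns the preceding name into a call.
    $opens_call = function (int $j) use ($tokens, $n): bool {
        return $j < $n && $tokens[$j] === '(';
    };

    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) {
            // Single-character tokens: a backtick runs a shell command and a
            // bare '$' starts a variable-variable ($$name, ${...}).
            if ($tok === '`' || $tok === '$') {
                $violations[] = "forbidden character '$tok'";
            }
            continue;
        }
        [$type, $text, $line] = $tok;

        if (in_array($type, $denied_tokens, true)) {
            $violations[] = "line $line: forbidden token " . token_name($type) . " ($text)";
        } elseif ($type === T_VARIABLE) {
            if (in_array($text, $denied_vars, true)) {
                $violations[] = "line $line: forbidden variable $text";
            } elseif ($opens_call($next($i))) {
                $violations[] = "line $line: variable function call $text(...)";
            }
        } elseif (in_array($type, $method_ops, true)) {
            // Property reads such as $post->post_title pass; method calls
            // such as $wpdb->query(...) do not.
            $j = $next($i);
            if ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_STRING
                && $opens_call($next($j))) {
                $violations[] = "line $line: method call ->{$tokens[$j][1]}(...)";
            }
        } elseif ($type === T_STRING && $opens_call($next($i))) {
            if (!in_array(strtolower($text), $allowed, true)) {
                $violations[] = "line $line: function $text() is not in the allowlist";
            }
        }
    }
    return $violations;
}

// Constructed sample templates for the demonstration (not real themes).
$samples = [
    'index.php'  => '<h1><?php the_title(); ?></h1><?php the_content(); ?>',
    'evil.php'   => '<?php $wpdb->query("TRUNCATE $wpdb->posts"); ?>',
    'sneaky.php' => '<?php $f = "system"; $f("id"); echo `id`; ?>',
];
foreach ($samples as $name => $tpl) {
    $v = check_template($tpl, $allowed_functions, $denied_variables,
                        $denied_tokens, $method_operators);
    echo $name, ': ', $v ? "REJECTED\n  " . implode("\n  ", $v) . "\n" : "ok\n";
}
```

The check works purely on tokens, not on a parse tree, so it is deliberately blunt: every method call is refused, not just $wpdb's, and anything not on the allowlist is refused even if harmless. The other caveat is that the token set changes between PHP releases (the T_NAME_* and ?-> tokens above are one instance), so the denied-token list has to be reviewed whenever the PHP version on the server changes.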