From 9b5ae66772e36e61195fa7ab792a9a30407db999 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?=
Date: Fri, 22 Oct 2004 14:37:24 +0000
Subject: [PATCH] Unless admin specifies there programs to use, it does nothing now.
---
 ChangeLog | 2 ++
 .../text_plain__external.inc.php | 21 +++++++++++++++++--
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 85e613b4a..a717db37e 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,8 @@ $Source$
 * db_operations.php, lang/*: We switch to database here. not table.
 * lang/*: strProperties is not used anywhere now.
 * config.inc.php: Mention db_operations.php possibility.
+ * libraries/transformations/text_plain__external.inc.php: Unless admin
+ specifies there programs to use, it does nothing now.
 2004-10-21 Marc Delisle
 * tbl_query_box.php: bug 1050691, missing parameters
diff --git a/libraries/transformations/text_plain__external.inc.php b/libraries/transformations/text_plain__external.inc.php
index d7fa1af0e..154590899 100644
--- a/libraries/transformations/text_plain__external.inc.php
+++ b/libraries/transformations/text_plain__external.inc.php
@@ -66,8 +66,25 @@ function PMA_transformation_text_plain__external($buffer, $options = array(), $m
 // further operations on $buffer using the $options[] array.
 $allowed_programs = array();
- $allowed_programs[0] = '/usr/local/bin/tidy';
- $allowed_programs[1] = '/usr/local/bin/validate';
+
+ //
+ // WARNING:
+ //
+ // It's up to administrator to allow anything here. Note that users may
+ // specify any parameters, so when programs allow output redirection or
+ // any other possibly dangerous operations, you should write wrapper
+ // script that will publish only functions you really want.
+ //
+ // Add here program definitions like (note that these are NOT safe
+ // programs):
+ //
+ // $allowed_programs[0] = '/usr/local/bin/tidy';
+ // $allowed_programs[1] = '/usr/local/bin/validate';
+
+ // no-op when no allowed programs
+ if (count($allowed_programs) == 0) {
+ return $buffer;
+ }
 if (!isset($options[0]) || $options[0] == '' || !isset($allowed_programs[$options[0]])) {
 $program = $allowed_programs[0];
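Review bot: The new `count($allowed_programs) == 0` guard only covers a completely empty list, while the fallback right below it still assigns `$program = $allowed_programs[0];`. An administrator who enables only index 1 therefore gets an undefined entry used as the program whenever `$options[0]` is missing or not in the list. Adding `if (!isset($allowed_programs[0])) { return $buffer; }` as the first statement of that fallback branch keeps the default-deny behaviour for this case too. The WARNING comment also states that parameters remain user-controlled once a program is enabled. The code that builds the command line is outside this hunk, so it is worth confirming there that each user-supplied argument is quoted (for example with `escapeshellarg()`) rather than relying on wrapper scripts alone.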