3 I'm curious what the security implications of having this plugin on a
4 publically writable wiki are.
6 First, it looks like the way it looks up the stylesheet file will happily
7 use a regular .mdwn wiki page as the stylsheet. Which means any user can
8 create a stylesheet and have it be used, without needing permission to
9 upload arbitrary files. That probably needs to be fixed; one way would be
10 to mandate that the `srcfile` has a `.xsl` extension.
12 Secondly, if an attacker is able to upload a stylesheet file somehow, could
13 this be used to attack the server where it is built? I know that xslt is
14 really a full programming language, so I assume at least DOS attacks are
15 possible. Can it also read other arbitrary files, run other programs, etc?
sipb-www / ikiwiki.git / blob