[dokuwiki] Re: Doku_Handler : remove htmlok and phpok tests [SECURITY!]

On Tue, 29 Jan 2008 18:51:36 +0000
Christopher Smith <chris@xxxxxxxxxxxxx> wrote:

> Pierre,
> 
> Can you check this against a current darcs version of DW and issue
> an updated patch ...  I think you may have been working off an old  
> version so your patch has introduced some problems.
> 
> I have that the checks were removed from the renderer in a patch by  
> Anika Henke around 9 months ago.  Also your patch has only removed
> the checks from php and html, not from phpblock and htmlblock.  My
> dev version of DW currently has no checks on php or html syntax (this
> can be seen by viewing the wiki:syntax page and following the toc
> down to the embedding html and php section - the big red text and a
> php image says they are active).
> 
> I agree that the checks should only be in one place and it makes the  
> most sense to have those checks in the renderer.  That means
> removing the remaining checks from the handler and inserting checks
> into the renderer.
> 
> Note:  For anyone running a wiki with this patch applied and htmlok  
> and phpok settings off, you probably want to wind this patch back
> for now.

Ouch! I missed that one when looking at the patch. I applied a rollback
for now. Everybody running on darcs should pull immeadiately.

Andi

-- 
http://www.splitbrain.org

Other related posts: