I had an e-mail thread going with Andi and he suggested I bring it to the mailing list for additional feedback.
Links embedded in DokuWiki pages can use arbitrary protocol handlers, for example the shell: protocol handler. While browsers usually block this particular handler, allowing the user to specify arbitrary handlers in links (in combination with a protocol handler vulnerability in the browser, OS, or 3rd party software) opens the possibility of a malicious user utilizing a DokuWiki installation to compromise other visitors.
Both Firefox and IE will pass un-handled protocol handlers to the operating system. (Probably other browsers as well.) If there's a vulnerability in the protocol handler, a malicious user could place a link in a DokuWiki installation which exploits this.
There have been protocol handler vulnerabilities in the past, e.g. a BO in Windows' gopher protocol handler, a telnet handler vuln. in Opera, shell handler vuln. in Firefox, etc.
Suggestion: Add a config option to specify the acceptable protocol handlers in links. Set the DokuWiki installation default to (say) http, https, and ftp.
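A scheme allowlist check of the kind this proposal describes, added here as an illustration (not DokuWiki's own code). It assumes the configured allowlist is passed in as a set of lowercase scheme names and that it is applied to external link targets; it also applies the tab/newline and leading/trailing control-character cleanup browsers perform before parsing a URL, so a link is judged by the scheme the browser would actually dispatch on rather than by a naive string prefix.

```python
import re
from typing import FrozenSet, Optional

# Default allowlist mirroring the proposal above (constructed for this example).
DEFAULT_ALLOWED_SCHEMES: FrozenSet[str] = frozenset({"http", "https", "ftp"})

# RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# All C0 control characters plus space, which browsers strip from URL ends.
_STRIP_CHARS = "".join(chr(c) for c in range(0x21))


def normalize_link(raw: str) -> str:
    """Mimic WHATWG URL pre-processing: remove ASCII tab/CR/LF anywhere and
    strip leading/trailing controls and spaces. Without this, 'java\\tscript:'
    or ' shell:' would look like relative links to a prefix check while the
    browser still sees a scheme."""
    cleaned = raw.replace("\t", "").replace("\r", "").replace("\n", "")
    return cleaned.strip(_STRIP_CHARS)


def link_scheme(raw: str) -> Optional[str]:
    """Return the lowercased scheme of a link, or None for relative links."""
    match = _SCHEME_RE.match(normalize_link(raw))
    return match.group(1).lower() if match else None


def is_link_allowed(raw: str, allowed: FrozenSet[str] = DEFAULT_ALLOWED_SCHEMES) -> bool:
    """Allow relative links and links whose scheme is in the configured set.
    Everything else (shell:, gopher:, telnet:, javascript:, unknown handlers,
    and even single-letter drive paths like 'C:\\...') is rejected."""
    scheme = link_scheme(raw)
    if scheme is None:
        return True
    return scheme in allowed


if __name__ == "__main__":
    # Constructed sample link targets, as they might appear in wiki markup.
    for target in ["http://example.org/", "HTTPS://example.org/", "page#section",
                   "shell:example", "gopher://example.org/", "java\tscript:x"]:
        print(f"{target!r:28} allowed={is_link_allowed(target)}")
```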
Thoughts?

Thanks, Walter

--
DokuWiki mailing list - more info at http://wiki.splitbrain.org/wiki:mailinglist