[geeklog-devel] PHP in Static Pages
Dirk Haun
dirk at haun-online.de
Tue Jan 13 15:26:24 EST 2004
(moving this to the list from private email)
Tony wrote:
>Have we considered the possibility of stripping calls to certain php
>functions? I know we turn PHP off by default and have documented how
>enabled PHP could be stupid (especially considering most GL logins don't
>occur over SSL). Specifically, exec(), system() and some of the
>filesystem methods should probably be removed or, at the very least,
>generated emails to the GL admin when they are found.
I can't see how you would do this (reliably) without adding a PHP parser
to Geeklog.
There is a feature request that suggests limiting PHP to only call
certain functions (prefixed with phpstatic_):
<http://project.geeklog.net/tracker/index.php?func=detail&aid=83&group_id=6&atid=108>
Looks like the intention was to make it similar to PHP blocks.
>Just thinking of ways to be more proactive security-wise with this.
>Personally I hate seeing PHP in static pages...but I grudgingly conceded
>considering users seem to insist on having it.
I guess an option in the static pages' config.php to disable PHP
altogether can't hurt ...
bye, Dirk
--
http://www.haun-online.de/
http://www.tinyweb.de/
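
Added example, not part of the original message and not Geeklog's own code: a sketch of the two mitigations discussed above, a switch that disables PHP in static pages altogether and a dispatcher that only calls functions carrying the phpstatic_ prefix. Because the page names a function rather than supplying PHP source, the name can be checked without a PHP parser. The names `$_SP_CONF['allow_php']`, `sp_render()` and `phpstatic_serverTime()` are hypothetical.

```php
<?php
// Hypothetical names throughout; this is not Geeklog's actual code.
$_SP_CONF = ['allow_php' => true]; // set to false to disable PHP in static pages

// A site-defined function that follows the prefix convention.
function phpstatic_serverTime(string $format = 'Y-m-d'): string
{
    return htmlspecialchars(date($format), ENT_QUOTES, 'UTF-8');
}

/**
 * Render a static page. The page may name ONE function to call; it never
 * supplies PHP source, so nothing is passed to eval().
 */
function sp_render(array $conf, string $content, string $callName = '', array $args = []): string
{
    // Master switch: with PHP disabled the content is served unchanged.
    if ($callName === '' || empty($conf['allow_php'])) {
        return $content;
    }

    // Strict allowlist: literal prefix followed by identifier characters only.
    // This excludes namespaces (\), static methods (::) and built-ins such as
    // exec() or system(), none of which carry the prefix.
    if (preg_match('/\Aphpstatic_[A-Za-z0-9_]+\z/', $callName) !== 1) {
        // Encode the untrusted name so it cannot inject lines into the log.
        error_log('static page: rejected function name ' . rawurlencode(substr($callName, 0, 64)));
        return $content;
    }

    // Only functions the site itself defined are callable, never internal ones.
    if (!function_exists($callName) || !(new ReflectionFunction($callName))->isUserDefined()) {
        error_log('static page: unknown function ' . $callName);
        return $content;
    }

    // array_values() drops string keys so they are not treated as named arguments.
    return $content . (string) call_user_func_array($callName, array_values($args));
}

// Constructed sample calls.
echo sp_render($_SP_CONF, '<p>Today: </p>', 'phpstatic_serverTime'), "\n";
echo sp_render($_SP_CONF, '<p>Today: </p>', 'system'), "\n";              // name fails the prefix check
echo sp_render(['allow_php' => false], '<p>Today: </p>', 'phpstatic_serverTime'), "\n"; // PHP disabled
```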