[geeklog-devel] PHP in Static Pages
dirk at haun-online.de
Tue Jan 13 15:26:24 EST 2004
(moving this to the list from private email)
>Have we considered the possibility of stripping calls to certain php
>functions? I know we turn PHP off by default and have documented how
>enabled PHP could be stupid (especially considering most GL logins don't
>occur over SSL). Specifically, exec(), system() and some of the
>filesystem methods should probably be removed or, at the very least,
>generated emails to the GL admin when they are found.
I can't see how you would do this (reliably) without adding a PHP parser.
There is a feature request that suggests limiting PHP to only call
certain functions (prefixed with phpstatic_):
Looks like the intention was to make it similar to PHP blocks.
>Just thinking of ways to be more proactive security-wise with this.
>Personally I hate seeing PHP in static pages...but I grudgingly conceded
>considering users seem to insist on having it.
I guess an option in the static pages' config.php to disable PHP
altogether can't hurt ...
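
The reliability problem raised in the reply, as an added example that is not part of the original message and is not Geeklog code: a scan built on PHP's own tokenizer (`token_get_all()`) finds direct calls to listed functions, but a call whose target is only known at runtime can merely be flagged for rejection or review. The function `scan_static_page()`, the denylist entries beyond `exec()` and `system()`, and the sample page body are assumptions made for illustration.

```php
<?php
// Added example, not Geeklog code. scan_static_page() and the sample page are hypothetical.

// exec() and system() are the functions named in the thread; the others are
// assumed additions of the same kind.
const DENYLIST = ['exec', 'system', 'passthru', 'shell_exec', 'popen', 'proc_open'];

function scan_static_page(string $code): array
{
    // Assumption: the page body is stored without an opening tag, so add one.
    $sig = [];
    foreach (token_get_all("<?php\n" . $code) as $t) {
        // Drop whitespace and comments so "system /* x */ (" is still seen as a call.
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) continue;
        $sig[] = $t;
    }

    $findings = [];
    foreach ($sig as $i => $t) {
        if (!is_array($t)) continue;
        [$id, $text, $line] = $t;
        $line--; // undo the line added by the prepended opening tag
        $isCall = ($sig[$i + 1] ?? null) === '(';
        $prevId = is_array($sig[$i - 1] ?? null) ? $sig[$i - 1][0] : null;

        if ($id === T_EVAL) {
            $findings[] = "line $line: eval() hides code from this scan";
        } elseif ($id === T_VARIABLE && $isCall) {
            $findings[] = "line $line: dynamic call via $text, target unknown until runtime";
        } elseif ($isCall && in_array(token_name($id), ['T_STRING', 'T_NAME_FULLY_QUALIFIED'], true)
            && !in_array($prevId, [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)
            && in_array(strtolower(ltrim($text, '\\')), DENYLIST, true)) {
            $findings[] = "line $line: direct call to " . ltrim($text, '\\') . '()';
        }
    }
    return $findings;
}

// Constructed sample page body.
$page = <<<'PAGE'
echo date('Y');
$uptime = system('uptime');
$fn = 'str' . 'len';   // the name only exists at runtime
echo $fn('abc');
PAGE;

echo implode("\n", scan_static_page($page)), "\n";
```

A scan like this can drive the admin notification suggested in the quoted text, but it is not a sandbox: anything it cannot resolve has to be treated as a finding.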