From d23604e85c0572bd516d0a4940b07f16d65494af Mon Sep 17 00:00:00 2001
From: rurban <rurban@96ab9672-09ca-45d6-a79d-3d69d39ca109>
Date: Mon, 28 Jun 2004 16:35:12 +0000
Subject: [PATCH] prevent from shell commands

git-svn-id: svn://svn.code.sf.net/p/phpwiki/code/trunk@3802 96ab9672-09ca-45d6-a79d-3d69d39ca109
---
 lib/plugin/Ploticus.php      | 26 ++++++++++++++++++++++----
 lib/plugin/RecentChanges.php |  8 +++++---
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/lib/plugin/Ploticus.php b/lib/plugin/Ploticus.php
index 5205c3603..3964fa349 100644
--- a/lib/plugin/Ploticus.php
+++ b/lib/plugin/Ploticus.php
@@ -1,5 +1,5 @@
 <?php // -*-php-*-
-rcs_id('$Id: Ploticus.php,v 1.4 2004-06-19 10:06:38 rurban Exp $');
+rcs_id('$Id: Ploticus.php,v 1.5 2004-06-28 16:35:12 rurban Exp $');
 /*
  Copyright 2004 $ThePhpWikiProgrammingTeam
 
@@ -80,7 +80,7 @@ extends WikiPluginCached
     }
     function getVersion() {
         return preg_replace("/[Revision: $]/", '',
-                            "\$Revision: 1.4 $");
+                            "\$Revision: 1.5 $");
     }
     function getDefaultArguments() {
         return array(
@@ -217,11 +217,23 @@ extends WikiPluginCached
          return $output;
     }
 
+    function withShellCommand($script) {
+        $findme  = 'shell';
+        $pos = strpos($script, $findme);
+        if ($pos === false) 
+            return 0;
+        return 1;
+    }
+
     function getImage($dbi, $argarray, $request) {
         //extract($this->getArgs($argstr, $request));
         //extract($argarray);
         $source =& $this->source;
         if (!empty($source)) {
+            if ($this->withShellCommand($source)) {
+                $this->_errortext .= _("shell commands not allowed in Ploticus");
+                return false;
+            }
             $html = HTML();
             //$cacheparams = $GLOBALS['CacheParams'];
             $tempfiles = $this->tempnam('Ploticus');
@@ -238,8 +250,10 @@ extends WikiPluginCached
                 $code = $this->oldFilterThroughCmd($source, $commandLine);
             //if (empty($code))
             //    return $this->error(fmt("Couldn't start commandline '%s'", $commandLine));
-            if (! file_exists("$tempfiles.$gif") )
-                return $this->error(fmt("Ploticus error: Outputfile '%s' not created", $tempfiles.$gif));
+            if (! file_exists("$tempfiles.$gif") ) {
+                $this->_errortext .= fmt("Ploticus error: Outputfile '%s' not created", $tempfiles.$gif);
+                return false;
+            }
             $ImageCreateFromFunc = "ImageCreateFrom$gif";
             $img = $ImageCreateFromFunc( "$tempfiles.$gif" );
             return $img;
@@ -255,6 +269,10 @@ extends WikiPluginCached
 };
 
 // $Log: not supported by cvs2svn $
+// Revision 1.4  2004/06/19 10:06:38  rurban
+// Moved lib/plugincache-config.php to config/*.ini
+// use PLUGIN_CACHED_* constants instead of global $CacheParams
+//
 // Revision 1.3  2004/06/03 09:40:57  rurban
 // WikiPluginCache improvements
 //
diff --git a/lib/plugin/RecentChanges.php b/lib/plugin/RecentChanges.php
index 55274cbb4..c435957a1 100644
--- a/lib/plugin/RecentChanges.php
+++ b/lib/plugin/RecentChanges.php
@@ -1,5 +1,5 @@
 <?php // -*-php-*-
-rcs_id('$Id: RecentChanges.php,v 1.99 2004-06-20 14:42:54 rurban Exp $');
+rcs_id('$Id: RecentChanges.php,v 1.100 2004-06-28 16:35:12 rurban Exp $');
 /**
  Copyright 1999, 2000, 2001, 2002 $ThePhpWikiProgrammingTeam
 
@@ -524,7 +524,6 @@ extends _RecentChanges_Formatter
         include_once('lib/RssWriter.php');
         $rss = new RssWriter;
 
-
         $rss->channel($this->channel_properties());
 
         if (($props = $this->image_properties()))
@@ -658,7 +657,7 @@ extends WikiPlugin
 
     function getVersion() {
         return preg_replace("/[Revision: $]/", '',
-                            "\$Revision: 1.99 $");
+                            "\$Revision: 1.100 $");
     }
 
     function managesValidators() {
@@ -841,6 +840,9 @@ class DayButtonBar extends HtmlElement {
 }
 
 // $Log: not supported by cvs2svn $
+// Revision 1.99  2004/06/20 14:42:54  rurban
+// various php5 fixes (still broken at blockparser)
+//
 // Revision 1.98  2004/06/14 11:31:39  rurban
 // renamed global $Theme to $WikiTheme (gforge nameclash)
 // inherit PageList default options from PageList
-- 
2.45.0