in reply to Re: User-updatable web sites
in thread User-updatable web sites

OK, with regard to security, would it be OK to just have my program chmod the files, write to them, then chmod them back? Most of the pages would be different or I would DEFINITELY use a template system. What types of things do I need to validate for? I read Ovid's stuff and it seemed pretty straightforward. Is there anything else I should be aware of?

(Ovid) Re(2): User-updatable web sites
by Ovid (Cardinal) on Mar 26, 2001 at 03:20 UTC
    A few things spring to mind here. This is all based on the assumption that users get to write their own HTML.
    1. I would strip all meta tags from their code. Users can play havoc with redirects, such as redirecting to porn sites or worse, having two accounts and having them redirect to each other's page. A browser could be then caught in an infinite loop of redirects.
    2. If they are allowed to create their own HTML, do they get to include images also? If so, you might have a concern about adult content.
    3. Make sure that server side includes are disabled or at least have the "exec" option turned off. Plus, I would probably just strip SSI tags from their input.
    4. This is the big one: however they create their pages, stick them in a database (after validating page size) or, if they are written out to files, make sure that the user CANNOT pick their file name. Also, don't let their filename be based on the name they input. They could potentially stick a null byte in their username and cause you all sorts of pain.
    Any other suggestions from fellow monks?

    Cheers,
    Ovid

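As an added example (not code from the thread or from Ovid), here is one way to apply points 1, 3 and 4 above in Perl before a user's HTML is written to disk: meta tags and SSI directives are stripped, the page size is checked, and the file name is derived from a numeric account id that the application already trusts rather than from anything the user typed. `PAGE_ROOT`, `MAX_PAGE`, the 64 KiB limit and the account id are assumptions for the example.

```perl
#!/usr/bin/perl
# Added example, not from the original thread. Assumptions (hypothetical):
# PAGE_ROOT is a directory writable only by the web server's user, the
# account id was looked up server-side (session/database), and 64 KiB is
# a reasonable page limit for this site.
use strict;
use warnings;
use File::Spec;

use constant PAGE_ROOT => '/var/www/userpages';   # assumed location
use constant MAX_PAGE  => 64 * 1024;              # assumed size limit

# Point 1 and point 3: remove <meta ...> tags (refresh redirects, redirect
# loops between accounts) and server-side include directives such as
# <!--#exec cmd="..." --> and <!--#include virtual="..." -->.
sub sanitize_html {
    my ($html) = @_;
    $html =~ s{<\s*meta\b[^>]*>}{}gi;     # any <meta ...> tag, any case
    $html =~ s{<!--\s*#.*?-->}{}gs;       # any SSI directive, even multi-line
    return $html;
}

# Point 4: the file name comes from a server-side numeric id, never from
# user input. A string of digits cannot carry a null byte, a slash or "..",
# so a hostile "username" never reaches open().
sub page_path {
    my ($account_id) = @_;
    die "bad account id\n"
        unless defined $account_id && $account_id =~ /\A[0-9]+\z/;
    return File::Spec->catfile(PAGE_ROOT, "$account_id.html");
}

# Validate size, sanitize, then write to the trusted path.
sub save_page {
    my ($account_id, $html) = @_;
    die "page too large\n" if length($html) > MAX_PAGE;
    my $clean = sanitize_html($html);
    my $path  = page_path($account_id);
    open my $fh, '>', $path or die "open $path: $!\n";
    print {$fh} $clean;
    close $fh or die "close $path: $!\n";
    return $path;
}

# Constructed sample input: the kind of page a hostile user might submit.
my $submitted = <<'HTML';
<html><head>
<META HTTP-EQUIV="refresh" CONTENT="0;url=http://other.example/">
</head><body>
<!--#exec cmd="cat /etc/passwd" -->
<!--#include virtual="/cgi-bin/something" -->
<p>Hello, world.</p>
</body></html>
HTML

print sanitize_html($submitted);   # only the <html>, <head>, <body> and <p> survive

# A user-chosen name with a null byte is rejected outright: it does not
# match /\A[0-9]+\z/, so page_path() dies instead of opening a file.
eval { page_path("alice\0../../etc/cron.d") };
print "rejected: $@" if $@;
```

The two regexes are deliberately simple so the idea is visible; a production filter should parse the HTML and keep only an allow-list of tags and attributes (CPAN's HTML::Scrubber does this) rather than try to blacklist bad tags. For point 3 on the server side, Apache's `Options IncludesNOEXEC` keeps includes working while disabling `#exec` and CGI includes. Writing the files as the web server's own user into a directory only that user can write to also avoids the chmod-then-chmod-back dance asked about above, which leaves the files writable by everyone during the window between the two chmods.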

      Personally, I would just have a set / static header.txt & footer.txt file(s) and have the user modify the content. Thus, if I wanted to change the navigation/banners/layout, as long as I had the new templates written to properly display the included content files, things would propagate seamlessly.

      Server Side Includes would be a must for this application. Each user would have their index.html file, and all it would consist of would be SSI calls to include:

      header.txt
      content.txt
      footer.txt

      It's really not that complicated, but it takes some getting used to. This way meta tags can't really be used, and I would take into consideration the notes from the node above as well.
      I hope this sheds some light on the subject,

      _14k4 - webmaster@860.org (www.poorheart.com)
        The main issue I have with that is that the user that will be maintaining this site doesn't have a clue about web design nor the desire to learn HTML. I have to make it so they can change individual elements and blocks of text without messing up the layout.
      I should have been a little more clear about what I meant by user-maintainable web sites. What I meant was that the person I designed the site for would be able to maintain the content of the site. They would not be able to add new pages, name the files, etc. I would design the entire thing and they basically could change any text or graphics that were necessary to update.