To improve support for custom addons to RC I propose to move the current action-to-file-mapping (currently starting on index.php:214) to the actual action-directory. This allows for a customization to contain only a directory in '/program/steps/'. I see two possible options:
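- create a file 'mappings.inc' containing the exact switches that are
  currently in the index.php
- validate an action by looking up the existence of
  '/program/steps/$_task/$_action.inc'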
I think the second option is best. Comments?
Regards, Sjon
Sjon wrote:
> To improve support for custom addons to RC I propose to move the current action-to-file-mapping (currently starting on index.php:214) to the actual action-directory. This allows for a customization to contain only a directory in '/program/steps/'. I see two possible options:
> - create a file 'mappings.inc' containing the exact switches that are
>   currently in the index.php
I like this option more.
> - validate an action by looking up the existence of
>   '/program/steps/$_task/$_action.inc'
I don't like direct access to script files from URL parameters without any checks. This is one of the most popular security issues on many web applications.
> I think the second option is best. Comments?
> Regards, Sjon
Regards, Thomas
On Mon, 09 Jan 2006 08:30:15 +0100, Thomas Bruederli roundcube@gmail.com wrote:
> Sjon wrote:
>> - validate an action by looking up the existence of
>>   '/program/steps/$_task/$_action.inc'
> I don't like direct access to script files from URL parameters without any checks. This is one of the most popular security issues on many web applications.
I never said without any checks ;) What I use most of the time is something like this:
if (!preg_match('~^[a-zA-Z_-]*$~', $_action)) die('invalid action');
That way, it's secure and flexible.
Regards, Sjon
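An added example (not code from this thread or from RoundCube) that combines the two checks discussed above: a character allowlist on the task and action names, plus a lookup of the file under the steps directory. The function name resolve_step(), the temporary directory layout and the sample inputs are constructed for illustration; the script also shows how the posted pattern treats an empty name and a trailing newline.

```php
<?php
// Hypothetical helper: map a task/action pair to a file under the steps
// directory, or return null if the request must be refused.
function resolve_step(string $stepsDir, string $task, string $action): ?string
{
    foreach ([$task, $action] as $name) {
        // \A and \z anchor the whole string. '$' alone also matches before a
        // trailing newline, and '*' would let an empty name through.
        if (!preg_match('~\A[a-zA-Z_-]+\z~', $name)) {
            return null;
        }
    }
    $base = realpath($stepsDir);
    if ($base === false) {
        return null;
    }
    // realpath() returns false for missing files and resolves symlinks, so
    // the prefix test confirms the target really sits under the steps dir.
    $path = realpath("$base/$task/$action.inc");
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample tree: one task directory with one step file.
$dir = sys_get_temp_dir() . '/steps_demo_' . getmypid();
mkdir("$dir/mail", 0700, true);
file_put_contents("$dir/mail/compose.inc", "<?php // constructed placeholder\n");

// Constructed inputs: valid, trailing newline, empty, traversal, unknown.
$actions = ['compose', "compose\n", '', '../../config/db', 'missing'];
foreach ($actions as $a) {
    $posted = preg_match('~^[a-zA-Z_-]*$~', $a) === 1;   // pattern from the post
    $strict = resolve_step($dir, 'mail', $a) !== null;
    printf("%-20s posted pattern: %-7s resolve_step: %s\n",
        json_encode($a), $posted ? 'accept' : 'reject', $strict ? 'accept' : 'reject');
}

// Clean up the constructed tree.
unlink("$dir/mail/compose.inc");
rmdir("$dir/mail");
rmdir($dir);
```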