#4666 - Support
| Identifier | #4666 |
|---|---|
| Issue type | Feature request or suggestion |
| Title | Support <?php for declaring PHP code |
| Status | Closed (rejected) |
| Handling member | Deleted |
| Addon | commandr |
| Description | PHP code is currently initiated by a prefix of ":" (colon). That's fine. But it would be cool if it also recognised the regular PHP opening tag. That would allow copying and pasting arbitrary PHP code in with less effort. |
| Steps to reproduce | |
| Funded? | No |
Comments
It also makes it a little harder to perform remote script execution attacks if Commandr does not recognize the PHP tag. E.g. it would be easy to take any PHP file and run it as a Commandr script if we did this.
If we allow PHP syntax in Commandr, this opens the door for remote script execution attacks since Commandr can run / execute "Commandr scripts". It would be easy to feed Commandr any PHP file and run it if it was coded to recognize the PHP start tag. Even if we code it to not allow .php files, any PHP file could be renamed to .bin / .bat or whatever the extension is to have Commandr run it. We could require : when running external scripts but allow <?php within Commandr itself, but this will create a UX nuance.
Sure, it's still possible to attack by making Commandr scripts starting with : (on a compromised system or by a web admin who doesn't know what they're doing), but it's much less likely an attacker would know about this / do this.
IMO, it's more trouble than beneficial.