01206: Provide a way to use FmtPagename() safely on user-supplied data

Summary: Provide a way to use FmtPagename() safely on user-supplied data
Created: 2010-06-19 15:36
Status: Open
Category: CoreCandidate
Assigned:
Priority: 4
Version: 2.2 plus
OS: n/a

Description: According to this thread it is unwise to use FmtPagename() on user-supplied data. (See here for the specific quote from PM.) This is primarily (I believe?) because it exposes global variables which could cause a security risk.

However, FmtPagename() is an immensely helpful function for recipe writers and very often this involves wanting to process page source -- i.e., user supplied data. If an additional, optional parameter were added to FmtPagename() which got rid of the processing of globals it would be a big help in writing secure recipes. This would require adding 2 lines of code and changing the function definition slightly...

- function FmtPageName($fmt, $pagename) {
+ function FmtPageName($fmt, $pagename, $do_globals=true) {

After that it's just a simple case of if'ing out the section at the end of the function that deals with globals...

  if (strpos($fmt,'$')===false) return $fmt;
+ if ($do_globals) {
  static $g;
  if ($GCount != count($GLOBALS)+count($FmtV)) {
    $g = array();
    foreach($GLOBALS as $n=>$v) {
      if (is_array($v) || is_object($v) ||
         isset($FmtV["\$$n"]) || in_array($n,$UnsafeGlobals)) continue;
      $g["\$$n"] = $v;
    }
    $GCount = count($GLOBALS)+count($FmtV);
    krsort($g); reset($g);
  }
  $fmt = str_replace(array_keys($g),array_values($g),$fmt);
+ }
  $fmt = preg_replace('/(?>(\\$[[:alpha:]]\\w+))/e', 
          "isset(\$FmtV['$1']) ? \$FmtV['$1'] : '$1'", $fmt); 
  return $fmt;