From: Tim Starling <tstarling@users.mediawiki.org>
Date: Thu, 4 May 2006 06:12:47 +0000 (+0000)
Subject: security concerns
X-Git-Tag: 1.31.0-rc.0~57252
X-Git-Url: http://git.cyclocoop.org/%7B%24www_url%7Dadmin/compta/pie.php?a=commitdiff_plain;h=a790edbb7e041bea7cbad394d6e48534fb9e68f9;p=lhc%2Fweb%2Fwiklou.git

security concerns
---

diff --git a/includes/cbt/README b/includes/cbt/README
index 1f565e0d1e..cffcef2f21 100644
--- a/includes/cbt/README
+++ b/includes/cbt/README
@@ -43,6 +43,10 @@ The problems I saw were:
 * Syntax. The syntax is minimalistic and easy to parse, but can be quite ugly.
   Will generations of MediaWiki users curse my name?
 
+* Security. The code produced by TemplateCompiler is best stored in memcached
+  and executed with eval(). This allows anyone with access to the memcached port
+  to run code as the apache user.
+
 
 Template syntax
 ---------------