If you are going to do this anyway, despite the warnings given, use some
regex to strictly find all function & method invocations and only allow a
very small whitelisted set. Err on the side of caution with the regex
finding too many matches including false positives.
On Sun, 2 Jul 2017 07:57 Jean Valjean <jeanvaljean2718(a)gmail.com> wrote:
Well it does have a certain coolness factor to do everything through the
wiki. It's kind of like how Mark Zuckerberg wanted Facebookers to be able
to do everything they needed to do on the web without leaving Facebook.
Facebook would have email, messaging, games, video, search, and even
Wikipedia articles!
https://thenextweb.com/opinion/2015/03/25/facebook-has-officially-declared-…
But why should Zuck be the only one to have such grand, sweeping ambitions?
Once MediaWiki becomes powerful enough, it can kill all other apps and rule
the world!
http://www.npr.org/sections/alltechconsidered/2016/04/13/474011009/facebooks-new-master-plan-kill-other-apps
We can create MediaWiki extensions for artificial intelligence, virtual
reality, drones, you name it. Why shouldn't there be artificially
intelligent robotic aircraft that anyone can edit?
https://www.fastcompany.com/3052885/mark-zuckerberg-facebook
Facebook walls people off from each other through the proprietary nature of
its technology and the cliquish tendencies of its circles of friends.
MediaWiki brings everyone together through openness and its natural
tendency to foster online collectivist utopias. Therefore the time is
coming for a steel cage match between the two platforms, in which they
battle for dominance, with room for only one survivor. Once technology
advances to the point where the software becomes self-aware, this
deathmatch can move from being a theoretical possibility to a practical
reality.
One might ask, "Why is it even necessary to revise LocalSettings.php so
often?" Ideally, there would be a configuration database, so that it
wouldn't be necessary to make so many changes to LocalSettings.php, but I
think the reason that never caught on is that there just aren't enough
MediaWiki installations out there for it to seem like a worthwhile idea.
It's not like WordPress, which probably has millions of installations. Or
hundreds of thousands, anyway. Thus, it seems like we're doomed to continue
manually editing PHP files for the foreseeable future.
Sucks that they got rid of php_check_syntax(). That seems superior to
php -l.
http://php.net/manual/en/function.php-check-syntax.php
On Sat, Jul 1, 2017 at 7:32 PM, Brian Wolff <bawolff(a)gmail.com> wrote:
Most people just use a git repo for version controlling their
LocalSettings.php
If you really really want to do this onwiki approach, try verifying the
file with `php -l` before saving.
--
brian
On Saturday, July 1, 2017, Jean Valjean <jeanvaljean2718(a)gmail.com> wrote:
> Yeah, that's already happened a few times (typo taking the site down). What
> I did on another wiki farm was have one wiki in charge of the other wiki's
> config files, so that if you messed up LocalSettings.php, it wouldn't take
> down the wiki that was modifying it.
>
> My goal was to have some sort of version control system in place so that as
> different people are changing the files, we know who did what when, and can
> revert easily to a previous version.
On Sat, Jul 1, 2017 at 7:04 PM, Brian Wolff <bawolff(a)gmail.com> wrote:
>> Even ignoring the security issues, if one of your users makes a typo, they
>> take down the site and they cannot revert because the site is then down.
>>
>> From a security perspective, this is equivalent to giving your users shell
>> access to your server. They can run any arbitrary program, do anything,
>> insert backdoors, etc. Additionally this setup requires the web user to
>> have write access to php enabled web directories which is also bad
>> practice.
>>
>> --
>> bawolff
>>
>> On Saturday, July 1, 2017, Legoktm <legoktm.wikipedia(a)gmail.com> wrote:
>> > On 07/01/2017 03:16 PM, Jean Valjean wrote:
>> >> I want to let some of my administrators (in the wizards group) edit
>> >> LocalSettings.php, so I used this snippet, which allows them to make
>> >> changes by editing the Project:Shared_config.php page. Then I protected
>> >> the page so that only wizards can edit it. Do you think this presents any
>> >> security issues?
>> >
>> > Yes, it presents a huge security issue. Anyone who can modify your
>> > LocalSettings.php can execute arbitrary PHP code. They could see any
>> > private data in your database, easily get passwords, or even potentially
>> > give themselves server access.
>> >
>> > I would highly recommend NOT doing this.
>> >
>> > -- Legoktm
>> >
> _______________________________________________
> MediaWiki-l mailing list
> To unsubscribe, go to:
>
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
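The regex allowlist suggested in the top message of this thread, sketched in PHP as an added example (not code from the thread or from MediaWiki). `ALLOWED_CALLS`, `GAP`, `findDisallowedConstructs` and both sample inputs are assumptions made for illustration; the check deliberately over-matches, flagging call-shaped text even inside strings and comments.

```php
<?php
// Added example, not code from the thread. ALLOWED_CALLS and both sample
// inputs are constructed for illustration.
const ALLOWED_CALLS = ['array', 'define', 'defined'];

// Whitespace or comments, both of which PHP permits between a name and "(".
const GAP = '(?:\s|/\*.*?\*/|(?://|\#)[^\n]*)*';

function findDisallowedConstructs(string $src): array
{
    $problems = [];

    // Constructs that execute code without looking like name(...).
    $banned = [
        '~`~'                                  => 'backtick operator',
        '~\b(?:include|require)(?:_once)?\b~i' => 'include/require',
        '~\bnew\b~i'                           => 'object instantiation',
        '~->|::~'                              => 'method or static call',
        '~(?:\$\w+|[\]})])' . GAP . '\(~s'     => 'variable or computed call',
    ];
    foreach ($banned as $pattern => $why) {
        if (preg_match($pattern, $src)) {
            $problems[] = $why;
        }
    }

    // Anything shaped like name( counts as a call, even inside a string or
    // a comment: over-matching is the intended failure mode.
    preg_match_all('~([\w\\\\]+)' . GAP . '\(~s', $src, $m);
    foreach (array_unique(array_map('strtolower', $m[1])) as $name) {
        if (!in_array($name, ALLOWED_CALLS, true)) {
            $problems[] = "call to $name()";
        }
    }
    return $problems;
}

// Constructed inputs: plain assignments, then a call hidden behind a comment.
$ok  = "<?php\n\$wgSitename = 'Example';\n\$wgGroupPermissions['*']['edit'] = false;\n";
$bad = "<?php\n\$wgSitename = strtoupper /* note */ ('example');\n";

print_r(findDisallowedConstructs($ok));
print_r(findDisallowedConstructs($bad));
```

An empty result only means the text contains no call-shaped construct outside the allowlist; the `php -l` syntax check mentioned in the thread still has to run before the file is saved.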