Hello all,
Thanks for the comments. I have modified the previous hack to do what we've discussed earlier today:
If you include the following snippet in setup.php:
    function IncludePHP($Content) {
        global $wgOut;
        $wgOut->enableClientCache(false);
        ob_start();
        // Match only lowercase letters and numbers, followed by a period, followed by 'php'
        if (preg_match('/^[a-z0-9]*\.php\z/', $Content) === 1) {
            $Content = "include('$Content');";
        } else {
            $Content = "echo '<strong>invalid include file specified</strong>';";
        }
        eval($Content);
        $Result = ob_get_contents();
        ob_end_clean();
        return $Result;
    }
    $wgParser->setHook('includephp', 'IncludePHP');
(To make it work, you put the PHP code in "filename.php", upload it to your wiki directory, then use the syntax <includephp>filename.php</includephp>.)
In my wiki, this works beautifully - only *.php files in my wiki directory are executed. Everything else is rejected. It's a simple matter of tweaking the regex to allow subfolders too.
Comments about the effectiveness of this are appreciated ... =)
Taneem Talukdar
On Tue, 9 Nov 2004 23:07:33 +0000, Rowan Collins rowan.collins@gmail.com wrote:
On Tue, 9 Nov 2004 08:21:25 -0700, Taneem A T thezeropoint@gmail.com wrote:
So I was thinking, could we modify the hack so that you couldn't put in PHP directly into the Wiki but you could include an external PHP file whose code would be executed?
Perhaps this would be a good reason to implement the ability to include [some?] Special: pages as templates, as requested at http://bugzilla.wikipedia.org/show_bug.cgi?id=813
That way, the PHP code could only be written by someone with access to the wiki's source directory, and there would be no need to validate filenames, as none would ever be directly given (they would be produced by Title.php, presumably).
I don't know how easy this would be to implement cleanly, though, given the mixed wiki-text/raw html output of current Special pages. Maybe SpecialPage.php could have an "executeAsTemplate()" method, which returned wikitext to be included if the page was requested as an inclusion. That way, it could return "" by default, and potentially format things differently than accessing the page normally; and a site administrator could create Special: pages to do custom bits of php, even giving them parameters (either using the sub-page style, like [[Special:Whatlinkshere/foo]], or by having template parameters passed to executeAsTemplate() - in an associative array or somesuch). Hm, I think I'll shove this suggestion on the bug report...
-- Rowan Collins BSc [IMSoP]
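
A stricter form of the filename check used by the includephp hook at the top of this message, as an added example that is not part of the original post or of MediaWiki. INCLUDE_DIR and all function names are assumptions; the block compares a loosely written pattern with a tightened one, then resolves the file inside a fixed directory and includes it without eval().

```php
<?php
// Added example; INCLUDE_DIR and all function names are hypothetical.
const INCLUDE_DIR = __DIR__ . '/includes';

// Loose check, constructed for comparison: unescaped dot, "$" anchor.
function looseCheck(string $name): bool {
    return preg_match('/^[a-z0-9]*.php$/', $name) === 1;
}

// Escaped dot, at least one name character, and \z so that a trailing
// newline is rejected ("$" would accept it).
function strictCheck(string $name): bool {
    return preg_match('/\A[a-z0-9]+\.php\z/', $name) === 1;
}

// Resolve the name under INCLUDE_DIR; realpath() follows symlinks, so the
// result must still be a regular file directly inside that directory.
function resolveInclude(string $name): ?string {
    if (!strictCheck($name)) {
        return null;
    }
    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    return dirname($path) === $base ? $path : null;
}

// Hook body: include the resolved file directly, no eval() of a built string.
function includePhpHook(string $content): string {
    $path = resolveInclude($content);
    if ($path === null) {
        return '<strong>invalid include file specified</strong>';
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Constructed sample names, printed with the verdict of each check.
$samples = ["report.php", "reportphp", "a/php", "report.php\n", "Report.php"];
foreach ($samples as $n) {
    printf("%-15s loose=%d strict=%d\n",
        json_encode($n, JSON_UNESCAPED_SLASHES), looseCheck($n), strictCheck($n));
}
```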