Yes, making LocalSettings.php world-readable/editable is a huge security issue.

On Sat, Jul 1, 2017 at 6:16 PM, Jean Valjean <jeanvaljean2718@gmail.com> wrote:
I want to let some of my administrators (in the wizards group) edit LocalSettings.php, so I used this snippet, which allows them to make changes by editing the Project:Shared_config.php page. Then I protected the page so that only wizards can edit it. Do you think this presents any security issues?
(I was also going to have it save the old version to a .bak file, but I had to comment that code out because I was getting a "call to a function on a non-object" error, for some reason.)
# After every save of Project:Shared config.php, strip the <source> wrapper and
# write the page body to disk as PHP (LocalSettings.php then includes that file).
function editLocalSettingsOnPageContentSaveComplete( $article, $user, $content, $summary,
	$isMinor, $isWatch, $section, $flags, $revision, $status, $baseRevId
) {
	if ( $article->getTitle()->getFullText() !== 'Project:Shared config.php' ) {
		return true;
	}
	# Backup of the previous revision, left commented out. Per docs/hooks.txt $baseRevId
	# is "the rev ID (or false) this edit was based on"; when it is false
	# Revision::newFromId() returns null and getContent() is called on a non-object.
	# $revision->getParentId() gives the id of the revision that was just replaced.
	# $oldRevision = Revision::newFromId( $revision->getParentId() );
	# $oldRevisionContent = $oldRevision->getContent( Revision::RAW );
	# $oldRevisionContents = ContentHandler::getContentText( $oldRevisionContent );
	# $oldRevisionContents = str_replace( '<source lang="php"' . ">\n", '', $oldRevisionContents );
	# $oldRevisionContents = str_replace( '</source' . '>', '', $oldRevisionContents );
	# file_put_contents( '/home/wiki/shared_config.bak', $oldRevisionContents );
	$contents = ContentHandler::getContentText( $content );
	$contents = str_replace( '<source lang="php"' . ">\n", '', $contents );
	$contents = str_replace( '</source' . '>', '', $contents );
	# Written with the web server's default umask, i.e. normally 0644 (world-readable);
	# whatever PHP the page contains is executed on the next request.
	file_put_contents( '/home/wiki/shared_config.php', $contents );
	return true;
}
$wgHooks['PageContentSaveComplete'][] = 'editLocalSettingsOnPageContentSaveComplete';
# add an additional protection level restricting edit/move/etc. to users with the "wizards" permission
$wgRestrictionLevels[] = 'wizards';
# give the "wizards" permission to users in the "wizard" group
# (note: as written this line grants the right to the 'developer' group, not 'wizard')
$wgGroupPermissions['developer']['wizards'] = true;

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to: https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
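The following is an added example, not code from either message above and not MediaWiki's own API: it shows the shape a practitioner would reach for instead of writing a wiki page straight into an included PHP file. The wiki page holds JSON rather than PHP source, only allowlisted setting names with the expected type are accepted, and the result is written atomically with mode 0640 so the file is neither world-readable nor half-written when LocalSettings.php reads it. The names SHARED_CONFIG_ALLOWLIST, loadSharedConfig(), writeSharedConfig() and applySharedConfig(), the settings listed in the allowlist, and the sample page body are all assumptions made for the example.

```php
<?php
// Added example (not from the thread): validate wiki-supplied settings instead of
// executing wiki-supplied PHP. All names below are assumptions for illustration.
declare(strict_types=1);

// Settings a "wizard" may change, with the scalar type each must have.
// Anything not listed (e.g. wgDBpassword, wgSecretKey, hook registrations) is rejected,
// so the page can never inject code or expose secrets through the generated file.
const SHARED_CONFIG_ALLOWLIST = [
    'wgSitename'      => 'string',
    'wgLanguageCode'  => 'string',
    'wgEnableUploads' => 'boolean',
    'wgMaxUploadSize' => 'integer',
    'wgDefaultSkin'   => 'string',
];

/**
 * Parse the JSON body of the wiki page into a validated settings array.
 * Throws on malformed JSON, a non-object top level, unknown keys, or a wrong type.
 */
function loadSharedConfig(string $json): array
{
    $data = json_decode($json, true, 4, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('shared config must be a JSON object');
    }
    $settings = [];
    foreach ($data as $name => $value) {
        if (!array_key_exists($name, SHARED_CONFIG_ALLOWLIST)) {
            throw new InvalidArgumentException("setting not allowlisted: $name");
        }
        $expected = SHARED_CONFIG_ALLOWLIST[$name];
        if (gettype($value) !== $expected) {
            throw new InvalidArgumentException("$name must be $expected, got " . gettype($value));
        }
        $settings[$name] = $value;
    }
    return $settings;
}

/**
 * Write validated settings as JSON (never PHP) to $path: temp file in the same
 * directory (tempnam() creates it 0600), chmod 0640, then rename() so readers
 * never see a partially written file.
 */
function writeSharedConfig(string $path, array $settings): void
{
    $tmp = tempnam(dirname($path), 'shared_config.');
    if ($tmp === false) {
        throw new RuntimeException('cannot create temp file');
    }
    $json = json_encode($settings, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);
    if (file_put_contents($tmp, $json . "\n", LOCK_EX) === false
        || !chmod($tmp, 0640)
        || !rename($tmp, $path)) {
        @unlink($tmp);
        throw new RuntimeException("cannot write $path");
    }
}

/**
 * Apply the file's settings to MediaWiki globals. Call this from LocalSettings.php
 * after the core settings, instead of require'ing a generated PHP file. The same
 * allowlist is enforced on read, so a tampered file cannot widen the set either.
 */
function applySharedConfig(string $path): void
{
    if (!is_readable($path)) {
        return; // no shared overrides yet
    }
    foreach (loadSharedConfig((string) file_get_contents($path)) as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Demo on a constructed wiki-page body (not real site data).
$pageBody = '{"wgSitename": "Example Wiki", "wgEnableUploads": true, "wgMaxUploadSize": 10485760}';
$path = sys_get_temp_dir() . '/shared_config.json';
writeSharedConfig($path, loadSharedConfig($pageBody));
applySharedConfig($path);
echo 'wgSitename is now: ', $GLOBALS['wgSitename'], "\n";

// A body that tries to smuggle in a secret or a non-allowlisted key is rejected
// before anything touches the disk.
try {
    loadSharedConfig('{"wgDBpassword": "x"}');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

In the hook from the original message, loadSharedConfig() would run on the page text before writeSharedConfig(), and a failure would leave the existing file untouched; the natural place to reject a bad body before it is saved is an edit-filter hook such as EditFilterMergedContent rather than PageContentSaveComplete, which only fires after the revision exists. Two caveats remain regardless of the format: every revision of the page stays readable to anyone who can view its history, so nothing secret belongs there, and anyone who obtains a wizard session (phished credentials, a stolen cookie, an XSS on the wiki) gets the same powers the wizards have, which is why that set of settings should stay small.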