On Nov 9, 2004, at 11:25 PM, Taneem A T wrote:
> If you include the following snippet in setup.php:
You generally shouldn't modify Setup.php; extensions should be loaded in LocalSettings.php.
> function IncludePHP($Content) {
>     global $wgOut;
>     $wgOut->enableClientCache(false);
>     ob_start();
>     //match for only text and numbers, followed by a period followed by 'php'
>     if(ereg("^([a-z]|[0-9])*.php$",$Content)==true){
Don't forget that "." is a special symbol in regular expressions, which matches any character except a newline. You need to use "\." to be sure it only matches a period.
>         $Content = "include('$Content');";
Depending on PHP configuration this can produce an error message if the file is not present. (Such error messages can include the full path to the files on your server, which some consider dangerous information which crackers might be able to use to aid an exploit of your system through other means. You should set PHP not to display error messages if this bothers you; you can still log them.)
It also might produce very undesirable results given a request for something like "index.php" or "redirect.php" which is in the current directory or include path but is not supposed to be (re-)executed in the middle of the wiki.
You might want to prepend a (set by you) path to where the acceptable files are kept, and do a file_exists() check before running the include().
>         eval($Content);
This eval() seems unnecessary; the statements can be executed directly.
-- brion vibber (brion @ pobox.com)
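
The checks suggested in this reply (an escaped period, a fixed directory prepended to the name, an existence check before the include, and no eval()), as an added example that is not code from the thread or from MediaWiki. The function name `resolveIncludePath`, the directory and the sample names are hypothetical, and `preg_match()` stands in for `ereg()`, which was removed in PHP 7.

```php
<?php
// Added example: function name, directory layout and sample names are hypothetical.

// Return the full path of an allowed include file, or null if the
// requested name must be rejected.
function resolveIncludePath(string $name, string $baseDir): ?string
{
    // Lowercase letters and digits, a literal period (escaped), then "php".
    // \A and \z anchor the whole string; "$" alone would accept a trailing newline.
    if (preg_match('/\A[a-z0-9]+\.php\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Prepend the administrator-chosen directory instead of relying on the
    // current directory or include_path, so "index.php" cannot resolve to the wiki's own.
    $path = $base . DIRECTORY_SEPARATOR . $name;
    // Check before including so a missing file produces no PHP warning with a full path.
    if (!is_file($path)) {
        return null;
    }
    // A symlink inside the directory must not lead outside it.
    $real = realpath($path);
    if ($real === false || dirname($real) !== $base) {
        return null;
    }
    return $real;
}

// Constructed sample: a throwaway directory holding one permitted snippet.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wiki_includes_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'hello.php', '<?php echo "hello from snippet\n";');

foreach (['hello.php', 'helloxphp', 'index.php', '../hello.php', "hello.php\n"] as $name) {
    $path = resolveIncludePath($name, $dir);
    echo json_encode($name), ' => ', $path === null ? 'rejected' : 'accepted', "\n";
    if ($path !== null) {
        include $path;   // direct include, no eval()
    }
}
unlink($dir . DIRECTORY_SEPARATOR . 'hello.php');
rmdir($dir);
```

Only `hello.php` is accepted; `helloxphp` would have matched the quoted pattern with its unescaped period, and `index.php` is rejected here because it does not exist in the permitted directory.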