Should I assume then that only trusted users (eg, sysops) can upload files?
The main security issue, I think, is not what is included, but what is in the file. To me, this seems obvious. (Think about how much info can be gleaned from the INI settings, or the $GLOBALS array.)
This is true - the wiki file upload settings are set to the defaults - can't upload anything except pictures and such. Only people with access to the server through ftp can actually upload any php files. So it's just the admins.
If you want to analyze where it is pointing, I find explode() pretty helpful (though you will probably have to replace "\" with "/"). Don't forget that PHP will look in all the include directories, not just the current one.
Thank you, I will look into using this =)
Taneem Talukdar
On Wed, 10 Nov 2004 00:25:03 -0700, Taneem A T thezeropoint@gmail.com wrote:
Hello all,
Thanks for the comments. I have modified the previous hack to do what we've discussed earlier today:
If you include the following snippet in setup.php:
function IncludePHP($Content) {
    global $wgOut;
    $wgOut->enableClientCache(false);
    ob_start();
    // match only letters and digits, followed by a literal period and 'php'
    // (the period is escaped so it cannot match an arbitrary character;
    // preg_match replaces the since-removed ereg())
    if (preg_match('/^[a-z0-9]*\.php$/', $Content)) {
        $Content = "include('$Content');";
    } else {
        $Content = "echo '<strong>invalid include file specified</strong>';";
    }
    eval($Content);
    $Result = ob_get_contents();
    ob_end_clean();
    return($Result);
}

$wgParser->setHook('includephp', 'IncludePHP');
(To make it work, you put the PHP code in "filename.php", upload it to your wiki directory, then use the syntax <includephp>filename.php</includephp>.)
In my wiki, this works beautifully - only *.php files in my wiki directory are executed. Everything else is rejected. It's a simple matter of tweaking the regex to allow subfolders too.
Comments about the effectiveness of this are appreciated ... =)
Taneem Talukdar
--
http://endeavour.zapto.org/astro73/ Thank you to JosephM for inviting me to Gmail!
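The filename check in the snippet above keeps directory traversal out, but it does not address the point raised earlier in the thread: anyone who can edit a wiki page can make the server execute any matching .php file in the wiki directory (index.php, for example), and because include() also searches include_path, the file that actually runs may not even be the one in the wiki directory. The following is an added example, not code from the thread or from MediaWiki, of how the hook could be tightened: it keeps the page's hook signature and the $wgOut / $wgParser->setHook calls, and it assumes two hypothetical settings, $wgIncludePHPDir (a dedicated directory holding only the files meant to be includable) and $wgIncludePHPAllowed (an explicit list of those file names), both of which an administrator would define in the wiki configuration.

```php
<?php
// Added example, not part of the original thread. The two settings below are
// assumptions of this example, not MediaWiki settings; an admin would define
// them in the wiki configuration rather than inline like this.
$wgIncludePHPDir     = __DIR__ . '/includephp';             // hypothetical: dedicated directory
$wgIncludePHPAllowed = array( 'hello.php', 'stats.php' );   // hypothetical: explicit allowlist

function IncludePHPSafe( $Content ) {
    global $wgOut, $wgIncludePHPDir, $wgIncludePHPAllowed;
    $wgOut->enableClientCache( false );

    // 1. Drop any directory component so only a bare file name is ever considered.
    $name = basename( trim( $Content ) );

    // 2. Tight syntax check: letters, digits or underscore, then a literal ".php".
    if ( !preg_match( '/^[a-z0-9_]+\.php$/', $name ) ) {
        return '<strong>invalid include file specified</strong>';
    }

    // 3. Explicit allowlist: matching the pattern is not enough. The wiki's own
    //    scripts and configuration files are not includable from a page.
    if ( !in_array( $name, $wgIncludePHPAllowed, true ) ) {
        return '<strong>include file not permitted</strong>';
    }

    // 4. Resolve to an absolute path and confirm it really lies inside the
    //    dedicated directory (defeats symlinks and include_path lookups).
    $base = realpath( $wgIncludePHPDir );
    $path = realpath( $wgIncludePHPDir . '/' . $name );
    if ( $base === false || $path === false
        || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return '<strong>include file not found</strong>';
    }

    // 5. Capture the file's output. Including the resolved path directly avoids
    //    building PHP source as a string and handing it to eval().
    ob_start();
    include $path;
    return ob_get_clean();
}

$wgParser->setHook( 'includephp', 'IncludePHPSafe' );
```

The order of the checks matters: basename() and the pattern make the name safe to use, the allowlist decides whether it may run at all, and the realpath() comparison confirms the file that will execute is the one the administrator placed in the dedicated directory. Placing the allowlist in the configuration keeps the decision about which code runs with the people who have FTP access to the server, which is where the thread already locates that trust.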