Should I assume then that only trusted users (eg, sysops) can upload files?
The main security issue, I think, is not what is included, but what is in the file. To me, this seems obvious. (Think about how much info can be gleaned from the INI settings, or the $GLOBALS array.)
You are certainly on the right track with this, I think.
If you want to analyze where it is pointing, I find explode() pretty helpful (though you will probably have to replace "\" with "/"). Don't forget that PHP will look in all the include directories, not just the current one.
On Wed, 10 Nov 2004 00:25:03 -0700, Taneem A T thezeropoint@gmail.com wrote:
Hello all,
Thanks for the comments. I have modified the previous hack to do what we've discussed earlier today:
If you include the following snippet in setup.php:
function IncludePHP($Content) {
    global $wgOut;
    $wgOut->enableClientCache(false);
    ob_start();
    // match only letters and digits, followed by a literal period and 'php'
    // (the period is escaped so it cannot match an arbitrary character;
    // preg_match replaces the now-removed ereg())
    if (preg_match('/^[a-z0-9]*\.php$/', $Content)) {
        // the name has passed the allowlist, so include it directly
        include($Content);
    } else {
        echo '<strong>invalid include file specified</strong>';
    }
    $Result = ob_get_contents();
    ob_end_clean();
    return $Result;
}

$wgParser->setHook('includephp', 'IncludePHP');
(to make it work, you put the php code in "filename.php", upload it to your wiki directory, then use the syntax <includephp>filename.php</includephp>)
In my wiki, this works beautifully - only *.php files in my wiki directory are executed. Everything else is rejected. It's a simple matter of tweaking the regex to allow subfolders too.
Comments about the effectiveness of this are appreciated ... =)
Taneem Talukdar
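Added example, not code from either message above: Taneem's hook relies on a file-name regex alone, and the reply points out that PHP consults every include directory, not just the current one. The function below keeps the same syntactic allowlist but then pins the file to one fixed directory with realpath() and rejects anything that resolves elsewhere (a missing file, a path with a directory component, or a symlink pointing outside). The directory name, the file names and the demo cases are constructed for illustration.

```php
<?php
// resolveWikiInclude: accept a name like "filename.php" only if it is a real
// file directly inside $includeDir. Returns the canonical path, or null to reject.
function resolveWikiInclude(string $requested, string $includeDir): ?string
{
    // 1. Syntactic allowlist, as in the posted hook: letters/digits + literal ".php".
    if (!preg_match('/^[a-z0-9]+\.php$/', $requested)) {
        return null;
    }

    // 2. Canonicalise both sides. realpath() follows symlinks and collapses
    //    "..", so the comparison is on where the file actually lives.
    $base   = realpath($includeDir);
    $target = realpath($includeDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $target === false) {
        return null; // include directory or file does not exist
    }

    // 3. The resolved file must be under $base (prefix check includes the
    //    separator so "/wiki" does not accept "/wiki2/x.php").
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the include directory (e.g. via a symlink)
    }
    return $target;
}

// --- demonstration in a temporary directory, so it runs offline -------------
$dir     = sys_get_temp_dir() . '/includephp_demo_' . getmypid();
$outside = sys_get_temp_dir() . '/includephp_outside_' . getmypid() . '.php';
mkdir($dir);
file_put_contents("$dir/hello.php", "<?php echo 'hello from include';");
file_put_contents($outside, "<?php echo 'should never be reachable';");
// A symlink inside the directory that points outside it (constructed case).
$haveLink = @symlink($outside, "$dir/link.php");

$cases = ['hello.php', 'missing.php', '../setup.php', 'hello.php.txt', 'a/php'];
if ($haveLink) {
    $cases[] = 'link.php';
}
foreach ($cases as $c) {
    $r = resolveWikiInclude($c, $dir);
    printf("%-14s => %s\n", $c, $r === null ? 'rejected' : 'ok: ' . basename($r));
}
// Expected: only "hello.php" is accepted; every other case prints "rejected".

// clean up
if ($haveLink) {
    unlink("$dir/link.php");
}
unlink("$dir/hello.php");
unlink($outside);
rmdir($dir);
```

In the hook itself the accepted path would be passed to include() in place of the raw tag content; the second and third steps are what turn "looks like a .php name" into "is a .php file in this one directory", which is the property the message claims.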