I just had a scare...
My LocalSettings.php file *displayed in the browser* at top of any wiki page view! (Actually I only saw it at top of Main_page and top of Search results page before I panicked and reverted the edit in LocalSettings.php that had caused this.)
What happened
In LocalSettings.php I had edited my $wgSpamRegex from this:
$wgSpamRegex = "/<.*style.*?(display|position|overflow|visibility|height)\s*:.*?>/i";
to this which caused this line and all below it in LocalSettings.php to show in browser!:
$wgSpamRegex = "/(Tramadol|<.*style.*?(display|position|overflow|visibility|height)\s*:.*?>)/i";
Both entries were single lines of course; line breaks here for email.
Did I screw up the Regex while adding "(Tramadol|" and ")" to it?
Why did the new $wgSpamRegex line and everything below it in LocalSettings.php show up at top of *wiki page views in browser (Konqueror) window*?
Luckily my MySQL pw and username are *above* that in LocalSettings.php so they did not get out.
I'm running the wiki, http://Wikigogy.org, with default MediaWiki and no extensions on a commercial web host and viewed it from home in Konqueror browser.
* MediaWiki: 1.9.2
* PHP: 5.2.1 (cgi)
* MySQL: 4.1.21-standard-log
I keep LocalSettings.php mode 600 and owned by myself.
How did half of it get out?
Hello Roger,
What you did is you escaped from running the PHP command to having it be HTML. This will happen any time you have ?> not escaped in PHP. It is not a flaw for most PHP use, but it can be if you escape out of it before showing a password or something similar. To get around this, move the ?> away from each other.
I hope that this helps, Kasimir
On 3/7/07, Roger Chrisman roger@rogerchrisman.com wrote:
Kasimir, thanks for the tip.
That fixed it ("? >" instead of "?>").
Also, I found it only matters when the line *is commented out*, e.g. this DOES cause a problem (A):
#$wgSpamRegex = "/<.*style.*?(display|position|overflow|visibility|height)\s*:.*?>/i";
but uncommented it causes NO problem (B):
$wgSpamRegex = "/<.*style.*?(display|position|overflow|visibility|height)\s*:.*?>/i";
and *commented out* but with "? >" instead of "?>" it causes NO problem (C):
#$wgSpamRegex = "/<.*style.*?(display|position|overflow|visibility|height)\s*:.*? >/i";
It is odd to me that a commented out line should do anything at all. I guess I don't well understand the commenting out rules. It appears that a simple # at the start of a line is not sufficient to hide everything on that line. Is this a PHP comment issue?
For curious folks, I have put up a TEST SITE showing the problem caused by the commented out line (A) above in LocalSettings.php, in a MediaWiki 1.9.3 test site, here:
(I'll leave that up, broken like that, for a day or two. Note that using B or C above fixes the problem. This is just to show the problem. Also, most of the LocalSettings.php you can see there is stuff I have commented out at the moment, thus all those #.)
Try that link to see half of my LocalSettings.php file showing up at the top of every page on that test wiki. It is weird and alarming to me that LocalSettings.php can show in a browser like that just because of a single "#... ?>" instead of a "#... ? >".
Perhaps this is an important security matter to highlight for a green novice like myself.
Thanks Kasimir for your spot on tip.
Roger
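The behaviour Roger measured (A leaks, B and C do not) follows from one PHP lexer rule: `?>` is literal inside a quoted string or a /* */ block, but it terminates PHP mode both in code and inside a `#` or `//` one-line comment, because a one-line comment ends at `?>` as well as at a newline. The following scanner is an added example, not code from this thread or from MediaWiki; it models just those rules (heredoc/nowdoc bodies are not handled) and reports the first `?>` that would drop a config file out of PHP mode together with the text that would be served to the browser. The three LocalSettings.php fragments are constructed to mirror cases A, B and C above.

```python
def _leak(src, pos, line):
    # PHP swallows one newline right after `?>`; the rest is served verbatim.
    if src.startswith("\r\n", pos):
        pos += 2
    elif src.startswith("\n", pos):
        pos += 1
    return (line, src[pos:])

def find_php_mode_exit(src):
    """Return (line, leaked_text) for the first `?>` that ends PHP mode, or None.
    `?>` is literal in strings and /* */ blocks but ends code and #/// comments."""
    start = src.find("<?php")
    if start == -1:
        return (1, src)  # no open tag at all: the whole file is output
    i, state = start + 5, "code"
    line = src.count("\n", 0, i) + 1
    while i < len(src):
        c, two = src[i], src[i:i + 2]
        if c == "\n":
            line += 1
            if state == "line_comment":
                state = "code"
        elif state == "code":
            if c in "'\"":
                state = c  # remember which quote closes the string
            elif c == "#" or two == "//":
                state = "line_comment"
            elif two == "/*":
                state = "block_comment"
                i += 1
            elif two == "?>":
                return _leak(src, i + 2, line)
        elif state == "line_comment" and two == "?>":
            return _leak(src, i + 2, line)  # the thread's case (A)
        elif state == "block_comment" and two == "*/":
            state = "code"
            i += 1
        elif state in "'\"":
            if c == "\\":
                i += 1  # skip the escaped character
            elif c == state:
                state = "code"
        i += 1
    return None

# Constructed LocalSettings.php fragments mirroring the thread's cases A, B and C.
CASE_A = '<?php\n$wgSitename = "Test";\n#$wgSpamRegex = "/<.*style.*?>/i";\n$wgDBpassword = "secret";\n'
CASE_B = CASE_A.replace("\n#$wgSpamRegex", "\n$wgSpamRegex")  # uncommented: safe
CASE_C = CASE_A.replace(".*?>/i", ".*? >/i")                  # "? >": safe
```

Running `find_php_mode_exit` on the contents of a real LocalSettings.php returns None when the file stays in PHP mode; otherwise the returned text is exactly what a visitor would see at the top of every page, which is a cheap pre-deploy check for config files.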
Roger Chrisman wrote:
Luckily my MySQL pw and username are *above* that in LocalSettings.php so they did not get out.
You can take the passwords and user IDs out of LocalSettings and move them to another file in another directory. In LocalSettings.php, put something like:
require_once( "externalIncludes/mySQLDetails.php" );
$wgDBserver = $db_host;
$wgDBname = $db_name;
$wgDBuser = $db_user;
$wgDBpassword = $db_password;
Then in the directory externalIncludes put a file mySQLDetails.php with content:
<?php
$db_host = "hostname";
$db_name = "dbname";
$db_user = "username";
$db_password = "password";
?>
Of course, the actual values are what you are using for your configuration.
You can ensure that that directory is not accessible directly so no one can view the file.
Mike