Kasimir, thanks for the tip.
That fixed it ("? >" instead of "?>").
Also, I found it only matters when the line *is commented out*, eg this
DOES causes problem (A):
#$wgSpamRegex = "/\<.*style.*?(display|position|overflow|visibility|
height)\s*:.*?>/i";
but uncommented it causes NO problem (B):
$wgSpamRegex = "/\<.*style.*?(display|position|overflow|visibility|
height)\s*:.*?>/i";
and *commented out* but "? >" instead of "?>" cause NO problem
(C):
#$wgSpamRegex = "/\<.*style.*?(display|position|overflow|visibility|
height)\s*:.*? >/i";
It is odd to me that a commented out line should do anything at all. I
guess I don't well understand the commenting out rules. It appears that
a simple # at the start of a line is not sufficient to hide everything
on that line. Is this a PHP comment issue?
For curious folks, I have put up a TEST SITE showing the problem caused
by the commented out line (A) above in LocalSettings.php, in a
MediaWiki 1.9.3 test site, here:
http://opengogy.org
(I'll leave that up, broken like that, for a day or two. Note that using
B or C above fixes the problem. This is just to show the problem. Also,
most of the LocalSettings.php you can see there is stuff I have
commented out at the moment, thus all those #.)
Try that link to see half of my LocalSettings.php file showing up at the
top of every page on that test wiki. It is weird and alarming to me
that LocalSettings.php can show in a browser like that just because of
a single "#... ?>" instead of a "#... ? >".
Perhaps this is an important security matter to highlight for green
novice like myself.
Thanks Kasimir for your spot on tip.
Roger
Kasimir Gabert wrote:
Hello Roger,
What you did is you escaped from running the PHP command to having it
be HTML. This will happen any time you have ?> not escaped in PHP.
It is not a flaw for most PHP use, but it can be if you escape out of
it before showing a password or something similar. To get around
this, move the ?> away from each other.
I hope that this helps,
Kasimir
On 3/7/07, Roger Chrisman <roger(a)rogerchrisman.com> wrote:
> I just had a scare...
>
> My LocalSettings.php file *displayed in the browser* at top of any
> wiki page view! (Actually I only saw it at top of Main_page and top
> of Search results page before I panicked and reverted the edit in
> LocalSettings.php that had caused this.)
>
> What happened
> ---------------------
>
> In LocalSettings.php I had edited my $wgSpamRegex from this:
>
> $wgSpamRegex = "/\<.*style.*?(display|position|overflow|visibility|
> height)\s*:.*?>/i";
>
> to this which caused this line and all below it in
> LocalSettings.php to show in browser!:
>
> $wgSpamRegex = "/(Tramadol|\<.*style.*?(display|position|overflow|
> visibility|height)\s*:.*?>)/i";
>
>
> Both entries were single lines of course; line breaks here for
> email.
>
> Did I screwed up the Regex while adding "(Tramadol|" and ")" to
it?
>
> Why did the new $wgSpamRegex line and everything below it in
> LocalSettings.php show up at top of *wiki page views in browser
> (Konqueror) window*?
>
> Luckily my MySQL pw and username are *above* that in
> LocalSettings.php so they did not get out.
>
> I'm running the wiki,
http://Wikigogy.org, with default MediaWiki
> and no extensions on a commercial web host and viewed it from home
> in Konqueror browser.
>
> * MediaWiki: 1.9.2
> * PHP: 5.2.1 (cgi)
> * MySQL: 4.1.21-standard-log
>
> I keep LocalSettings.php mode 600 and owned my myself.
>
> How did half of it get out?
>
> --
> Roger Chrisman :-)
http://Wikigogy.org - free
> resources for teachers of English as a second or foreign language
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l(a)lists.wikimedia.org
>
http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
--
Roger Chrisman :-)
http://Wikigogy.org - free resources
for teachers of English as a second or foreign language