Hello all,
I am trying to figure out a way to include a PHP script within either my template (under navigation) or in a wiki page.
2 things I am trying to accomplish.
1. Parse an RSS feed from another site to display it on mine.
2. Put the latest Forum posts from my boards on the wiki main page.
Can these be accomplished? I've been pulling my hair out for 3 hours now and haven't come up with a solution.
Thanks,
Shane
2 things I am trying to accomplish.
Parse an RSS feed from another site to display it on mine.
Put the latest Forum posts from my boards on the wiki main page.
I basically wanted to do the exact same thing and I posted the same question a few days ago ... the answer I was given is that for security reasons you can't include PHP in any editable page, whether you are sysop or not (someone please tell me I am wrong?? ;) )
That being said, I thought of two other options:
1. Using a flash movie to pull the php data and display it.
2. Tinker with the php in the page generation files directly.
I haven't had time yet to fully explore either option, but that's all I can help you with for now!
Taneem Talukdar http://www.dheo.com/
On Mon, 25 Oct 2004 08:27:44 -0600, Taneem A T thezeropoint@gmail.com wrote:
2 things I am trying to accomplish.
Parse an RSS feed from another site to display it on mine.
Put the latest Forum posts from my boards on the wiki main page.
I basically wanted to do the exact same thing and I posted the same question a few days ago ... the answer I was given is that for security reasons you can't include PHP in any editable page, whether you are sysop or not (someone please tell me I am wrong?? ;) )
That being said, I thought of two other options:
- Using a flash movie to pull the php data and display it.
- Tinker with the php in the page generation files directly.
I haven't had time yet to fully explore either option, but that's all I can help you with for now!
Taneem Talukdar http://www.dheo.com/
Well I have figured out how to enable full html code. This allows me to add javascript. However I do not know enough about javascript to make it include a php file. I have gotten it to open a new window with my code but have yet to get it in the wiki page itself.
I think if I could somehow use javascript to include the php file I could solve my problem. However I do not know if this is possible with javascript.
Shane
On Mon, 25 Oct 2004 07:44:33 -0700, shane freese shane.freese@gmail.com wrote:
On Mon, 25 Oct 2004 08:27:44 -0600, Taneem A T thezeropoint@gmail.com wrote:
2 things I am trying to accomplish.
- Parse an RSS feed from another site to display it on mine.
- Put the latest Forum posts from my boards on the wiki main page.
I basically wanted to do the exact same thing and I posted the same question a few days ago ... the answer I was given is that for security reasons you can't include PHP in any editable page, whether you are sysop or not (someone please tell me I am wrong?? ;) )
Well, you have the source, it's up to you - but it *would* be pretty risky.
Somebody described how they'd done exactly this a few weeks ago: see http://mail.wikipedia.org/pipermail/wikitech-l/2004-October/025771.html and its follow-ups; but they then had problems with the pages being cached, as discussed in the threads starting with http://mail.wikipedia.org/pipermail/wikitech-l/2004-October/025786.html and http://mail.wikipedia.org/pipermail/wikitech-l/2004-October/025787.html
Well I have figured out how to enable full html code. This allows me to add javascript. However I do not know enough about javascript to make it include a php file. I have gotten it to open a new window with my code but have yet to get it in the wiki page itself.
This is, of course, just as dodgy as allowing arbitrary php code: there are all sorts of evil things someone could do with uncontrolled javascript, such as accessing cookie data and sending it somewhere else (since the JavaScript would be on your site, this could probably allow them to steal information necessary to log into your site as the person viewing the article). But if you make sure you really really trust everyone who can edit, this isn't a problem (it's not a wiki either, but there you go).
I think if I could somehow use javascript to include the php file I could solve my problem. However I do not know if this is possible with javascript.
It's certainly possible: people use "javascript feeds" all the time; I think the basic trick is to grab the data from a special URL, and then use document.write() to add it to the current page.
However, better than allowing arbitrary anything is just to build the PHP script you want to execute into the code. You could probably create a <feed>url:path/to/feed</feed> "extension" (see above referenced threads), perhaps limiting it to relative paths (so nothing can be included from somewhere other than your server). Or you could be less flexible, and just have a magic word, checked for in Parser.php::internalParse(), that runs a function of your own design; hacky, but very simple to program.
Of course, you will then end up in the same caching conundrum as Arvalux in the threads I already referenced: how to make sure the pages in question are forced to remain uncached. Some kind of hack with timestamps whereby the cache never thinks it has the latest version seems to be the best anyone's come up with for this; or, if you want to be less hacky, a cur_nocache flag in the database that's set and unset in Parser.php::preSaveTransform() [he says, quoting bits of code from memory that he's never really looked at carefully]
Good luck...
One thing I might try is to insert it into the skins, as opposed to the wikitext itself, if possible. Or try the above ideas to get it in the code. (Locking a template containing a link to some script and using that with some php outputting javascript would probably be the easiest).
On Sun, 24 Oct 2004 21:09:29 -0700, shane freese shane.freese@gmail.com wrote:
Hello all,
I am trying to figure out a way to include a PHP script within either my template (under navigation) or in a wiki page.
2 things I am trying to accomplish.
Parse an RSS feed from another site to display it on mine.
Put the latest Forum posts from my boards on the wiki main page.
Can these be accomplished? I've been pulling my hair out for 3 hours now and haven't come up with a solution.
Thanks,
Shane
_______________________________________________
MediaWiki-l mailing list MediaWiki-l@Wikimedia.org http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
I simply used what was linked to by Rowan. I added this function to the bottom of Setup.php. It works just as I needed.
function ParsePHPTag($Content) {
    global $wgOut;
    $wgOut->enableClientCache(false);
    ob_start();
    eval($Content);
    $Result = ob_get_contents();
    ob_end_clean();
    return($Result);
}
$wgParser->setHook('php', 'ParsePHPTag');
I then just use the newly created <php></php> tags to include my php script. This does pose a security risk so I wouldn't use it on an open wiki, however my site isn't a wiki per se, I just like the flexibility of MediaWiki.
Shane
On Tue, 26 Oct 2004 15:33:48 -0400, Jamie Bliss astronouth7303@gmail.com wrote:
One thing I might try is to insert it into the skins, as opposed to the wikitext itself, if possible. Or try the above ideas to get it in the code. (Locking a template containing a link to some script and using that with some php outputting javascript would probably be the easiest).
--
http://endeavour.zapto.org/astro73/ Thank you to JosephM for inviting me to Gmail!
Hello all,
This discussion took place a while ago, and we all agreed that while the given code hack allows for easy PHP code inclusion in a wiki it's hugely unsafe.
So I was thinking, could we modify the hack so that you couldn't put in PHP directly into the Wiki but you could include an external PHP file whose code would be executed?
That way, if you restricted include files to only originate from the same directory or a subdirectory below the wiki only you as the admin would be able to create any PHP code. Others on the wiki could still include and execute the code, but you would be the only one to be able to create or modify it. So it's safer.
Does this make sense?
Thanks, Taneem A. Talukdar
On Tue, 26 Oct 2004 13:52:04 -0700, shane freese shane.freese@gmail.com wrote:
I simply used what was linked to by Rowan. I added this function to the bottom of Setup.php. It works just as I needed.
function ParsePHPTag($Content) {
    global $wgOut;
    $wgOut->enableClientCache(false);
    ob_start();
    eval($Content);
    $Result = ob_get_contents();
    ob_end_clean();
    return($Result);
}
$wgParser->setHook('php', 'ParsePHPTag');
I then just use the newly created <php></php> tags to include my php script. This does pose a security risk so I wouldn't use it on an open wiki, however my site isn't a wiki per se, I just like the flexibility of MediaWiki.
Shane
On Nov 9, 2004, at 7:21 AM, Taneem A T wrote:
This discussion took place a while ago, and we all agreed that while the given code hack allows for easy PHP code inclusion in a wiki it's hugely unsafe.
So I was thinking, could we modify the hack so that you couldn't put in PHP directly into the Wiki but you could include an external PHP file whose code would be executed?
If you do, be careful about validating the file name; in some configurations (eg, by default) PHP will let you include and run code from an arbitrary URL.
-- brion vibber (brion @ pobox.com)
On Tue, 9 Nov 2004 08:21:25 -0700, Taneem A T thezeropoint@gmail.com wrote:
So I was thinking, could we modify the hack so that you couldn't put in PHP directly into the Wiki but you could include an external PHP file whose code would be executed?
Perhaps this would be a good reason to implement the ability to include [some?] Special: pages as templates, as requested at http://bugzilla.wikipedia.org/show_bug.cgi?id=813
That way, the PHP code could only be written by someone with access to the wiki's source directory, and there would be no need to validate filenames, as none would ever be directly given (they would be produced by Title.php, presumably).
I don't know how easy this would be to implement cleanly, though, given the mixed wiki-text/raw html output of current Special pages. Maybe SpecialPage.php could have an "executeAsTemplate()" method, which returned wikitext to be included if the page was requested as an inclusion. That way, it could return "" by default, and potentially format things differently than accessing the page normally; and a site administrator could create Special: pages to do custom bits of php, even giving them parameters (either using the sub-page style, like [[Special:Whatlinkshere/foo]], or by having template parameters passed to executeAsTemplate() - in an associative array or somesuch). Hm, I think I'll shove this suggestion on the bug report...
Hello all,
Thanks for the comments. I have modified the previous hack to do what we've discussed earlier today:
If you include the following snippet in setup.php:
function IncludePHP($Content) {
    global $wgOut;
    $wgOut->enableClientCache(false);
    ob_start();
    // match for only text and numbers, followed by a period followed by 'php'
    if (ereg("^([a-z]|[0-9])*.php$", $Content) == true) {
        $Content = "include('$Content');";
    } else {
        $Content = "echo \"<strong>invalid include file specified</strong>\";";
    }
    eval($Content);
    $Result = ob_get_contents();
    ob_end_clean();
    return($Result);
}
$wgParser->setHook('includephp', 'IncludePHP');
(to make it work, you put the php code in "filename.php", upload it to your wiki directory then use the syntax <includephp>filename.php</includephp>)
In my wiki, this works beautifully - only *.php files in my wiki directory are executed. Everything else is rejected. It's a simple matter of tweaking the regex to allow subfolders too.
Comments about the effectiveness of this are appreciated ... =)
Taneem Talukdar
On Tue, 9 Nov 2004 23:07:33 +0000, Rowan Collins rowan.collins@gmail.com wrote:
On Tue, 9 Nov 2004 08:21:25 -0700, Taneem A T thezeropoint@gmail.com wrote:
So I was thinking, could we modify the hack so that you couldn't put in PHP directly into the Wiki but you could include an external PHP file whose code would be executed?
Perhaps this would be a good reason to implement the ability to include [some?] Special: pages as templates, as requested at http://bugzilla.wikipedia.org/show_bug.cgi?id=813
That way, the PHP code could only be written by someone with access to the wiki's source directory, and there would be no need to validate filenames, as none would ever be directly given (they would be produced by Title.php, presumably).
I don't know how easy this would be to implement cleanly, though, given the mixed wiki-text/raw html output of current Special pages. Maybe SpecialPage.php could have an "executeAsTemplate()" method, which returned wikitext to be included if the page was requested as an inclusion. That way, it could return "" by default, and potentially format things differently than accessing the page normally; and a site administrator could create Special: pages to do custom bits of php, even giving them parameters (either using the sub-page style, like [[Special:Whatlinkshere/foo]], or by having template parameters passed to executeAsTemplate() - in an associative array or somesuch). Hm, I think I'll shove this suggestion on the bug report...
-- Rowan Collins BSc [IMSoP]
On Nov 9, 2004, at 11:25 PM, Taneem A T wrote:
If you include the following snippet in setup.php:
You generally shouldn't modify Setup.php; extensions should be loaded in LocalSettings.php.
function IncludePHP($Content) {
    global $wgOut;
    $wgOut->enableClientCache(false);
    ob_start();
    // match for only text and numbers, followed by a period followed by 'php'
    if (ereg("^([a-z]|[0-9])*.php$", $Content) == true) {
Don't forget that "." is a special symbol in regular expressions, which matches any character except a newline. You need to use "\." to be sure it only matches a period.
$Content = "include('$Content');";
Depending on PHP configuration this can produce an error message if the file is not present. (Such error messages can include the full path to the files on your server, which some consider dangerous information which crackers might be able to use to aid an exploit of your system through other means. You should set PHP not to display error messages if this bothers you; you can still log them.)
It also might produce very undesirable results given a request for something like "index.php" or "redirect.php" which is in the current directory or include path but is not supposed to be (re-)executed in the middle of the wiki.
You might want to prepend a (set by you) path to where the acceptable files are kept, and do a file_exists() check before running the include().
eval($Content);
This eval() seems unnecessary; the statements can be executed directly.
-- brion vibber (brion @ pobox.com)
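The hardened form of the <includephp> hook that Brion's review points to (a fixed directory prepended to the name, an escaped dot in the pattern, an existence check before the include, no eval()), combined with Rowan's earlier suggestion of restricting such an extension to files on your own server, written out as an added example. This is my own code, not anything posted in the thread or shipped with MediaWiki; the directory name wiki-includes, the function names includephp_resolve and includephp_hook, and the use of preg_match in place of ereg are my assumptions. Because only a bare filename is ever accepted and realpath() must resolve inside the fixed directory, URLs are rejected whatever allow_url_include is set to, and the wiki's own index.php cannot be re-entered.

```php
<?php
// Added example (not code from the thread or from MediaWiki): a hardened
// <includephp> tag hook. Directory and function names are assumptions.

// Fixed, admin-controlled directory holding the includable scripts.
// Anything outside it (the wiki's own index.php or redirect.php, a URL
// enabled by allow_url_include, a "../" escape) is rejected.
define('INCLUDEPHP_DIR', __DIR__ . '/wiki-includes');

/**
 * Map a tag body to an absolute path inside $baseDir, or return null when
 * the name is not acceptable. Pure function, so it runs without MediaWiki.
 */
function includephp_resolve($name, $baseDir = INCLUDEPHP_DIR) {
    $name = trim($name);
    // Letters, digits, dashes and underscores, then a literal ".php".
    // The dot is escaped: unescaped, "." would also accept "reportAphp".
    // No "/" or "." in the name part, so "../x.php" never gets past here.
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;            // directory missing: nothing is includable
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() is false for a missing file (Brion's file_exists() point)
    // and collapses symlinks, so a link pointing outside the directory
    // fails the prefix check below.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Parser tag hook for <includephp>report.php</includephp>. The file is run
 * with include directly (no eval) and its output captured and returned.
 */
function includephp_hook($content, $args = array(), $parser = null) {
    global $wgOut;
    $path = includephp_resolve($content);
    if ($path === null) {
        // htmlspecialchars so a rejected name cannot inject markup
        return '<strong>invalid include file specified: '
             . htmlspecialchars($content) . '</strong>';
    }
    $wgOut->enableClientCache(false);   // same as the thread's hook
    ob_start();
    include $path;
    return ob_get_clean();
}

// Register the hook only when loaded inside MediaWiki (from
// LocalSettings.php, as Brion recommends, rather than Setup.php).
if (isset($wgParser)) {
    $wgParser->setHook('includephp', 'includephp_hook');
}

// Stand-alone check of the resolver: `php includephp.php`. Uses a
// constructed temp directory with one constructed script in it.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $tmp = sys_get_temp_dir() . '/includephp-demo';
    @mkdir($tmp);
    file_put_contents("$tmp/report.php", "<?php echo 'ok';");
    $names = array('report.php', 'missing.php', '../index.php',
                   'http://example.com/x.php', 'reportAphp');
    foreach ($names as $n) {
        printf("%-28s => %s\n", $n,
               includephp_resolve($n, $tmp) === null ? 'rejected' : 'allowed');
    }
}
```

Only report.php is allowed in that check; the other four names are rejected by the pattern or by realpath() before any include runs. Keeping the resolver separate from the hook is what makes that check possible without a wiki, and it is the piece worth unit-testing whenever the pattern is loosened (for example to allow a subfolder, as Taneem mentions).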
$Content = "include('$Content');";
Depending on PHP configuration this can produce an error message if the file is not present. (Such error messages can include the full path to the files on your server, which some consider dangerous information..."
I thought of this and tested it - the server I'm on has debug messages turned off - all I get is a blank. However for my own purposes I could test if include() returns a true or false value (provided the included file returns nothing) and give a custom error message?
It also might produce very undesirable results given a request for something like "index.php" or "redirect.php" which is in the current directory or include path but is not supposed to be (re-)executed in the middle of the wiki.
Yes I should have remembered this - a simple solution I can think of is to specify a subfolder dedicated just to my own php files.
Apart from that, thanks for all the points - as you can probably tell, I'm just learning all this stuff, so your comments are really appreciated =)
Regards, Taneem Talukdar
Should I assume then that only trusted users (eg, sysops) can upload files?
The main security issue, I think, is not what is included, but what is in the file. To me, this seems obvious. (Think about how much info can be gleaned from the INI settings, or the $GLOBALS array).
You are certainly on the right track with this, I think.
If you want to analyze where it is pointing, I find explode() pretty helpful (though you will probably have to replace "\" with "/"). Don't forget that PHP will look in all the include directories, not just the current one.
On Wed, 10 Nov 2004 00:25:03 -0700, Taneem A T thezeropoint@gmail.com wrote:
Hello all,
Thanks for the comments. I have modified the previous hack to do what we've discussed earlier today:
If you include the following snippet in setup.php:
function IncludePHP($Content) {
    global $wgOut;
    $wgOut->enableClientCache(false);
    ob_start();
    // match for only text and numbers, followed by a period followed by 'php'
    if (ereg("^([a-z]|[0-9])*.php$", $Content) == true) {
        $Content = "include('$Content');";
    } else {
        $Content = "echo \"<strong>invalid include file specified</strong>\";";
    }
    eval($Content);
    $Result = ob_get_contents();
    ob_end_clean();
    return($Result);
}
$wgParser->setHook('includephp', 'IncludePHP');
(to make it work, you put the php code in "filename.php", upload it to your wiki directory then use the syntax <includephp>filename.php</includephp>)
In my wiki, this works beautifully - only *.php files in my wiki directory are executed. Everything else is rejected. It's a simple matter of tweaking the regex to allow subfolders too.
Comments about the effectiveness of this are appreciated ... =)
Taneem Talukdar
Should I assume then that only trusted users (eg, sysops) can upload files?
The main security issue, I think, is not what is included, but what is in the file. To me, this seems obvious. (Think about how much info can be gleaned from the INI settings, or the $GLOBALS array).
This is true - the wiki file upload settings are set to the defaults - can't upload anything except pictures and such. Only people with access to the server through ftp can actually upload any php files. So it's just the admins.
If you want to analyze where it is pointing, I find explode() pretty helpful (though you will probably have to replace "\" with "/"). Don't forget that PHP will look in all the include directories, not just the current one.
Thank you, I will look into using this =)
Taneem Talukdar