On 11/22/07, Simetrical Simetrical+wikilist@gmail.com wrote:
Note that using any variable without explicitly initializing it is dangerous in PHP. If an installation has register_globals enabled, and has not initialized the variable elsewhere, an attacker can insert any desired value into the variable by just editing the URL. The better approach is to initialize the variable in EditOwn.php, and require users to override it in LocalSettings.php after the require_once line.
Oh, I see I wasn't the only one who noticed. Of course, changing the extension will break any existing installs that set the option before the include line.
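The load order discussed in both messages above, replayed as an added PHP example (not code from the thread or from the EditOwn extension). The setting name `wgExampleOption` is hypothetical, and `register_globals` is emulated by seeding a variable table from a constructed request array, since the directive was removed in PHP 5.4.

```php
<?php
// Added illustration, not EditOwn's code. 'wgExampleOption' is a hypothetical
// setting name. register_globals is emulated: the constructed request array
// is copied into the table that stands in for the global scope.

/**
 * Replays one page load and returns the option value the extension ends up using.
 *
 * @param array $request   constructed query-string parameters
 * @param bool  $extInits  whether the extension file assigns a default
 * @param mixed $setBefore value LocalSettings.php sets before require_once (null = unset)
 * @param mixed $setAfter  value LocalSettings.php sets after require_once (null = unset)
 */
function effectiveOption(array $request, bool $extInits, $setBefore, $setAfter) {
    // register_globals: every URL parameter becomes a global variable.
    $globals = $request;

    if ($setBefore !== null) {
        // LocalSettings.php, above the require_once line.
        $globals['wgExampleOption'] = $setBefore;
    }
    if ($extInits) {
        // Extension file: explicit default, overwrites anything set earlier.
        $globals['wgExampleOption'] = [];
    }
    if ($setAfter !== null) {
        // LocalSettings.php, below the require_once line.
        $globals['wgExampleOption'] = $setAfter;
    }
    return $globals['wgExampleOption'] ?? null;
}

$request = ['wgExampleOption' => 'from-url']; // constructed sample input

$cases = [
    'no init, admin never set it'       => effectiveOption($request, false, null, null),
    'no init, admin set before include' => effectiveOption($request, false, ['admin'], null),
    'init, admin set after include'     => effectiveOption($request, true, null, ['admin']),
    'init, admin set before include'    => effectiveOption($request, true, ['admin'], null),
];

foreach ($cases as $label => $value) {
    echo str_pad($label, 36), ' => ', json_encode($value), PHP_EOL;
}
```

The first case is the exposure described in the quoted message: the request value is the only assignment. The last case is the breakage noted in the reply: the extension's default replaces a value set before the include line.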