Andrew Garrett wrote:
On Wed, Apr 23, 2008 at 9:40 PM, Mark Clements gmane@kennel17.co.uk wrote:
From an extension writer's point of view, the current situation is to put in a relative require_once() line to commandLine.inc and hope that the file is in the expected place.
global $IP; require_once( "$IP/maintenance/commandLine.inc" );
What am I missing?
Besides not working, that would be an arbitrary remote code execution vulnerability:
http://example.com/w/extensions/TheExtension/updateExtension.php?IP=http://e...
A better way to do it is:
require( dirname(__FILE__).'/../../maintenance/commandLine.inc' );
If that path doesn't exist, the sysadmin can create it. Scripts that rely on the working directory being $IP or whatever are really annoying.
-- Tim Starling
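
The include pattern recommended in the reply above, written out as an added example that is not part of the original thread or of MediaWiki's own code. The file name `updateExtension.php` is taken from the URL quoted in the message; the command-line check and the existence check are assumptions added here for illustration.

```php
<?php
// Hypothetical file: extensions/TheExtension/updateExtension.php
//
// Pattern questioned in the thread, kept here only as a comment:
//   global $IP; require_once( "$IP/maintenance/commandLine.inc" );
// At file scope $IP is not yet set by MediaWiki, and with register_globals
// enabled a request parameter named IP becomes the global $IP, so the
// include path would be chosen by whoever sends the request.

// 1. A maintenance script has no reason to answer web requests.
//    (Added assumption: refuse anything that is not the CLI SAPI.)
if ( PHP_SAPI !== 'cli' ) {
    header( 'HTTP/1.1 403 Forbidden' );
    exit( "This script must be run from the command line\n" );
}

// 2. Build the path from this file's own location. __FILE__ is a
//    compile-time constant, so no request variable, environment variable
//    or working directory can influence it.
$commandLineInc = dirname( __FILE__ ) . '/../../maintenance/commandLine.inc';

// 3. Fail with a clear message when the layout differs, so the sysadmin
//    knows which path to create instead of getting a bare include error.
if ( !is_file( $commandLineInc ) ) {
    fwrite( STDERR, "Cannot find $commandLineInc\n" .
        "Create that path (for example as a symlink) and run again.\n" );
    exit( 1 );
}

require( $commandLineInc );

// From here on the extension's maintenance work can use the MediaWiki
// environment that commandLine.inc sets up.
```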