Hi,
for an open source project I'm involved in we want to use the Wikimedia software for our webpage and for documentation of our software. Yesterday I received an email from a group member who volunteered to install Wikimedia software that Wikimedia needs to have
register_globals=on
which seems to be a security risk according to http://lists.evolt.org/archive/Week-of-Mon-20021209/130049.html.
Are there any plans to replace this code or can anyone who is more familiar with the code explain to me how much work it would need to change the code such that register_globals can be switched off? I assume that using the software with "register_globals=off" does not work at all, is that correct or would it only mean that some of Wikimedia's features are disabled?
Thanks and best regards, Marco
On Mar 2, 2004, at 13:29, Marco Krohn wrote:
> Are there any plans to replace this code or can anyone who is more familiar with the code explain to me how much work it would need to change the code such that register_globals can be switched off?
It's planned to do so, but it's been a low priority and hasn't gotten done yet. Every bit of code that uses information provided from the URL, from a form, from the cookies, or from the session has to be checked and fixed; then it all has to be tested to make sure that subtle new bugs haven't been introduced.
It might be "easy" to make a workaround that would simply do what register_globals = On does, but this hasn't got done yet (and wouldn't really improve anything other than saving the trouble of changing the PHP settings).
> I assume that using the software with "register_globals=off" does not work at all, is that correct or would it only mean that some of Wikimedia's features are disabled?
At present it doesn't work at all with register_globals=off.
-- brion vibber (brion @ pobox.com)
wikitech-l@lists.wikimedia.org
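
An added illustration of the change discussed in this thread, not code from the thread or from the wiki software: the first function shows the pattern that makes register_globals=on risky, the second shows the same page logic rewritten to work with it off. The function names, the `$isAdmin` flag and the sample request are hypothetical, and `extract()` stands in for what register_globals=on does so that the example runs on current PHP.

```php
<?php
// Added illustration; all names and the sample request are hypothetical.

// With register_globals=on, every request parameter becomes a variable in
// the script's scope before the script body runs. extract() emulates that.
function page_with_register_globals(array $request, bool $passwordOk): string
{
    extract($request); // stand-in for register_globals=on

    // Bug pattern: $isAdmin is assigned only on the success path, so a
    // request parameter with the same name survives as its value.
    if ($passwordOk) {
        $isAdmin = true;
    }
    return !empty($isAdmin) ? 'admin page' : 'denied';
}

// Rewritten for register_globals=off: state is initialised explicitly and
// request input is read by name from the request array.
function page_without_register_globals(array $request, bool $passwordOk): string
{
    $isAdmin = false; // initialised before use, never taken from the request
    if ($passwordOk) {
        $isAdmin = true;
    }

    // Only the parameter the page expects is read, with a type check.
    $title = isset($request['title']) && is_string($request['title'])
        ? $request['title']
        : 'Main_Page';

    return $isAdmin ? "admin page for $title" : "denied for $title";
}

// Constructed sample request, equivalent to ?title=Sandbox&isAdmin=1
$request = ['title' => 'Sandbox', 'isAdmin' => '1'];

// Same request, same failed password check, different outcome.
echo page_with_register_globals($request, false), "\n";
echo page_without_register_globals($request, false), "\n";
```

Run with the PHP command-line interpreter; the two output lines differ only because the first function lets the request set `$isAdmin`.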