[Mediawiki-l] PHP code inclusion through include files - a tentative solution
Brion Vibber
brion at pobox.com
Wed Nov 10 07:52:25 UTC 2004
On Nov 9, 2004, at 11:25 PM, Taneem A T wrote:
> If you include the following snippet in setup.php:
You generally shouldn't modify Setup.php; extensions should be loaded
in LocalSettings.php.
> function IncludePHP($Content)
> {
> global $wgOut;
> $wgOut->enableClientCache(false);
> ob_start();
>
> //match for only text and numbers, followed by a period followed by 'php'
> if(ereg("^([a-z]|[0-9])*.php$",$Content)==true){
Don't forget that "." is a special symbol in regular expressions, which
matches any character except a newline. You need to use "\." to be sure
it only matches a period.
> $Content = "include('$Content');";
Depending on PHP configuration this can produce an error message if the
file is not present. (Such error messages can include the full path to
the files on your server, which some consider dangerous information
which crackers might be able to use to aid an exploit of your system
through other means. You should set PHP not to display error messages
if this bothers you; you can still log them.)
It also might produce very undesirable results given a request for
something like "index.php" or "redirect.php" which is in the current
directory or include path but is not supposed to be (re-)executed in
the middle of the wiki.
You might want to prepend a (set by you) path to where the acceptable
files are kept, and do a file_exists() check before running the
include().
> eval($Content);
This eval() seems unnecessary; the statements can be executed directly.
-- brion vibber (brion @ pobox.com)
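
The points raised in the reply above, combined into one sketch. This is an added example, not code from the original message or from MediaWiki. The directory `wiki-includes`, the function names `resolveInclude` and `includePhp`, and the use of `preg_match()` in place of `ereg()` are assumptions.

```php
<?php
// Added example: names and paths below are hypothetical, not MediaWiki's.
ini_set('display_errors', '0');   // do not show paths to the client...
ini_set('log_errors', '1');       // ...but keep errors in the server log

// Directory set by the administrator; only files here may be included.
define('ALLOWED_DIR', __DIR__ . '/wiki-includes');

// Return the full path for an acceptable name, or null if it is rejected.
function resolveInclude(string $name): ?string
{
    // Letters/digits, a literal period ("\."), then "php". "+" rejects a
    // bare ".php"; \z, unlike $, does not accept a trailing newline.
    if (preg_match('/\A[a-z0-9]+\.php\z/', $name) !== 1) {
        return null;
    }
    $path = ALLOWED_DIR . '/' . $name;
    // is_file() stands in for the file_exists() check and also rejects
    // directories; the include path is never searched.
    return is_file($path) ? $path : null;
}

// Run the file and return its output; empty string when the name is rejected.
function includePhp(string $name): string
{
    $path = resolveInclude($name);
    if ($path === null) {
        return '';
    }
    ob_start();
    include $path;            // executed directly, no eval()
    return ob_get_clean();
}

// Constructed sample data: one acceptable file and a few test names.
if (!is_dir(ALLOWED_DIR)) {
    mkdir(ALLOWED_DIR);
}
file_put_contents(ALLOWED_DIR . '/hello.php', '<?php echo "hello";');

$names = ['hello.php', 'helloxphp', 'index.php', '../index.php', "hello.php\n"];
foreach ($names as $name) {
    $shown = json_encode($name, JSON_UNESCAPED_SLASHES);
    printf("%-16s => %s\n", $shown, var_export(includePhp($name), true));
}
```

Of the sample names, only `hello.php` produces output. `helloxphp` would have passed the quoted pattern because of the unescaped ".", and `index.php` is rejected here because no such file exists in the fixed directory.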