[Mediawiki-l] PHP code inclusion through include files - a tentative solution

[Brion Vibber]

On Nov 9, 2004, at 11:25 PM, Taneem A T wrote:
> If you include the following snippet in setup.php:

You generally shouldn't modify Setup.php; extensions should be loaded 
in LocalSettings.php.

> function IncludePHP($Content)
> {
> global $wgOut;
> $wgOut->enableClientCache(false);
> ob_start();
>
> //match for only text and numbers, followed by a period followed by 
> 'php'
> if(ereg("^([a-z]|[0-9])*.php$",$Content)==true){

Don't forget that "." is a special symbol in regular expressions, which 
matches any character except a newline. You need to use "\." to be sure 
it only matches a period.

> $Content = "include('$Content');";

Depending on PHP configuration this can produce an error message if the 
file is not present. (Such error messages can include the full path to 
the files on your server, which some consider dangerous information 
which crackers might be able to use to aid an exploit of your system 
through other means. You should set PHP not to display error messages 
if this bothers you; you can still log them.)

It also might produce very undesirable results given a request for 
something like "index.php" or "redirect.php" which is in the current 
directory or include path but is not supposed to be (re-)executed in 
the middle of the wiki.

You might want to prepend a (set by you) path to where the acceptable 
files are kept, and do a file_exists() check before running the 
include().

> eval($Content);

This eval() seems unnecessary; the statements can be executed directly.

-- brion vibber (brion @ pobox.com)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://lists.wikimedia.org/pipermail/mediawiki-l/attachments/20041109/00499023/attachment.pgp