[Mediawiki-l] Extension manager

Gary Kirk gary.kirk at gmail.com
Sat Jun 9 19:22:55 UTC 2007


Someone earlier mentioned introducing $wgDisableExtensionManager for
people who want or need to disable it.

On 09/06/07, Michael B Allen <mba2000 at ioplex.com> wrote:
> On Sat, 9 Jun 2007 10:11:31 -0700
> Jan Steinman <Jan at Bytesmiths.com> wrote:
>
> > > From: Dantman <dan_the_man at telus.net>
> > >
> > > Adding and removing things from LocalSettings.php might be
> > > troublesome.
> >
> > How about a single line in LocalSettings.php that includes a "don't
> > touch me" file that is maintained only via the ExtensionManager?
> >
> > Part of the manual installation would be to include this one line, as
> > well as remove any existing extension inclusions.
>
> I haven't read this whole thread so pardon if I'm restating something
> that's been discussed already but being someone who has extensions for
> several LAMP apps that allow you to administer extensions, there's one
> fundamental problem that always get's in the way:
>
> To be able to upload a package file, the web server needs write access
> to the extensions directory. This is fatally flawed because anyone who
> can run a web script can now overwrite your auth plugin with their own
> hacked version of it.
>
> So whatever you do, just make sure you can always do it the old-fashioned
> way - putting the file to the extensions dir and adding two lines to
> LocalSettings.php.
>
> Mike
>
> --
> Michael B Allen
> PHP Active Directory Kerberos SSO
> http://www.ioplex.com/
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l at lists.wikimedia.org
> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>


-- 
Gary Kirk



More information about the MediaWiki-l mailing list