[MediaWiki-l] Any security problems involved in letting administrators edit LocalSettings.php via a wiki page?

Jean Valjean jeanvaljean2718 at gmail.com
Sat Jul 1 22:16:41 UTC 2017


I want to let some of my administrators (in the wizards group) edit
LocalSettings.php, so I used this snippet, which allows them to make
changes by editing the Project:Shared_config.php page. Then I protected the
page so that only wizards can edit it. Do you think this presents any
security issues?

(I was also going to have it save the old version to a bak file, but I had
to comment that code out because I was getting a call to a function on a
non-object error, for some reason)

function editLocalSettingsOnPageContentSaveComplete( $article, $user,
$content,
        $summary, $isMinor, $isWatch, $section, $flags,
        $revision, $status, $baseRevId ) {
        if (
                $article->getTitle()->getFullText() !== 'Project:Shared
config.php' ) {
                return true;
        }
#        $oldRevision = Revision::newFromId( $baseRevId );
#        $oldRevisionContent = $oldRevision->getContent( Revision::RAW );
#        $oldRevisionContents = ContentHandler::getContentText(
$oldRevisionContent );
#        $oldRevisioncontents = str_replace( '<source lang="php"' . ">\n",
'', $oldRevisionContents );
#        $oldRevisioncontents = str_replace( '</source' . '>', '',
$oldRevisionContents );
#        file_put_contents ( '/home/wiki/shared_config.bak',
$oldRevisionContents );
        $contents = ContentHandler::getContentText( $content );
        $contents = str_replace( '<source lang="php"' . ">\n", '',
$contents );
        $contents = str_replace( '</source' . '>', '', $contents );
        file_put_contents ( '/home/wiki/shared_config.php',
                        $contents );
        return true;
}
$wgHooks['PageContentSaveComplete'][] =
        'editLocalSettingsOnPageContentSaveComplete';

# add an additional protection level restricting edit/move/etc. to users
with the "wizards" permission
$wgRestrictionLevels[] = 'wizards';
# give the "wizards" permission to users in the "wizard" group
$wgGroupPermissions['developer']['wizards'] = true;


More information about the MediaWiki-l mailing list