[MediaWiki-l] Any security problems involved in letting administrators edit LocalSettings.php via a wiki page?

John phoenixoverride at gmail.com
Sat Jul 1 22:18:55 UTC 2017


Yes, making LocalSettings.php world readable/editable is a huge security
issue.

On Sat, Jul 1, 2017 at 6:16 PM, Jean Valjean <jeanvaljean2718 at gmail.com>
wrote:

> I want to let some of my administrators (in the wizards group) edit
> LocalSettings.php, so I used this snippet, which allows them to make
> changes by editing the Project:Shared_config.php page. Then I protected the
> page so that only wizards can edit it. Do you think this presents any
> security issues?
>
> (I was also going to have it save the old version to a bak file, but I had
> to comment that code out because I was getting a call to a function on a
> non-object error, for some reason)
>
> function editLocalSettingsOnPageContentSaveComplete( $article, $user, $content,
>         $summary, $isMinor, $isWatch, $section, $flags,
>         $revision, $status, $baseRevId ) {
>         if ( $article->getTitle()->getFullText() !== 'Project:Shared config.php' ) {
>                 return true;
>         }
> #        $oldRevision = Revision::newFromId( $baseRevId );
> #        $oldRevisionContent = $oldRevision->getContent( Revision::RAW );
> #        $oldRevisionContents = ContentHandler::getContentText( $oldRevisionContent );
> #        $oldRevisionContents = str_replace( '<source lang="php"' . ">\n", '', $oldRevisionContents );
> #        $oldRevisionContents = str_replace( '</source' . '>', '', $oldRevisionContents );
> #        file_put_contents( '/home/wiki/shared_config.bak', $oldRevisionContents );
>         $contents = ContentHandler::getContentText( $content );
>         $contents = str_replace( '<source lang="php"' . ">\n", '', $contents );
>         $contents = str_replace( '</source' . '>', '', $contents );
>         file_put_contents( '/home/wiki/shared_config.php', $contents );
>         return true;
> }
> $wgHooks['PageContentSaveComplete'][] =
>         'editLocalSettingsOnPageContentSaveComplete';
>
> # add an additional protection level restricting edit/move/etc. to users with the "wizards" permission
> $wgRestrictionLevels[] = 'wizards';
> # give the "wizards" permission to users in the "wizard" group
> $wgGroupPermissions['developer']['wizards'] = true;
>
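
The hook quoted above copies page text into a .php file, so whoever can edit the page can run PHP on the server. A hardened variant, as an added example that is not part of the original thread: the page holds a JSON object, and only allowlisted, type-checked settings are written and loaded. The allowlist, the page title Project:Shared config.json and the .json paths are assumptions.

```php
<?php
// Added example, not code from the thread. The allowlist is an assumption: list
// only settings that cannot lead to code execution or permission changes.
function sharedConfigAllowlist() {
    return [ 'wgSitename' => 'is_string', 'wgEnableUploads' => 'is_bool', 'wgRCMaxAge' => 'is_int' ];
}
// Decode the page text as JSON and keep only allowlisted, correctly typed keys.
// Returns [ settings, errors ]. Page text is treated as data, never as PHP.
function parseSharedConfig( $text ) {
    $data = json_decode( $text, true );
    if ( !is_array( $data ) ) {
        return [ [], [ 'page is not a JSON object' ] ];
    }
    $settings = $errors = [];
    $allowed = sharedConfigAllowlist();
    foreach ( $data as $key => $value ) {
        if ( !isset( $allowed[$key] ) ) {
            $errors[] = "setting not allowed: $key";
        } elseif ( !call_user_func( $allowed[$key], $value ) ) {
            $errors[] = "wrong type for $key";
        } else {
            $settings[$key] = $value;
        }
    }
    return [ $settings, $errors ];
}
// Hook: on any validation error keep the previous file; otherwise back it up
// and replace it atomically. Page title and paths are hypothetical.
function saveSharedConfigOnPageContentSaveComplete( $article, $user, $content ) {
    if ( $article->getTitle()->getFullText() !== 'Project:Shared config.json' ) {
        return true;
    }
    list( $settings, $errors ) = parseSharedConfig( ContentHandler::getContentText( $content ) );
    if ( $errors ) {
        wfDebugLog( 'sharedconfig', implode( '; ', $errors ) );
        return true;
    }
    $target = '/home/wiki/shared_config.json';
    @copy( $target, "$target.bak" ); // no previous file on the first save
    file_put_contents( "$target.tmp", json_encode( $settings ), LOCK_EX );
    rename( "$target.tmp", $target );
    return true;
}
$wgHooks['PageContentSaveComplete'][] = 'saveSharedConfigOnPageContentSaveComplete';
// LocalSettings.php side: re-validate on load and set only allowlisted globals.
$raw = @file_get_contents( '/home/wiki/shared_config.json' );
list( $shared ) = parseSharedConfig( $raw === false ? '' : $raw );
foreach ( $shared as $name => $value ) {
    $GLOBALS[$name] = $value;
}
```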

