[MediaWiki-l] Any security problems involved in letting administrators edit LocalSettings.php via a wiki page?

Jean Valjean jeanvaljean2718 at gmail.com
Sat Jul 1 22:22:14 UTC 2017


Well I did take my passwords out of webroot.
https://www.mediawiki.org/wiki/Manual:Securing_database_passwords#Keep_MySQL_Passwords_Out_Of_Webroot

On Sat, Jul 1, 2017 at 6:18 PM, John <phoenixoverride at gmail.com> wrote:

> Yes, making localsettings.php world readable/editable is a huge security
> issue.
>
> On Sat, Jul 1, 2017 at 6:16 PM, Jean Valjean <jeanvaljean2718 at gmail.com>
> wrote:
>
> > I want to let some of my administrators (in the wizards group) edit
> > LocalSettings.php, so I used this snippet, which allows them to make
> > changes by editing the Project:Shared_config.php page. Then I protected
> > the page so that only wizards can edit it. Do you think this presents any
> > security issues?
> >
> > (I was also going to have it save the old version to a bak file, but I
> > had to comment that code out because I was getting a call to a function
> > on a non-object error, for some reason)
> >
> > function editLocalSettingsOnPageContentSaveComplete( $article, $user, $content,
> >         $summary, $isMinor, $isWatch, $section, $flags,
> >         $revision, $status, $baseRevId ) {
> >         if ( $article->getTitle()->getFullText() !== 'Project:Shared config.php' ) {
> >                 return true;
> >         }
> > #        $oldRevision = Revision::newFromId( $baseRevId );
> > #        $oldRevisionContent = $oldRevision->getContent( Revision::RAW );
> > #        $oldRevisionContents = ContentHandler::getContentText( $oldRevisionContent );
> > #        $oldRevisionContents = str_replace( '<source lang="php"' . ">\n", '', $oldRevisionContents );
> > #        $oldRevisionContents = str_replace( '</source' . '>', '', $oldRevisionContents );
> > #        file_put_contents ( '/home/wiki/shared_config.bak', $oldRevisionContents );
> >         $contents = ContentHandler::getContentText( $content );
> >         $contents = str_replace( '<source lang="php"' . ">\n", '', $contents );
> >         $contents = str_replace( '</source' . '>', '', $contents );
> >         file_put_contents ( '/home/wiki/shared_config.php', $contents );
> >         return true;
> > }
> > $wgHooks['PageContentSaveComplete'][] =
> >         'editLocalSettingsOnPageContentSaveComplete';
> >
> > # add an additional protection level restricting edit/move/etc. to users with the "wizards" permission
> > $wgRestrictionLevels[] = 'wizards';
> > # give the "wizards" permission to users in the "wizard" group
> > $wgGroupPermissions['developer']['wizards'] = true;
> > _______________________________________________
> > MediaWiki-l mailing list
> > To unsubscribe, go to:
> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
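
Added example, not part of the thread or of MediaWiki: the hook quoted above writes the page text to a PHP file, so anyone who can save that page supplies PHP that runs on the server once the file is loaded (assuming LocalSettings.php includes /home/wiki/shared_config.php). A data-only alternative, in which the JSON page format, the function name and the allowlist entries are all assumptions, treats the page as settings to validate rather than code to execute:

```php
<?php
// Added example, not code from the thread. Hypothetical names throughout.
// Instead of writing wiki page text to a .php file that gets executed,
// treat the page as JSON data and accept only allowlisted settings.

// Allowlist: setting name => type validator. Entries are illustrative.
const SHARED_CONFIG_ALLOWLIST = [
    'wgSitename'      => 'is_string',
    'wgEnableUploads' => 'is_bool',
    'wgRCMaxAge'      => 'is_int',
];

/**
 * Parse page text as JSON and return only settings that are allowlisted
 * and of the expected type. Everything else is reported, never applied.
 *
 * @return array [ accepted (name => value), rejected (list of names) ]
 */
function parseSharedConfig( string $pageText ): array {
    $data = json_decode( $pageText, true );
    if ( !is_array( $data ) ) {
        return [ [], [ '(page is not a JSON object)' ] ];
    }
    $accepted = [];
    $rejected = [];
    foreach ( $data as $name => $value ) {
        $check = SHARED_CONFIG_ALLOWLIST[$name] ?? null;
        if ( $check !== null && $check( $value ) ) {
            $accepted[$name] = $value;
        } else {
            $rejected[] = (string)$name;
        }
    }
    return [ $accepted, $rejected ];
}

// Constructed sample page content: two valid settings, one wrong type,
// one attempt to set something outside the allowlist.
$page = '{"wgSitename":"Example Wiki","wgEnableUploads":true,'
      . '"wgRCMaxAge":"forever","wgGroupPermissions":{"*":{"edit":true}}}';

[ $accepted, $rejected ] = parseSharedConfig( $page );
foreach ( $accepted as $name => $value ) {
    $GLOBALS[$name] = $value;   // data is assigned, never evaluated as PHP
}
echo 'applied: ', implode( ', ', array_keys( $accepted ) ), "\n";
echo 'rejected: ', implode( ', ', $rejected ), "\n";
```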

