Should I assume then that only trusted users (e.g., sysops) can upload files?
The main security issue, I think, is not what is included, but what is
in the file. To me, this seems obvious. (Think about how much info can
be gleaned from the INI settings, or the $GLOBALS array.)
You are certainly on the right track with this, I think.
If you want to analyze where it is pointing, I find explode() pretty
helpful (though you will probably have to replace "\\" with "/").
Don't forget that PHP will look in all the include directories, not
just the current one.
On Wed, 10 Nov 2004 00:25:03 -0700, Taneem A T <thezeropoint(a)gmail.com> wrote:
Hello all,
Thanks for the comments. I have modified the previous hack to do what
we've discussed earlier today:
If you include the following snippet in setup.php:
function IncludePHP($Content)
{
    global $wgOut;
    $wgOut->enableClientCache(false);
    ob_start();
    // match only lowercase letters and digits, followed by a literal period and 'php'
    // (ereg() no longer exists in current PHP; the period is escaped so it does not
    // match any character as it did in the original pattern)
    if (preg_match('/^[a-z0-9]*\.php$/', $Content)) {
        // same effect as the original eval("include('...');") without the eval
        include($Content);
    } else {
        echo "<strong>invalid include file specified</strong>";
    }
    $Result = ob_get_contents();
    ob_end_clean();
    return $Result;
}
$wgParser->setHook('includephp', 'IncludePHP');
(To make it work, you put the PHP code in "filename.php", upload it to
your wiki directory, then use the syntax
<includephp>filename.php</includephp>)
In my wiki, this works beautifully - only *.php files in my wiki
directory are executed. Everything else is rejected. It's a simple
matter of tweaking the regex to allow subfolders too.
Comments about the effectiveness of this are appreciated ... =)
Taneem Talukdar
--
-------------------------------------------------------------------
http://endeavour.zapto.org/astro73/
Thank you to JosephM for inviting me to Gmail!
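One way to tighten the file selection in Taneem's hook while taking up the reply's points about backslashes and PHP searching every include directory, written as an added example rather than code from the thread (INCLUDE_ROOT, resolveIncludePath() and includePhpHook() are assumed names for this illustration):

```php
<?php
// Added example, not from the thread: accept an include name only if it is a
// .php file that resolves to a location below one fixed directory.
// INCLUDE_ROOT is an assumed path for this example.
const INCLUDE_ROOT = '/var/www/wiki/includes';

/**
 * Return the absolute path of $name if it is a .php file inside INCLUDE_ROOT,
 * or null if it must be rejected. Subfolders are allowed, traversal is not.
 */
function resolveIncludePath(string $name): ?string
{
    // Normalise Windows separators, as the reply suggests, before any checks.
    $name = str_replace('\\', '/', $name);

    // Character allowlist: path segments of [a-z0-9_], optional subfolders,
    // and a literal ".php" suffix (the dot is escaped, unlike the original regex).
    if (!preg_match('#^(?:[a-z0-9_]+/)*[a-z0-9_]+\.php$#', $name)) {
        return null;
    }

    // Anchor to the allowed root so include_path is never consulted.
    $root = realpath(INCLUDE_ROOT);
    $full = realpath(INCLUDE_ROOT . '/' . $name);
    if ($root === false || $full === false) {
        return null; // root missing or file does not exist
    }
    // realpath() resolves symlinks and "..", so a prefix test is meaningful.
    if (strpos($full, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved to somewhere outside the allowed directory
    }
    return $full;
}

// Hardened hook body: include only what resolveIncludePath() accepts.
// Register with: $wgParser->setHook('includephp', 'includePhpHook');
function includePhpHook(string $input, array $args, $parser): string
{
    $path = resolveIncludePath(trim($input));
    if ($path === null) {
        return '<strong>invalid include file specified</strong>';
    }
    ob_start();
    include $path;
    return ob_get_clean();
}
```

This only controls which file is executed; as the reply points out, the exposure that remains is whatever the included file itself does, so who may upload files is still the deciding question.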