On 11/22/07, Simetrical <Simetrical+wikilist(a)gmail.com> wrote:
> Note that using any variable without explicitly initializing it is
> dangerous in PHP. If an installation has register_globals enabled,
> and has not initialized the variable elsewhere, an attacker can insert
> any desired value into the variable by just editing the URL. The
> better approach is to initialize the variable in EditOwn.php, and
> require users to override it in LocalSettings.php after the
> require_once line.

Oh, I see I wasn't the only one who noticed. Of course, changing the
extension will break any existing installs that set the option before
the include line.
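
The initialization order discussed in this message, shown as an added example that is not part of the original post and is not EditOwn's code. The setting name $wgExampleOption and the query string are constructed for illustration, and register_globals (removed in PHP 5.4) is simulated by a helper function.

```php
<?php
// Added example; not EditOwn's code. $wgExampleOption is a hypothetical setting name.
// register_globals was removed in PHP 5.4, so its effect is simulated here:
// every request parameter becomes a global before any script code runs.
function simulateRegisterGlobals(string $queryString): void {
    parse_str($queryString, $params);
    foreach ($params as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Models one request: LocalSettings.php with the extension include in the middle.
function effectiveSetting(string $queryString, bool $extensionInitializes,
                          ?array $setBeforeInclude, ?array $setAfterInclude): array {
    unset($GLOBALS['wgExampleOption']);
    simulateRegisterGlobals($queryString);
    if ($setBeforeInclude !== null) {          // admin line above require_once
        $GLOBALS['wgExampleOption'] = $setBeforeInclude;
    }
    if ($extensionInitializes) {               // body of the extension file
        $GLOBALS['wgExampleOption'] = [];
    }
    if ($setAfterInclude !== null) {           // admin line below require_once
        $GLOBALS['wgExampleOption'] = $setAfterInclude;
    }
    return (array)($GLOBALS['wgExampleOption'] ?? []);
}

$request = 'wgExampleOption[]=0';   // constructed query string
$cases = [
    'no default, option unset'       => [false, null, null],
    'no default, set before include' => [false, [4], null],
    'default, option unset'          => [true, null, null],
    'default, set after include'     => [true, null, [4]],
    'default, set before include'    => [true, [4], null],
];
foreach ($cases as $label => [$init, $before, $after]) {
    $value = effectiveSetting($request, $init, $before, $after);
    printf("%-32s => %s\n", $label, json_encode($value));
}
```

Only the first case lets the value from the request reach the setting. The last case is the compatibility break mentioned above: a value set before the include is overwritten by the extension's default.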