[Mediawiki-l] PHP code inclusion

Brion Vibber brion at pobox.com
Tue Nov 9 21:16:13 UTC 2004


On Nov 9, 2004, at 7:21 AM, Taneem A T wrote:
> This discussion took place a while ago, and we all agreed that while
> the given code hack allows for easy PHP code inclusion in a wiki it's
> hugely unsafe.
>
> So I was thinking, could we modify the hack so that you couldn't put
> in PHP directly into the Wiki but you could include an external PHP
> file whose code would be executed?

If you do, be careful about validating the file name; in some
configurations (e.g., by default) PHP will let you include and run code
from an arbitrary URL.

-- brion vibber (brion @ pobox.com)
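
An added example, not part of the original message and not MediaWiki code: one way to validate a user-supplied include name so that only files inside a single fixed directory can be run. The function name `resolve_includable` and the demo directory are hypothetical.

```php
<?php
// Added example: hypothetical helper, not MediaWiki code.
// Maps a user-supplied name to a file inside one fixed directory, or null.
declare(strict_types=1);

function resolve_includable(string $name, string $baseDir): ?string
{
    // Accept only a bare name: letters, digits, underscore, hyphen.
    // This rejects "http://...", "php://...", "../", absolute paths,
    // NUL bytes, and any extension the caller tries to supply.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() follows symlinks, so a link that points out of $base
    // is caught by the prefix check below.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: one permitted file in a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wiki_includes_demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . DIRECTORY_SEPARATOR . 'hello.php',
    '<?php return "hello from include";');

// Constructed inputs: one valid name, then traversal, URL, absolute path, missing file.
$inputs = ['hello', '../hello', 'http://example.org/x', '/etc/passwd', 'missing'];
foreach ($inputs as $input) {
    $path = resolve_includable($input, $dir);
    $out = ($path === null) ? 'rejected' : (include $path);
    printf("%-24s => %s\n", $input, $out);
}
```

Independently of this check, keeping `allow_url_include` (PHP 5.2 and later) disabled in `php.ini` stops `include` from fetching URLs at all.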