[Mediawiki-l] PHP code inclusion through include files - a tentative solution
Jamie Bliss
astronouth7303 at gmail.com
Wed Nov 10 19:57:55 UTC 2004
Should I assume then that only trusted users (e.g., sysops) can upload files?
The main security issue, I think, is not what is included, but what is
in the file. To me, this seems obvious. (Think about how much info can
be gleaned from the INI settings, or the $GLOBALS array).
You are certainly on the right track with this, I think.
If you want to analyze where it is pointing, I find explode() pretty
helpful (though you will probably have to replace "\\" with "/").
Don't forget that PHP will look in all the include directories, not
just the current one.
On Wed, 10 Nov 2004 00:25:03 -0700, Taneem A T <thezeropoint at gmail.com> wrote:
> Hello all,
>
> Thanks for the comments. I have modified the previous hack to do what
> we've discussed earlier today:
>
> If you include the following snippet in setup.php:
>
> function IncludePHP($Content)
> {
>     global $wgOut;
>     $wgOut->enableClientCache(false);
>     ob_start();
>
>     // match only letters and digits, followed by a literal period and 'php'
>     // (the period has to be escaped; an unescaped '.' matches any character)
>     if(ereg('^([a-z]|[0-9])*\.php$',$Content)==true){
>         $Content = "include('$Content');";
>     }
>     else{
>         $Content = "echo \" <strong>invalid include file specified </strong>\";";
>     }
>     eval($Content);
>     $Result = ob_get_contents();
>     ob_end_clean();
>     return($Result);
> }
>
> $wgParser->setHook('includephp','IncludePHP');
>
> (to make it work, you put the php code in "filename.php", upload it to
> your wiki directory then use the syntax
> <includephp>filename.php</includephp>
>
> In my wiki, this works beautifully - only *.php files in my wiki
> directory are executed. Everything else is rejected. It's a simple
> matter of tweaking the regex to allow subfolders too.
>
> Comments about the effectiveness of this are appreciated ... =)
>
> Taneem Talukdar
>
--
-------------------------------------------------------------------
http://endeavour.zapto.org/astro73/
Thank you to JosephM for inviting me to Gmail!
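As an added illustration (not code from either poster), a stricter version of the IncludePHP check that addresses the two points raised above: it resolves the file with realpath() and confirms it lies inside one allowlisted directory, and it passes an absolute path to include so PHP's include_path search never comes into play. $wgIncludePhpDir and resolveIncludePhp are assumed names for this example.

```php
<?php
// Example hardening of the IncludePHP hook; $wgIncludePhpDir is an assumed
// setting naming the only directory from which wiki pages may include code.
$wgIncludePhpDir = __DIR__ . '/includes-allowed';

/**
 * Turn an <includephp> argument into an absolute path, or return null.
 * Accepts only "name.php" (escaped dot, no slashes), then canonicalises
 * with realpath() so symlinks and "../" cannot escape the allowed directory.
 */
function resolveIncludePhp($name, $baseDir)
{
    if (!preg_match('/^[a-z0-9_-]+\.php$/', $name)) {
        return null;                       // bad characters or wrong extension
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null;                       // directory or file does not exist
    }
    // Compare canonical paths: realpath() has already followed any symlink.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // resolved outside the allowed directory
    }
    return $path;
}

function IncludePHP($Content)
{
    global $wgOut, $wgIncludePhpDir;
    $wgOut->enableClientCache(false);
    $path = resolveIncludePhp(trim($Content), $wgIncludePhpDir);
    if ($path === null) {
        return '<strong>invalid include file specified</strong>';
    }
    ob_start();
    include $path;                         // absolute path: no include_path lookup, no eval()
    return ob_get_clean();
}

$wgParser->setHook('includephp', 'IncludePHP');
```

This only limits which file runs; as Jamie notes, whoever can write into that directory still executes code as the web server, so upload rights to it must be restricted to trusted users.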