[Mediawiki-l] PHP code inclusion through include files - a tentative solution

Wed Nov 10 19:57:55 UTC 2004

Should I assume then that only trusted users (eg, sysops) can upload files?

The main security issue, I think, is not what is included, but what is
in the file. To me, this seems obvious. (Think about how much info can
be gleamed from the INI settings, or the $GLOBALS array).

You are certainly on the right track with this, I think.

If you want to anylize where it is pointing, I find explode() pretty
helpful (though you will probably have to replace "\\" with "/").
Don't forget that PHP will look in all the include directories, not
just the current one.

On Wed, 10 Nov 2004 00:25:03 -0700, Taneem A T <thezeropoint at gmail.com> wrote:
> Hello all,
> 
> Thanks for the comments. I have modified the previous hack to do what
> we've discussed earlier today:
> 
> If you include the following snippet in setup.php:
> 
> function IncludePHP($Content)
> {
> global $wgOut;
> $wgOut->enableClientCache(false);
> ob_start();
> 
> //match for only text and numbers, followed by a period followed by 'php'
> if(ereg("^([a-z]|[0-9])*.php$",$Content)==true){
> $Content = "include('$Content');";
> }
> else{
> $Content = "echo \" <strong>invalid include file specified <strong>\";";
> }
> eval($Content);
> $Result = ob_get_contents();
> ob_end_clean();
> return($Result);
> }
> 
> $wgParser->setHook('includephp','IncludePHP');
> 
> (to make it work, you put the php code in "filename.php", upload it to
> your wiki directory then use the syntax
> <includephp>filename.php</includephp>
> 
> In my wiki, this works beautifully - only *.php files in my wiki
> directory are executed. Everything else is rejected. It's a simple
> matter of tweaking the regex to allow subfolders too.
> 
> Comments about the effectiveness of this are appreciated ... =)
> 
> Taneem Talukdar
> 

-- 
-------------------------------------------------------------------
http://endeavour.zapto.org/astro73/
Thank you to JosephM for inviting me to Gmail!