Yes, making LocalSettings.php world readable/editable is a huge security issue.
On Sat, Jul 1, 2017 at 6:16 PM, Jean Valjean <[email protected]> wrote:
> I want to let some of my administrators (in the wizards group) edit
> LocalSettings.php, so I used this snippet, which allows them to make
> changes by editing the Project:Shared_config.php page. Then I protected the
> page so that only wizards can edit it. Do you think this presents any
> security issues?
>
> (I was also going to have it save the old version to a bak file, but I had
> to comment that code out because I was getting a call to a function on a
> non-object error, for some reason)
>
> function editLocalSettingsOnPageContentSaveComplete( $article, $user, $content,
>     $summary, $isMinor, $isWatch, $section, $flags, $revision, $status, $baseRevId ) {
>     if ( $article->getTitle()->getFullText() !== 'Project:Shared config.php' ) {
>         return true;
>     }
>     # $oldRevision = Revision::newFromId( $baseRevId );
>     # $oldRevisionContent = $oldRevision->getContent( Revision::RAW );
>     # $oldRevisionContents = ContentHandler::getContentText( $oldRevisionContent );
>     # $oldRevisioncontents = str_replace( '<source lang="php"' . ">\n", '', $oldRevisionContents );
>     # $oldRevisioncontents = str_replace( '</source' . '>', '', $oldRevisionContents );
>     # file_put_contents ( '/home/wiki/shared_config.bak', $oldRevisionContents );
>     $contents = ContentHandler::getContentText( $content );
>     $contents = str_replace( '<source lang="php"' . ">\n", '', $contents );
>     $contents = str_replace( '</source' . '>', '', $contents );
>     file_put_contents ( '/home/wiki/shared_config.php', $contents );
>     return true;
> }
> $wgHooks['PageContentSaveComplete'][] = 'editLocalSettingsOnPageContentSaveComplete';
>
> # add an additional protection level restricting edit/move/etc. to users with the "wizards" permission
> $wgRestrictionLevels[] = 'wizards';
> # give the "wizards" permission to users in the "wizard" group
> $wgGroupPermissions['developer']['wizards'] = true;
> _______________________________________________
> MediaWiki-l mailing list
> To unsubscribe, go to:
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
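A safer way to reach the same goal, as an added example that is not code from the thread or from MediaWiki: rather than writing the page's raw PHP to a file the web server later includes (which turns "can edit one wiki page" into "can run arbitrary PHP as the web server"), accept only an allowlist of scalar settings, validate each one, and hand LocalSettings.php a JSON file it reads as data. The function name `parseSharedConfig`, the `ALLOWED_SETTINGS` table and the `shared_config.json` path are assumptions; the settings listed are real MediaWiki variables.

```php
<?php
// Added example (not from the thread). Turns the saved wiki page text into a
// validated settings map instead of executable PHP. Assumed names throughout.

// Only these variables may be set from the wiki, each with an expected type.
const ALLOWED_SETTINGS = [
    'wgSitename'      => 'string',
    'wgLanguageCode'  => 'string',
    'wgMaxUploadSize' => 'int',
    'wgEnableUploads' => 'bool',
];

/**
 * Parse lines of the form  $wgName = <literal>;  and return [name => value].
 * Anything that is not an allowlisted scalar assignment is rejected, so the
 * page can never inject code, include files, or set unexpected variables.
 */
function parseSharedConfig( string $pageText ): array {
    // Strip the <source lang="php">...</source> wrapper, as the original hook does.
    $body = preg_replace( '#</?source[^>]*>#', '', $pageText );
    $settings = [];
    foreach ( preg_split( '/\R/', $body ) as $line ) {
        $line = trim( $line );
        if ( $line === '' || $line[0] === '#' || strncmp( $line, '//', 2 ) === 0 ) {
            continue; // blank line or comment
        }
        // $wgName = <literal>;   literal = quoted string (no escapes), integer or bool
        if ( !preg_match( '/^\$(\w+)\s*=\s*(\'[^\'\\\\]*\'|"[^"\\\\]*"|-?\d+|true|false)\s*;$/', $line, $m ) ) {
            throw new InvalidArgumentException( "Rejected line: $line" );
        }
        [ , $name, $literal ] = $m;
        if ( !isset( ALLOWED_SETTINGS[$name] ) ) {
            throw new InvalidArgumentException( "Setting not allowed: \$$name" );
        }
        $value = match ( ALLOWED_SETTINGS[$name] ) {
            'string' => ( $literal[0] === "'" || $literal[0] === '"' ) ? substr( $literal, 1, -1 ) : null,
            'int'    => ctype_digit( ltrim( $literal, '-' ) ) ? (int) $literal : null,
            'bool'   => $literal === 'true' ? true : ( $literal === 'false' ? false : null ),
        };
        if ( $value === null ) {
            throw new InvalidArgumentException( "Wrong type for \$$name: $literal" );
        }
        $settings[$name] = $value;
    }
    return $settings;
}

// In the save hook, write JSON (never PHP) to a file only the web server user can write:
//   file_put_contents( '/home/wiki/shared_config.json', json_encode( parseSharedConfig( $contents ) ) );
// In LocalSettings.php (which stays read-only for the web server), apply it without include():
//   foreach ( json_decode( file_get_contents( '/home/wiki/shared_config.json' ), true ) ?: [] as $k => $v ) { $GLOBALS[$k] = $v; }
```

With this split, LocalSettings.php and shared_config.php never need to be writable by the web server at all; the only file it writes is data that is re-validated on every save.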
