If you are going to do this anyway, despite the warnings given, use some regex to strictly find all function & method invocations and only allow a very small whitelisted set. Err on the side of caution with the regex finding too many matches including false positives.
On Sun, 2 Jul 2017 07:57 Jean Valjean <[email protected]> wrote:

> Well it does have a certain coolness factor to do everything through the
> wiki. It's kind of like how Mark Zuckerberg wanted Facebookers to be able
> to do everything they needed to do on the web without leaving Facebook.
> Facebook would have email, messaging, games, video, search, and even
> Wikipedia articles!
>
> https://thenextweb.com/opinion/2015/03/25/facebook-has-officially-declared-it-wants-to-own-every-single-thing-you-do-on-the-internet
>
> But why should Zuck be the only one to have such grand, sweeping ambitions?
> Once MediaWiki becomes powerful enough, it can kill all other apps and rule
> the world!
> http://www.npr.org/sections/alltechconsidered/2016/04/13/474011009/facebooks-new-master-plan-kill-other-apps
> We can create MediaWiki extensions for artificial intelligence, virtual
> reality, drones, you name it. Why shouldn't there be artificially
> intelligent robotic aircraft that anyone can edit?
> https://www.fastcompany.com/3052885/mark-zuckerberg-facebook
>
> Facebook walls people off from each other through the proprietary nature of
> its technology and the cliquish tendencies of its circles of friends.
> MediaWiki brings everyone together through openness and its natural
> tendency to foster online collectivist utopias. Therefore the time is
> coming for a steel cage match between the two platforms, in which they
> battle for dominance, with room for only one survivor. Once technology
> advances to the point where the software becomes self-aware, this
> deathmatch can move from being a theoretical possibility to a practical
> reality.
>
> One might ask, "Why is it even necessary to revise LocalSettings.php so
> often?" Ideally, there would be a configuration database, so that it
> wouldn't be necessary to make so many changes to LocalSettings.php, but I
> think the reason that never caught on is that there just aren't enough
> MediaWiki installations out there for it to seem like a worthwhile idea.
> It's not like WordPress, which probably has millions of installations. Or
> hundreds of thousands, anyway. Thus, it seems like we're doomed to continue
> manually editing PHP files for the foreseeable future.
>
> Sucks that they got rid of php_check_syntax(). That seems superior to php
> -l. http://php.net/manual/en/function.php-check-syntax.php
>
> On Sat, Jul 1, 2017 at 7:32 PM, Brian Wolff <[email protected]> wrote:
>
> > Most people just use a git repo for version controlling their
> > LocalSettings.php
> >
> > If you really really want to do this onwiki approach, try verifying the
> > file with `php -l` before saving.
> >
> > --
> > brian
> >
> > On Saturday, July 1, 2017, Jean Valjean <[email protected]> wrote:
> > > Yeah, that's already happened a few times (typo taking the site down). What
> > > I did on another wiki farm was have one wiki in charge of the other wiki's
> > > config files, so that if you messed up LocalSettings.php, it wouldn't take
> > > down the wiki that was modifying it.
> > >
> > > My goal was to have some sort of version control system in place so that as
> > > different people are changing the files, we know who did what when, and can
> > > revert easily to a previous version.
> > >
> > > On Sat, Jul 1, 2017 at 7:04 PM, Brian Wolff <[email protected]> wrote:
> > >
> > > > Even ignoring the security issues, if one of your users makes a typo, they
> > > > take down the site and they cannot revert because the site is then down.
> > > >
> > > > From a security perspective, this is equivalent to giving your users shell
> > > > access to your server. They can run any arbitrary program, do anything,
> > > > insert backdoors, etc. Additionally this setup requires the web user to
> > > > have write access to php enabled web directories which is also bad
> > > > practice.
> > > >
> > > > --
> > > > bawolff
> > > >
> > > > On Saturday, July 1, 2017, Legoktm <[email protected]> wrote:
> > > > > On 07/01/2017 03:16 PM, Jean Valjean wrote:
> > > > > > I want to let some of my administrators (in the wizards group) edit
> > > > > > LocalSettings.php, so I used this snippet, which allows them to make
> > > > > > changes by editing the Project:Shared_config.php page. Then I protected the
> > > > > > page so that only wizards can edit it. Do you think this presents any
> > > > > > security issues?
> > > > >
> > > > > Yes, it presents a huge security issue. Anyone who can modify your
> > > > > LocalSettings.php can execute arbitrary PHP code. They could see any
> > > > > private data in your database, easily get passwords, or even potentially
> > > > > give themselves server access.
> > > > >
> > > > > I would highly recommend NOT doing this.
> > > > >
> > > > > -- Legoktm
> > > > >
> > > > > _______________________________________________
> > > > > MediaWiki-l mailing list
> > > > > To unsubscribe, go to:
> > > > > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
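The two gates proposed in this thread (run `php -l` on the candidate file before saving it, and allow-list the function and method invocations it contains) as one added PHP example; this is not code from the thread or from MediaWiki. It substitutes PHP's own tokenizer (`token_get_all`) for the regex suggested in the top reply, keeping the same policy of reporting too much rather than too little. The allow-list contents, the `validateConfig`/`lintPhp`/`disallowedCalls` names and the sample inputs are assumptions; it also assumes a `php` binary on the PATH that matches the version the web server runs.

```php
<?php
// Added example (not from the thread): gate a candidate LocalSettings.php text
// before it is written to disk. Gate 1 is a `php -l` syntax check, gate 2 an
// allow-list of callable names found by the tokenizer. Like the regex approach
// in the thread, it is tuned to over-report (false positives are acceptable).
declare(strict_types=1);

// Assumed, illustrative allow-list. Lowercase, because PHP function names are
// case-insensitive and an exact-case comparison would let `SYSTEM()` through.
const ALLOWED_CALLS = ['wfloadextension', 'wfloadskin', 'array_merge'];

/** Run `php -l` on $code. Returns null when it parses, otherwise the linter output. */
function lintPhp(string $code): ?string
{
    $tmp = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($tmp, $code);
    $out = [];
    $rc = 0;
    exec('php -l ' . escapeshellarg($tmp) . ' 2>&1', $out, $rc);
    unlink($tmp);
    return $rc === 0 ? null : implode("\n", $out);
}

/** Text of the next token after index $i that is neither whitespace nor a comment. */
function nextSignificant(array $tokens, int $i): ?string
{
    for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
        $t = $tokens[$j];
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return is_array($t) ? $t[1] : $t;
    }
    return null;
}

/**
 * Every invocation the code could perform that is not allow-listed: plain,
 * static and method calls (`name(`), variable calls (`$f(`), `new`, the
 * backtick shell operator, and eval/include/require, which are never
 * allow-listed because they load or run further code.
 */
function disallowedCalls(string $code): array
{
    $found = [];
    $tokens = token_get_all($code);
    foreach ($tokens as $i => $t) {
        if (!is_array($t)) {
            if ($t === '`') {
                $found[] = '`...`';
            }
            continue;
        }
        [$id, $text] = $t;
        if (in_array($id, [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE, T_NEW], true)) {
            $found[] = $text;
            continue;
        }
        // PHP 8 tokenizes `\foo` and `A\foo` as single name tokens; PHP 7 uses T_STRING pieces.
        $isName = $id === T_STRING || (defined('T_NAME_FULLY_QUALIFIED')
            && in_array($id, [T_NAME_FULLY_QUALIFIED, T_NAME_QUALIFIED, T_NAME_RELATIVE], true));
        if (($id === T_VARIABLE || $isName) && nextSignificant($tokens, $i) === '(') {
            $name = strtolower(ltrim($text, '\\'));
            // A variable call ($f()) cannot be checked statically, so it is always reported.
            if ($id === T_VARIABLE || !in_array($name, ALLOWED_CALLS, true)) {
                $found[] = $text . '()';
            }
        }
    }
    return array_values(array_unique($found));
}

/** Empty array means the candidate passed both gates; otherwise one message per finding. */
function validateConfig(string $code): array
{
    $lint = lintPhp($code);
    if ($lint !== null) {
        return ["syntax: $lint"];   // no point tokenizing what will not parse
    }
    return array_map(function ($n) {
        return "disallowed invocation: $n";
    }, disallowedCalls($code));
}

// Constructed sample inputs: one clean, one with a typo, one with a call that is not allow-listed.
$clean  = "<?php\nwfLoadExtension( 'Cite' );\n\$wgSitename = 'Example';\n";
$typo   = "<?php\nwfLoadExtension( 'Cite' )\n\$wgSitename = 'Example';\n";
$callsOut = "<?php\nsystem( 'uptime' );\n\$wgSitename = 'Example';\n";

foreach ([$clean, $typo, $callsOut] as $candidate) {
    print_r(validateConfig($candidate));
}
```

Two caveats a practitioner would want. First, this gate only restricts invocations: a candidate that merely assigns variables (for example loosening `$wgGroupPermissions`) still changes the wiki's security posture and passes untouched, which is why the thread's answer remains "don't". Second, the file must still be written by the web user into a PHP-enabled directory, which Brian flags as bad practice in its own right; keeping the file in git and running `php -l` in a deploy step outside the web process avoids both problems.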
