Mailing List Archive

> 2 thing I am trying to accomplish.
>
> 1. Parse a RSS feed from another site to display it on mine.
>
> 2. Put the latest Forum posts from my boards on the wiki main page.

I basically wanted to do the exact same thing and I posted the same
question a few days ago ... the answer I was given is that for
security reasons you can't include PHP in any editable page, whether
you are sysop or not (someone please tell me I am wrong?? ;) )

That being said, I thought of two other options:

1. Using a flash movie to pull the php data and display it.
2. Tinker with the php in the page generation files directly.

I haven't had time yet to fully explore either option, but that's all
I can help you with for now!

Taneem Talukdar
http://www.dheo.com/

On Mon, 25 Oct 2004 08:27:44 -0600, Taneem A T <thezeropoint@gmail.com> wrote:
> > 2 thing I am trying to accomplish.
> >
> > 1. Parse a RSS feed from another site to display it on mine.
> >
> > 2. Put the latest Forum posts from my boards on the wiki main page.
>
> I basically wanted to do the exact same thing and I posted the same
> question a few days ago ... the answer I was given is that for
> security reasons you can't include PHP in any editable page, whether
> you are sysop or not (someone please tell me I am wrong?? ;) )
>
> That being said, I thought of two other options:
>
> 1. Using a flash movie to pull the php data and display it.
> 2. Tinker with the php in the page generation files directly.
>
> I haven't had time yet to fully explore either option, but that's all
> I can help you with for now!
>
> Taneem Talukdar
> http://www.dheo.com/
>

Well I have figured out how to enable full html code. This allows me
to add javascript. However I do not know enough about javascript to
make it include a php file. I have gotten it to open a new window
with my code but have yet to get it in the wiki page itself.

I think if I could somehow use javascript to include the php file I
could solve my problem. However I do not know if this is possible
with javascript.

Shane

On Mon, 25 Oct 2004 07:44:33 -0700, shane freese <shane.freese@gmail.com> wrote:
> On Mon, 25 Oct 2004 08:27:44 -0600, Taneem A T <thezeropoint@gmail.com> wrote:
> > > 2 thing I am trying to accomplish.
> > > 1. Parse a RSS feed from another site to display it on mine.
> > > 2. Put the latest Forum posts from my boards on the wiki main page.
> >
> > I basically wanted to do the exact same thing and I posted the same
> > question a few days ago ... the answer I was given is that for
> > security reasons you can't include PHP in any editable page, whether
> > you are sysop or not (someone please tell me I am wrong?? ;) )

Well, you have the source, it's up to you - but it *would* be pretty risky.

Somebody described how they'd done exactly this a few weeks ago: see
http://mail.wikipedia.org/pipermail/wikitech-l/2004-October/025771.html
and its follow-ups; but they then had problems with the pages being
cached, as discussed in the threads starting with
http://mail.wikipedia.org/pipermail/wikitech-l/2004-October/025786.html
and http://mail.wikipedia.org/pipermail/wikitech-l/2004-October/025787.html

> Well I have figured out how to enable full html code. This allows me
> to add javascript. However I do not know enough about javascript to
> make it include a php file. I have gotten it to open a new window
> with my code but have yet to get it in the wiki page itself.

This is, of course, just as dodgy as allowing arbitrary php code:
there are all sorts of evil things someone could do with uncontrolled
javascript, such as accessing cookie data and sending it somewhere
else (since the JavaScript would be on your site, this could probably
allow them to steal information necessary to log into your site as the
person viewing the article). But if you make sure you really really
trust everyone who can edit, this isn't a problem (it's not a wiki
either, but there you go).

> I think if I could somehow use javascript to include the php file I
> could solve my problem. However I do not know if this is possible
> with javascript.

It's certainly possible: people use "javascript feeds" all the time; I
think the basic trick is to grab the data from a special URL, and then
use document.write() to add it to the current page.

However, better than allowing arbitrary anything is just to build the
PHP script you want to execute into the code. You could probably
create a <feed>url:path/to/feed</feed> "extension" (see above
referenced threads), perhaps limiting it to relative paths (so nothing
can be included from somewhere other than your server). Or you could
be less flexible, and just have a magic word, checked for in
Parser.php::internalParse(), that runs a function of your own design;
hacky, but very simple to program.

Of course, you will then end up in the same caching conundrum as
Arvalux in the threads I already referenced: how to make sure the
pages in question are forced to remain uncached. Some kind of hack
with timestamps whereby the cache never thinks it has the latest
version seems to be the best anyone's come up with for this; or, if
you want to be less hacky, a cur_nocache flag in the database that's
set and unset in Parser.php::preSaveTransform() [.he says, quoting bits
of code from memory that he's never really looked at carefully]

Good luck...

--
Rowan Collins BSc
[IMSoP]

One thing I might try is to insert it into the skins, as opposed to
the wikitax itself, if possible. or try the above ideas to get it in
the code. (Locking a template containing a link to some script and
using that with some php outputting javascript would probably be the
easiest).


On Sun, 24 Oct 2004 21:09:29 -0700, shane freese <shane.freese@gmail.com> wrote:
> Hello all,
>
> I am trying to figure out a way to include a PHP script within either
> my template (under navigation) or in a wiki page.
>
> 2 thing I am trying to accomplish.
>
> 1. Parse a RSS feed from another site to display it on mine.
>
> 2. Put the latest Forum posts from my boards on the wiki main page.
>
> Can these be accomplished? I've been pulling my hair out for 3 hours
> now and haven't come up with a solution.
>
> Thanks,
>
> Shane
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l@Wikimedia.org
> http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
>


--
-------------------------------------------------------------------
http://endeavour.zapto.org/astro73/
Thank you to JosephM for inviting me to Gmail!

I simply used what was linked to by Rowan. I added this function to
the bottom of Setup.php. It works just as I needed.

function ParsePHPTag($Content)
{
global $wgOut;
$wgOut->enableClientCache(false);
ob_start();
eval($Content);
$Result = ob_get_contents();
ob_end_clean();
return($Result);
}
$wgParser->setHook('php','ParsePHPTag');

I then just use the newly created <php></php> tags to include my php
script. This does pose a security risk so I wouldn't use it on an
open wiki, however my site isn't a wiki per say I just like the
flexibility of MediaWiki.

Shane


On Tue, 26 Oct 2004 15:33:48 -0400, Jamie Bliss
<astronouth7303@gmail.com> wrote:
> One thing I might try is to insert it into the skins, as opposed to
> the wikitax itself, if possible. or try the above ideas to get it in
> the code. (Locking a template containing a link to some script and
> using that with some php outputting javascript would probably be the
> easiest).
>
>
>
>
> On Sun, 24 Oct 2004 21:09:29 -0700, shane freese <shane.freese@gmail.com> wrote:
> > Hello all,
> >
> > I am trying to figure out a way to include a PHP script within either
> > my template (under navigation) or in a wiki page.
> >
> > 2 thing I am trying to accomplish.
> >
> > 1. Parse a RSS feed from another site to display it on mine.
> >
> > 2. Put the latest Forum posts from my boards on the wiki main page.
> >
> > Can these be accomplished? I've been pulling my hair out for 3 hours
> > now and haven't come up with a solution.
> >
> > Thanks,
> >
> > Shane
> > _______________________________________________
> > MediaWiki-l mailing list
> > MediaWiki-l@Wikimedia.org
> > http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
> >
>
>
> --
> -------------------------------------------------------------------
> http://endeavour.zapto.org/astro73/
> Thank you to JosephM for inviting me to Gmail!
>

Hello all,

This discussion took place a while ago, and we all agreed that while
the given code hack allows for easy PHP code inclusion in a wiki it's
hugely unsafe.

So I was thinking, could we modify the hack so that you couldn't put
in PHP directly into the Wiki but you could include an external PHP
file whose code would be executed?

That way, if you restricted include files to only originate from the
same directory or a subdirectory below the wiki only you as the admin
would be able to create any PHP code. Others on the wiki could still
include and execute the code, but you would be the only one to be able
to create or modify it. So it's safer.

Does this make sense?

Thanks,
Taneem A. Talukdar


On Tue, 26 Oct 2004 13:52:04 -0700, shane freese <shane.freese@gmail.com> wrote:
> I simply used what was linked to by Rowan. I added this function to
> the bottom of Setup.php. It works just as I needed.
>
>
>
> function ParsePHPTag($Content)
> {
> global $wgOut;
> $wgOut->enableClientCache(false);
> ob_start();
> eval($Content);
> $Result = ob_get_contents();
> ob_end_clean();
> return($Result);
> }
> $wgParser->setHook('php','ParsePHPTag');
>
> I then just use the newly created <php></php> tags to include my php
> script. This does pose a security risk so I wouldn't use it on an
> open wiki, however my site isn't a wiki per say I just like the
> flexibility of MediaWiki.
>
> Shane
>
> On Tue, 26 Oct 2004 15:33:48 -0400, Jamie Bliss
>
>
> <astronouth7303@gmail.com> wrote:
> > One thing I might try is to insert it into the skins, as opposed to
> > the wikitax itself, if possible. or try the above ideas to get it in
> > the code. (Locking a template containing a link to some script and
> > using that with some php outputting javascript would probably be the
> > easiest).
> >
> >
> >
> >
> > On Sun, 24 Oct 2004 21:09:29 -0700, shane freese <shane.freese@gmail.com> wrote:
> > > Hello all,
> > >
> > > I am trying to figure out a way to include a PHP script within either
> > > my template (under navigation) or in a wiki page.
> > >
> > > 2 thing I am trying to accomplish.
> > >
> > > 1. Parse a RSS feed from another site to display it on mine.
> > >
> > > 2. Put the latest Forum posts from my boards on the wiki main page.
> > >
> > > Can these be accomplished? I've been pulling my hair out for 3 hours
> > > now and haven't come up with a solution.
> > >
> > > Thanks,
> > >
> > > Shane
> > > _______________________________________________
> > > MediaWiki-l mailing list
> > > MediaWiki-l@Wikimedia.org
> > > http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
> > >
> >
> >
> > --
> > -------------------------------------------------------------------
> > http://endeavour.zapto.org/astro73/
> > Thank you to JosephM for inviting me to Gmail!
> >
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l@Wikimedia.org
> http://mail.wikipedia.org/mailman/listinfo/mediawiki-l
>

On Nov 9, 2004, at 7:21 AM, Taneem A T wrote:
> This discussion took place a while ago, and we all agreed that while
> the given code hack allows for easy PHP code inclusion in a wiki it's
> hugely unsafe.
>
> So I was thinking, could we modify the hack so that you couldn't put
> in PHP directly into the Wiki but you could include an external PHP
> file whose code would be executed?

If you do, be careful about validating the file name; in some
configurations (eg, by default) PHP will let you include and run code
from an arbitrary URL.

-- brion vibber (brion @ pobox.com)

On Tue, 9 Nov 2004 08:21:25 -0700, Taneem A T <thezeropoint@gmail.com> wrote:
> So I was thinking, could we modify the hack so that you couldn't put
> in PHP directly into the Wiki but you could include an external PHP
> file whose code would be executed?

Perhaps this would be a good reason to implement the ability to
include [some?] Special: pages as templates, as requested at
http://bugzilla.wikipedia.org/show_bug.cgi?id=813

That way, the PHP code could only be written by someone with access to
the wiki's source directory, and there would be no need to validate
filenames, as none would ever be directly given (they would be
produced by Title.php, presumably).

I don't know how easy this would be to implement cleanly, though,
given the mixed wiki-text/raw html output of current Special pages.
Maybe SpecialPage.php could have an "executeAsTemplate()" method,
which returned wikitext to be included if the page was requested as an
inclusion. That way, it could return "" by default, and potentially
format things differently than accessing the page normally; and a site
administrator could create Special: pages to do custom bits of php,
even giving them parameters (either using the sub-page style, like
[[Special:Whatlinkshere/foo]], or by having template parameters passed
to exeuteAsTemplate() - in an associative array or somesuch. Hm, I
think I'll shove this suggestion on the bug report...

--
Rowan Collins BSc
[IMSoP]