Hello all,
Thanks for the comments. I have modified the previous hack to do what
we've discussed earlier today:
If you include the following snippet in setup.php:
function IncludePHP($Content)
{
    global $wgOut;
    $wgOut->enableClientCache(false);
    ob_start();
    // Match only lowercase letters and digits, followed by a literal period, followed by 'php'.
    // preg_match() replaces ereg(), which was removed in PHP 7; the dot is escaped so it no
    // longer matches any character, and \z anchors at the true end of the input.
    if (preg_match('/^[a-z0-9]*\.php\z/', $Content) === 1) {
        $Content = "include('$Content');";
    }
    else {
        $Content = "echo \" <strong>invalid include file specified </strong>\";";
    }
    eval($Content);
    $Result = ob_get_contents();
    ob_end_clean();
    return($Result);
}
$wgParser->setHook('includephp','IncludePHP');
(To make it work, you put the PHP code in "filename.php", upload it to
your wiki directory, then use the syntax
<includephp>filename.php</includephp>)
In my wiki, this works beautifully - only *.php files in my wiki
directory are executed. Everything else is rejected. It's a simple
matter of tweaking the regex to allow subfolders too.
Comments about the effectiveness of this are appreciated ... =)
Taneem Talukdar
On Tue, 9 Nov 2004 23:07:33 +0000, Rowan Collins
<rowan.collins@gmail.com> wrote:
> On Tue, 9 Nov 2004 08:21:25 -0700, Taneem A T <thezeropoint@gmail.com> wrote:
> > So I was thinking, could we modify the hack so that you couldn't put
> > in PHP directly into the Wiki but you could include an external PHP
> > file whose code would be executed?
>
> Perhaps this would be a good reason to implement the ability to
> include [some?] Special: pages as templates, as requested at
> http://bugzilla.wikipedia.org/show_bug.cgi?id=813
>
> That way, the PHP code could only be written by someone with access to
> the wiki's source directory, and there would be no need to validate
> filenames, as none would ever be directly given (they would be
> produced by Title.php, presumably).
>
> I don't know how easy this would be to implement cleanly, though,
> given the mixed wiki-text/raw html output of current Special pages.
> Maybe SpecialPage.php could have an "executeAsTemplate()" method,
> which returned wikitext to be included if the page was requested as an
> inclusion. That way, it could return "" by default, and potentially
> format things differently than accessing the page normally; and a site
> administrator could create Special: pages to do custom bits of php,
> even giving them parameters (either using the sub-page style, like
> [[Special:Whatlinkshere/foo]], or by having template parameters passed
> to executeAsTemplate() - in an associative array or somesuch. Hm, I
> think I'll shove this suggestion on the bug report...
>
> --
> Rowan Collins BSc
> [IMSoP]
>
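
The filename check discussed in the message above, as an added example that is not part of the original post or of MediaWiki: it combines an anchored allowlist pattern with a realpath() check that the resolved file sits directly in the intended directory, and includes the file without eval(). The function names, the temporary directory and the sample names are constructed for illustration.

```php
<?php
// Added example; resolveIncludeFile() and renderInclude() are hypothetical names.
function resolveIncludeFile(string $name, string $baseDir): ?string
{
    // Allowlist: lowercase letters/digits, a literal dot, then "php".
    // \A and \z anchor on the whole input ("$" would also accept a trailing newline).
    if (preg_match('/\A[a-z0-9]+\.php\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false for missing files and resolves symlinks,
    // so a link that points outside $baseDir fails the dirname() comparison.
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

function renderInclude(string $name, string $baseDir): string
{
    $path = resolveIncludeFile($name, $baseDir);
    if ($path === null) {
        return '<strong>invalid include file specified</strong>';
    }
    ob_start();
    try {
        include $path;                       // plain include, no eval() needed
        return (string) ob_get_contents();
    } finally {
        ob_end_clean();                      // always discard the buffer, even on error
    }
}

// Constructed demo: a temporary directory standing in for the wiki directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'includephp_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'hello.php', '<?php echo "hello from include";');
$samples = ['hello.php', 'helloXphp', '../hello.php', "hello.php\n", 'missing.php'];
foreach ($samples as $name) {
    printf("%-16s => %s\n", json_encode($name, JSON_UNESCAPED_SLASHES), renderInclude($name, $dir));
}
unlink($dir . DIRECTORY_SEPARATOR . 'hello.php');
rmdir($dir);
```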