
Install Extension:PhpTags on gu.wiki
Closed, Declined · Public

Description

Please install Extension:PhpTags on gu.wiki as we want to enable some functions like sunrise/sunset data based on which Hindu Calendar functions will be calculated and displayed.

Event Timeline

Dsvyas created this task. Feb 7 2016, 5:04 PM
Dsvyas raised the priority of this task from to Normal.
Dsvyas updated the task description.
Dsvyas added subscribers: Dsvyas, Aniket.
Restricted Application added a subscriber: Aklapper. Feb 7 2016, 5:04 PM

Setting project to "Wikimedia-Site-Requests" project as this request is about settings / configuration of a Wikimedia website.

For more information about how to request these kinds of changes, please see https://meta.wikimedia.org/wiki/Requesting_wiki_configuration_changes - this is missing a link to community consensus.

Aklapper raised the priority of this task from Normal to Needs Triage. Feb 7 2016, 11:27 PM
Aklapper updated the task description.
Aklapper set Security to None.
Restricted Application added subscribers: JEumerus, StudiesWorld, Matanya. Feb 7 2016, 11:27 PM

It looks like this extension has not been deployed on any Wikimedia site yet. Hence it needs to be reviewed first before this request can be fulfilled. Please see Review for deployment for how to proceed.

Can you explain why you need this extension specifically instead of using Scribunto/Lua?

Reedy closed this task as Declined. Feb 7 2016, 11:49 PM
Reedy claimed this task.
Reedy added a subscriber: Reedy.

This extension is not going to be deployed on Wikimedia wikis, period. There have been numerous similar requests in the past, to enable extensions that essentially allow arbitrary code to be run on a wiki. It's just a security nightmare waiting to happen.

Per Legoktm above, we have Scribunto/Lua for things like this.

If you need help implementing something to do this, and/or need more things enabling/exposing in Scribunto, please file separate appropriate tasks.

Why do all public answers contain the phrase "allow arbitrary code to be run on a wiki"?
It only looks like "allow arbitrary code to be run on a wiki", but in general, it works identically to Magic Words.

I agree it can be hard for security review because there are some hard coded parts that were written to provide better performance (and probably because it looks like "allow arbitrary code to be run on a wiki").
The second aspect is: it allows a lot of variants of code combination and it is hard to check them all.
I wrote more than a thousand tests and still have not come close to this. Sometimes people send me bug reports when PhpTags stops working or does not return the correct result, but none of them was related to security issues.

Of course, I admit that there may be bugs that may lead to arbitrary code execution, so at each stage of running code, it examines the data in order to minimize the risks. But can anyone guarantee that their code does not contain such errors?

Johsthao closed this task as a duplicate of T126250: <spam>. Feb 8 2016, 6:24 PM
JEumerus changed the task status from Duplicate to Declined. Feb 8 2016, 6:30 PM
matmarex reopened this task as Open. Feb 8 2016, 6:32 PM
Krenair closed this task as Declined. Feb 8 2016, 7:28 PM
Krenair added a subscriber: Krenair.