Page MenuHomePhabricator
Create Task
Maniphest T231855

Allow using relative paths in array config vars
Closed, ResolvedPublic
Actions

Description

extension.json config allows parsing relative paths via "path": true,.
Unfortunately, that functionality is limited to string values only - an array of strings (even when using "path": true,, won't get their paths transformed)

I think it's fair to expect that arrays of relative paths are also converted when using "path": true, in the config.
An existing use case it Wikibase's $wgWikibasePerRepositoryServiceWiringFiles, which is an array of paths.
Unless we're able to use an array of relative paths here in extension.json, we'd otherwise have to resort do doing it from PHP.

Details

Related Gerrit Patches:
mediawiki/core : masterRegistration: Allow relative paths in config arrays, not just strings

Event Timeline

Restricted Application added projects: Wikidata, Structured-Data-Backlog. · View Herald TranscriptSep 3 2019, 8:13 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Sep 3 2019, 8:15 AM

Change 525784 had a related patch set uploaded (by Matthias Mullie; owner: Matthias Mullie):
[mediawiki/core@master] Allow using relative paths in array config vars

https://gerrit.wikimedia.org/r/525784

Reedy added a project: acl*security.Oct 7 2019, 7:37 PM
Reedy added a subscriber: Reedy.

While I'm happy for allowing an array of paths (that makes perfect sense), the relative-ness does give cause for concern

What's to stop a malicious extension reading arbitrary files from disk, and then doing whatever with them?

gerritbot added a comment.Oct 8 2019, 6:04 PM

Change 525784 merged by jenkins-bot:
[mediawiki/core@master] Registration: Allow relative paths in config arrays, not just strings

https://gerrit.wikimedia.org/r/525784

Jdforrester-WMF added a subscriber: Jdforrester-WMF.Oct 8 2019, 6:51 PM
In T231855#5553392, @Reedy wrote:

While I'm happy for allowing an array of paths (that makes perfect sense), the relative-ness does give cause for concern
What's to stop a malicious extension reading arbitrary files from disk, and then doing whatever with them?

Existing functionality. File a new task?

Reedy closed this task as Resolved.Oct 8 2019, 7:03 PM
Reedy assigned this task to matthiasmullie.
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL