Page MenuHomePhabricator
Create Task
Maniphest T231855

Allow using relative paths in array config vars
Closed, ResolvedPublic
Actions

Description

extension.json config allows parsing relative paths via "path": true,.
Unfortunately, that functionality is limited to string values only - an array of strings (even when using "path": true,, won't get their paths transformed)

I think it's fair to expect that arrays of relative paths are also converted when using "path": true, in the config.
An existing use case it Wikibase's $wgWikibasePerRepositoryServiceWiringFiles, which is an array of paths.
Unless we're able to use an array of relative paths here in extension.json, we'd otherwise have to resort do doing it from PHP.

Details

ProjectBranchLines +/-Subject
mediawiki/coremaster+19 -3Registration: Allow relative paths in config arrays, not just strings
Customize query in gerrit

Event Timeline

matthiasmullie created this task.Sep 3 2019, 8:13 AM
Restricted Application added projects: Wikidata, Structured-Data-Backlog. · View Herald TranscriptSep 3 2019, 8:13 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Sep 3 2019, 8:15 AM

Change 525784 had a related patch set uploaded (by Matthias Mullie; owner: Matthias Mullie):
[mediawiki/core@master] Allow using relative paths in array config vars

https://gerrit.wikimedia.org/r/525784

gerritbot added a project: Patch-For-Review.Sep 3 2019, 8:15 AM
Reedy added a project: acl*security.Oct 7 2019, 7:37 PM
Reedy added a subscriber: Reedy.

While I'm happy for allowing an array of paths (that makes perfect sense), the relative-ness does give cause for concern

What's to stop a malicious extension reading arbitrary files from disk, and then doing whatever with them?

gerritbot added a comment.Oct 8 2019, 6:04 PM

Change 525784 merged by jenkins-bot:
[mediawiki/core@master] Registration: Allow relative paths in config arrays, not just strings

https://gerrit.wikimedia.org/r/525784

Maintenance_bot removed a project: Patch-For-Review.Oct 8 2019, 6:10 PM
Jdforrester-WMF added a subscriber: Jdforrester-WMF.Oct 8 2019, 6:51 PM
In T231855#5553392, @Reedy wrote:

While I'm happy for allowing an array of paths (that makes perfect sense), the relative-ness does give cause for concern

What's to stop a malicious extension reading arbitrary files from disk, and then doing whatever with them?

Existing functionality. File a new task?

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.2; 2019-10-15).Oct 8 2019, 7:00 PM
Reedy closed this task as Resolved.Oct 8 2019, 7:03 PM
Reedy assigned this task to matthiasmullie.
chasemp added a project: Security.Feb 10 2020, 10:51 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:11 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL