I didn't notice it up till now, but there is a bit of a poor coding style in the Semantic extensions' config files. Technically it could be considered a register_globals vulnerability, albeit a small one, but a vulnerability nonetheless.

For those of you who don't understand the technical notion of the term: a register_globals vulnerability is one which basically allows someone viewing the site to inject values into variables when a webserver has register_globals enabled. This is because register_globals registers the variables in the query as global variables. We protect against this by defining a default for all variables and having people change them after they are defined.

These would be considered register_globals vulnerabilities. All config variables should be solidly defined inside of the settings file, config changes should be made after loading the extension, and any needed config alterations should be done from an ExtensionFunction in $wgExtensionFunctions.

Firstly, the namespace configuration variables.
* In SMW $smwgNamespaceIndex
* In SF $sfgNamespaceIndex
* In SDD $sdgNamespaceIndex

In all 3 of these extensions, when using the namespace configuration variable an isset() is made use of, and people are told to place the config "before" the loading of the extension.

These specific vulnerabilities are a bit small, but they still allow the end user to modify a configuration variable they should not be allowed to. If someone were to go to a page using the url query ?smwgNamespaceIndex=-2 and register_globals were enabled, then for that page view the main namespace would be considered Property, i.e. all semantics would be broken. Technically, if they used ?smwgNamespaceIndex=-2&action=purge they would temporarily break all the semantic stuff on the page for the next viewer and pollute the link tables.

Secondly, $smwgSMWBetaCompatible. This too uses an isset() and does not define it beforehand. Here it is possible for someone to enable beta compatibility when they are not supposed to.

Third, fourth, and fifth issues are autoloading issues in Semantic GoogleMaps.
* SGM is not using the proper hook for adding parser functions.
* SGM is using $sfgFormPrinter->setInputTypeHook; this causes the form printer to be unstubbed early when we may not need it. If we don't have an alternate way of doing this, then we should add a hook to the Form Printer similar to the Parser's FirstCallInit method, as well as a constant to indicate that support for it exists.
* SGM is also testing $smwgResultFormats, which will not be set before SM 1.2.2, and things could be broken if someone decides to put smwgResultFormats into the query. We should either add a new constant to indicate we support the new global, or use class_exists( 'SMWQueryProcessor' ) and, if it exists, check if SMWQueryProcessor::$formats is set.

Next is a small style note. We have a $sdgListSeparator for Semantic Drilldown, and a $sfgListSeparator for Semantic Forms. Both are set to the comma (,). I do understand that because SMW does not have this variable we cannot use a common one, since one of the extensions might not be defined. But we could use a more generic name and have LocalSettings define a different one after both extensions have been loaded. Or even better, use a 'list_separator' system message. This would even allow the comma to be internationalized, or rather, customized on the user side of the wiki. This is really a UI thing and shouldn't require a config change to alter it.


Just a personal note, but I kinda dislike how we do autoloading inside of enableSemantics(). All these variable settings should be root level rather than inside of a function. I personally dislike the whole notion of an enableSemantics() function; I don't see any valid need for it to exist. There is nothing inside of that function that can't be done outside of it. Also, it's probably a bad idea to set hooks inside of an ExtensionFunction; as many of those as possible should be done outside of it.

--
~Daniel Friesen(Dantman, Nadir-Seen-Fire) of:
-The Nadir-Point Group (http://nadir-point.com)
--It's Wiki-Tools subgroup (http://wiki-tools.com)
--The ElectronicMe project (http://electronic-me.org)
--Games-G.P.S. (http://ggps.org)
-And Wikia ACG on Wikia.com (http://wikia.com/wiki/Wikia_ACG)
--Animepedia (http://anime.wikia.com)
--Narutopedia (http://naruto.wikia.com)

_______________________________________________
Semediawiki-devel mailing list
https://lists.sourceforge.net/lists/listinfo/semediawiki-devel
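The isset()-guarded default pattern and the unconditional one it should be replaced with, as an added PHP illustration of the register_globals point made in the mail above. This is not code from SMW, SF, SDD or the author; the variable names are the ones the mail lists, the defaults (100 and false) and the extension-function body are assumptions, and the request parameters are constructed. register_globals itself is simulated with an explicit copy into $GLOBALS so the script runs on a modern PHP where the setting no longer exists.

```php
<?php
// Added example (not SMW/SF/SDD project code) of the isset() register_globals issue.
// Config names are from the mail; the defaults and the extension function are
// assumptions; the request below is constructed.

// Constructed request, as a viewer could send with register_globals=On:
//   ?smwgNamespaceIndex=-2&smwgSMWBetaCompatible=1
$constructedQuery = [
    'smwgNamespaceIndex'    => '-2',
    'smwgSMWBetaCompatible' => '1',
];

// register_globals=On copied every request parameter into the global scope
// before the first line of any script ran. Simulated here explicitly; an old
// PHP install with the setting enabled did this implicitly.
function simulateRegisterGlobals(array $query): void
{
    foreach ($query as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Vulnerable pattern, i.e. "if (!isset($smwgNamespaceIndex)) $smwgNamespaceIndex = 100;".
// The default is only applied when nothing is set, so a value that the request
// injected into the global scope is kept as the configuration.
function vulnerableDefault(string $name, $default)
{
    if (!isset($GLOBALS[$name])) {
        $GLOBALS[$name] = $default;
    }
    return $GLOBALS[$name];
}

// Hardened pattern, i.e. "$smwgNamespaceIndex = 100;" with no isset() guard.
// The settings file always overwrites the global, so whatever register_globals
// put there is discarded. The site admin changes the value in LocalSettings.php
// after the extension's settings file has been included, never before.
function hardenedDefault(string $name, $default)
{
    $GLOBALS[$name] = $default;
    return $GLOBALS[$name];
}

// Code that must react to the final value belongs in an extension function,
// which MediaWiki runs only after LocalSettings.php has finished executing
// (assumed body: just report what it sees).
$wgExtensionFunctions = [];
$wgExtensionFunctions[] = function () {
    printf(
        "ExtensionFunction sees smwgNamespaceIndex=%d, beta=%s\n",
        $GLOBALS['smwgNamespaceIndex'],
        var_export((bool) $GLOBALS['smwgSMWBetaCompatible'], true)
    );
};

// --- Vulnerable load order: request globals first, then isset()-guarded defaults.
simulateRegisterGlobals($constructedQuery);
$ns   = vulnerableDefault('smwgNamespaceIndex', 100);
$beta = vulnerableDefault('smwgSMWBetaCompatible', false);
printf("isset() pattern:  namespace index=%d, beta=%s\n",
    $ns, var_export((bool) $beta, true));

// --- Hardened load order: unconditional defaults, then the admin's override.
simulateRegisterGlobals($constructedQuery);
$ns   = hardenedDefault('smwgNamespaceIndex', 100);
$beta = hardenedDefault('smwgSMWBetaCompatible', false);
printf("unconditional:    namespace index=%d, beta=%s\n",
    $ns, var_export((bool) $beta, true));

// What LocalSettings.php does after the require_once of the settings file:
$GLOBALS['smwgNamespaceIndex'] = 200;

// MediaWiki invokes $wgExtensionFunctions once LocalSettings.php is done.
foreach ($wgExtensionFunctions as $fn) {
    $fn();
}
```

Running it shows the two load orders side by side: under the isset() pattern the viewer's query decides the namespace index and the beta flag, while under the unconditional assignment the defaults win and only the LocalSettings.php override made after loading reaches the extension function.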