On Wed, Oct 14, 2009 at 8:28 PM, Tim Starling <[email protected]> wrote:
<snip>
> Wikimedia has finally stopped checking out the entire extensions
> directory and exposing it to the web, but there might be other sites
> out there still doing the same insecure practice. It may make sense to
> split off an "extensions-contrib" directory where unreviewed
> extensions can be put, with less chance of jeopardising the security
> of servers.
<snip>

A similar approach, with slightly different nomenclature, would be to create an "extensions-approved" directory restricted to core contributors for the 60 odd extensions used by Wikimedia.

http://www.mediawiki.org/wiki/Category:Extensions_used_on_Wikimedia

Obviously any extension used on the live site has essentially the same security implications as the core code. As there are already a few hundred extensions in SVN, I think it is fair to regard many existing extensions in SVN as contribs that have never been studied in detail.

-Robert Rohde
