Mailing List Archive: Wikipedia: Wikitech

Re: [MediaWiki-CVS] SVN: [34405] trunk/phase3/includes/DatabaseSqlite.php

Index | Next | Previous | View Threaded

brion at wikimedia

May 7, 2008, 4:54 PM

Post #1 of 2 (255 views)
Permalink

Re: [MediaWiki-CVS] SVN: [34405] trunk/phase3/includes/DatabaseSqlite.php

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

nad[at]svn.wikimedia.org wrote:
> Add SQLite database class

Cool! :D

Couple notes after a quick pass over it...

> + if ("$wgSQLiteDataDir" == '') $wgSQLiteDataDir = dirname($_SERVER['DOCUMENT_ROOT']).'/data';
> + if (!is_dir($wgSQLiteDataDir)) mkdir($wgSQLiteDataDir,0700);

This default sounds a bit insecure, as the raw database files would be
exposed to the web unless PHP's running as a different user from the
static web server.

That means deleted data, user email-addresses, password hashes, etc
would be exposed to download.

> + /**
> + * Use MySQL's naming (accounts for prefix etc) but remove surrounding backticks
> + */
> + function tableName($name) {
> + $t = parent::tableName($name);
> + if (!empty($t)) $t = substr($t,1,-1);

I believe this will produce bad output for anything using an explicit
DB, eg `dbname`.`prefix_table`.

Dunno whether that'd actually work here anyway, though. :)

- -- brion vibber (brion @ wikimedia.org)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkgiQRsACgkQwRnhpk1wk45EZQCg0OKYyarZJ7lTXgqn28W9/YHU
4ZQAniCaE+x+dNhh6E8kV+sIj2LsKv9u
=Wd1O
-----END PGP SIGNATURE-----

_______________________________________________
Wikitech-l mailing list
Wikitech-l[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

dan_the_man at telus

May 7, 2008, 4:58 PM

Post #2 of 2 (239 views)
Permalink

Re: [MediaWiki-CVS] SVN: [34405] trunk/phase3/includes/DatabaseSqlite.php [In reply to]

Brion Vibber wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> nad[at]svn.wikimedia.org wrote:
>
>> Add SQLite database class
>>
>
> Cool! :D
>
> Couple notes after a quick pass over it...
>
>
>> + if ("$wgSQLiteDataDir" == '') $wgSQLiteDataDir = dirname($_SERVER['DOCUMENT_ROOT']).'/data';
>> + if (!is_dir($wgSQLiteDataDir)) mkdir($wgSQLiteDataDir,0700);
>>
>
> This default sounds a bit insecure, as the raw database files would be
> exposed to the web unless PHP's running as a different user from the
> static web server.
>
> That means deleted data, user email-addresses, password hashes, etc
> would be exposed to download.
>
>
>
>> + /**
>> + * Use MySQL's naming (accounts for prefix etc) but remove surrounding backticks
>> + */
>> + function tableName($name) {
>> + $t = parent::tableName($name);
>> + if (!empty($t)) $t = substr($t,1,-1);
>>
>
> I believe this will produce bad output for anything using an explicit
> DB, eg `dbname`.`prefix_table`.
>
> Dunno whether that'd actually work here anyway, though. :)
>
I'd say something like what the other 2 database classes use for
tableName should be what is used.
> - -- brion vibber (brion @ wikimedia.org)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkgiQRsACgkQwRnhpk1wk45EZQCg0OKYyarZJ7lTXgqn28W9/YHU
> 4ZQAniCaE+x+dNhh6E8kV+sIj2LsKv9u
> =Wd1O
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l[at]lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
>

~Daniel Friesen(Dantman) of:
-The Gaiapedia (http://gaia.wikia.com)
-Wikia ACG on Wikia.com (http://wikia.com/wiki/Wikia_ACG)
-and Wiki-Tools.com (http://wiki-tools.com)

_______________________________________________
Wikitech-l mailing list
Wikitech-l[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com