Last modified: 2014-09-23 19:57:33 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T32039, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 30039 - ParserFunctions + Variables: tighter integration.


Summary:	ParserFunctions + Variables: tighter integration.

Status:	NEW

Product:	MediaWiki extensions
Classification:	Unclassified
Component:	ParserFunctions (Other open bugs)
Version:	unspecified
Hardware:	All All

Importance:	Low enhancement (vote)
Target Milestone:	---
Assigned To:	Nobody - You can work on this!

URL:
Whiteboard:
Keywords:	patch, patch-reviewed

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2011-07-24 18:33 UTC by Van de Bugger
Modified:	2014-09-23 19:57 UTC (History)
CC List:	5 users (show)

See Also:
Web browser:	---
Mobile Platform:	---
Assignee Huggle Beta Tester:	---

Attachments
Patch for ParserFunctions. (5.41 KB, patch) 2011-07-24 18:33 UTC, Van de Bugger	Details
Add an attachment (proposed patch, testcase, etc.)

Description Van de Bugger 2011-07-24 18:33:29 UTC

Created attachment 8822 [details]
Patch for ParserFunctions.

Hi,

Currently ParserFunctions have no notion about variables, which
resulting in lots of typing and lots of braces, for example:

{{ #ifexpr: {{ #var: a }} + {{ #var: a }} > 4 | ... }}

I always wanted #expr and #ifexpr functions recognize variables so I can
write 

{{ #ifexpr: a + a > 4 | ... }}

Attached patch implements this integration between ParserFunctions and
Variables.

Changes summary:

1. When if a word is a not predefined expression word (like `pi' or
`trunc'), it is checked whether Varaibles extension enabled and whether
such a variable exists. If variable exists, its value used.

2. New error message introduced: "Unexpected variable".

3. Second parameter added to ExprParser::doExpression, parser — it is
required by Variables (though it is not actually used). For
compatibility with older code, parameter is optional.

4. Variables extension is not required, if Variables extension is not
enabled, ParserFunctions does not recognize variables but does not issue
errors.

I have access to SVN. If the patch is generally ok, I can commit it.

Thanks,
Van.

Comment 1 Happy-melon 2011-07-29 02:20:24 UTC

In installations where ParserFunctions is installed but Variables is not, $wgExtVariables is undefined, and so referencing it is a register_globals vulnerability.

The ParserFunctions extension should not contain references to the Variables extension in the same way that core code should not contain references to extensions.  You should include hooks in ParserFunctions and hook functions in Variables which handle the actual processing (and could happily be used by other extensions).  It's fine to tweak the code flow in ParserFunctions to ensure you can pass the right things to the hook.

Comment 2 Van de Bugger 2011-07-29 18:18:00 UTC

Sorry, I am not an experienced PHP developer, so I did not get everything you wrote.

As I understand, vulnerability is only possible if Variables extension is not installed AND register_globals is ON. register_globals is OFF by default and I saw a lot of warnings that it should remain be OFF.

However, I do not object to introduce a hook if you point me an example what it is.

Another thing I though about is fully emulating Variables in ParserFunctions. Variables is trivial extension and is in public domain, so it is possible to just incorporate Variables into ParserFunctions.

Comment 3 John Du Hart 2011-08-23 20:23:56 UTC

Some information about hooks: http://www.mediawiki.org/wiki/Hooks

Basically you need a wfRunHooks call somewhere that lets you modify the behaviour of the ParserFunctions call from Variables.

Comment 4 Van de Bugger 2011-09-19 19:29:39 UTC

Sorry, did not catch. Manual:Hooks says:

> Hooks allow custom code to be executed when one of many defined events (like saving an article or a user logging in) occur.

In case of ParserFunctions/Variables integration, I do not see events. In this case one extension (namely, ParserFunctions) directly uses service provided by another extension (namely, Variables). 

Happy-melon said:

> The ParserFunctions extension should not contain references to the Variables
extension in the same way that core code should not contain references to
extensions.

?? Extensions use services provided by core directly. Extensions use global variables defined in core, like $wgAutoloadClasses, $wgGroupPermissions, $wgContLang, etc.

In this particular case, what is "core" and what is "extension"? (1) ParserFunctions extends Variables or (2) Variables extends ParserFunctions?

In the first case I do not see any issue if ParserFunctions uses services provided by Variables by using global variable $wgExtVariables.

In the seconds case ParserFunctions (namely, expression parser/evaluator) can be extended with plugins to introduce new functions, operators, names... It is an interesting idea -- extensions for extensions... It is suitable for big and complex extensions like SemanticMediaWiki, but ParserFunctions is rather simple extension... Do you really want make a monster from ParserFunctions? To me it is much simpler to move Variables functionality into ParserFunctions.

Comment 5 Van de Bugger 2011-09-29 19:07:32 UTC

BTW, I just scanned extension sources checked out from svn. DynamicPageList extension uses Variables directly via $wgExtVariables, as well as another extension, Loops.

Comment 6 Max Semenik 2012-04-20 19:32:28 UTC

rm patch-need-review, this patch isn't going to be accepted. We should switch to Lua anyway instead of inviting new exciting ways to make wikitext even slower.

Wikimedia Bugzilla is closed!

Search

Personal tools

Navigation

Links