Skip to content

Validate install.sh inputs to prevent PHP injection in LocalSettings.php#12

Open
tosfos wants to merge 1 commit intomasterfrom
fix-install-sh-php-injection-input-validation
Open

Validate install.sh inputs to prevent PHP injection in LocalSettings.php#12
tosfos wants to merge 1 commit intomasterfrom
fix-install-sh-php-injection-input-validation

Conversation

@tosfos
Copy link

@tosfos tosfos commented Feb 16, 2026

Summary

install.sh writes user-controlled action inputs (extension, type, extra_file) into LocalSettings.php without validation. A workflow (e.g. a PR) could pass e.g. extension: "'; phpinfo(); //" and execute arbitrary PHP in CI.

Fix: Validate before use:

  • extension: non-empty, only [a-zA-Z0-9_-]
  • type: exactly extension or skin
  • extra_file: if set, only [a-zA-Z0-9_./-], reject ..

Testing

  • Ran install.sh with malicious extension name → exit 1, error message.
  • Ran with invalid type / path traversal in extra_file → exit 1.
  • Valid inputs pass validation (script then fails on missing mediawiki/ when not in CI, as expected).

Jira + GitHub issue to be created when Jira is available. Work was performed by AI / Cursor Agent.

@tosfos @cursoragent
Validate install.sh inputs to prevent PHP injection in LocalSettings.php
46b0edc 
- extension: allow only [a-zA-Z0-9_-], reject empty
- type: allow only 'extension' or 'skin'
- extra_file: if set, allow only [a-zA-Z0-9_./-] and reject '..'

Prevents malicious workflow inputs from injecting PHP into generated
LocalSettings.php (e.g. extension="'; phpinfo(); //").

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tosfos