Extension:Ploticus

From MediaWiki.org
Ploticus

Release status: beta
Implementation: Parser extension, Tag
Description: Ploticus extension for just-in-time graph generation
Author(s): Flavien Scheurer
Last version: 1.0 (2007-10-16)
MediaWiki: 1.11.0
License: Public domain
Download: Extension:Ploticus

Warning

Although this extension removes the #shell and #system functions, other Ploticus functions can output files, read files, etc. A combination of these functions could allow an attacker to write a file and make it executable, allowing arbitrary code execution. The functions below are some of the ones I see during an initial look through the API:

#proc annotate
#proc axis
#proc drawcommands
#proc getdata
#proc page
#proc print
#proc processdata
$tmpfilename(tag)
$fileexists( dir, name )
$rename( pathname, newpathname )
$unlink( pathname )
$chmod( pathname, mode ) <-- this is *really* dangerous

Note that there may be others, so if you are sanitizing the code, you should look in depth!
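To make the point of the warning concrete: renderPloticus() below filters the script with a substring blacklist (strtr() stripping "`", "system" and "shell"), which removes #shell and #system but leaves every other directive, attribute and $-function untouched, and mangles innocent words on the way. The usual fix is an allowlist: accept only the procs, attributes and $-functions a plot actually needs and reject everything else. This is an added Python example, not code from the extension or from the reviewer who wrote the warning; the blacklist_filter() function mirrors the extension's strtr() call, the allowed procs, attributes and $-functions are an assumption chosen for the example (a small inline-data plotting subset, not taken from the Ploticus documentation), and the three sample scripts are constructed.

```python
import re
from typing import Dict, List, Optional, Set


# Mirrors the filter in renderPloticus():
#   strtr($data, array('`' => '', 'system' => '', 'shell' => ''))
def blacklist_filter(script: str) -> str:
    for needle in ("`", "system", "shell"):
        script = script.replace(needle, "")
    return script


# Allowlist for this example (an assumption, not a list taken from the extension or
# from Ploticus' documentation): #proc getdata may only take inline-data attributes,
# the other procs draw on the page and may take any attribute (None). Anything not
# listed here is rejected, so a new file-handling proc can never slip through.
ALLOWED_PROCS: Dict[str, Optional[Set[str]]] = {
    "getdata": {"data", "fieldnames", "delim"},
    "areadef": None, "xaxis": None, "yaxis": None,
    "bars": None, "lineplot": None, "scatterplot": None,
    "legend": None, "legendentry": None,
}
# $-functions that only compute on their arguments (assumption for this example).
ALLOWED_FUNCS = {"arith", "formatfloat"}

DIRECTIVE = re.compile(r"^\s*#(\w+)(?:\s+(\S+))?")   # "#proc getdata", "#endproc", "#shell ls"
ATTRIBUTE = re.compile(r"^\s*([A-Za-z_]\w*)\s*:")   # "data:", "command: uname -a"
FUNC_CALL = re.compile(r"\$([A-Za-z_]\w*)\s*\(")     # "$chmod(", "$arith("


def allowlist_check(script: str) -> List[str]:
    """Return the list of violations; an empty list means the script is accepted."""
    violations: List[str] = []
    current_proc: Optional[str] = None
    for lineno, line in enumerate(script.splitlines(), 1):
        stripped = line.strip()
        if not stripped:
            current_proc = None          # a blank line ends the current proc
            continue
        if stripped.startswith("//"):
            continue                     # comment line
        directive = DIRECTIVE.match(line)
        if directive:
            kind, arg = directive.groups()
            if kind == "proc" and arg in ALLOWED_PROCS:
                current_proc = arg
            elif kind == "proc":
                current_proc = None
                violations.append(f"line {lineno}: #proc {arg} is not allowlisted")
            elif kind == "endproc":
                current_proc = None
            else:
                # #shell, #system, #include, ... none of them is needed to draw a plot
                violations.append(f"line {lineno}: directive #{kind} is not allowlisted")
        else:
            attribute = ATTRIBUTE.match(line)
            if attribute and current_proc is not None:
                allowed = ALLOWED_PROCS[current_proc]
                name = attribute.group(1)
                if allowed is not None and name not in allowed:
                    violations.append(
                        f"line {lineno}: attribute '{name}' is not allowlisted for #proc {current_proc}")
        # $-function calls are checked on every line, wherever they appear
        for fname in FUNC_CALL.findall(line):
            if fname not in ALLOWED_FUNCS:
                violations.append(f"line {lineno}: function ${fname}() is not allowlisted")
    return violations


# Constructed sample scripts (not from the page).
SAFE_SCRIPT = """\
// constructed sample: inline data and drawing procs only
#proc getdata
data:
  2007 12
  2008 17

#proc areadef
rectangle: 1 1 5 3
xrange: 2006 2009
yrange: 0 20

#proc bars
locfield: 1
lenfield: 2
"""

CHMOD_SCRIPT = """\
// constructed sample: a $-function the extension's blacklist does not touch
#proc areadef
title: $chmod(/tmp/x, 0755)
"""

COMMAND_SCRIPT = """\
// constructed sample: getdata pointed at something other than inline data
#proc getdata
command: uname -a
"""

if __name__ == "__main__":
    for label, script in (("safe", SAFE_SCRIPT), ("chmod", CHMOD_SCRIPT), ("command", COMMAND_SCRIPT)):
        print(label, "-> blacklist leaves the last line as:", blacklist_filter(script).splitlines()[-1])
        print(label, "-> allowlist says:", allowlist_check(script) or "accepted")
```

The blacklist passes CHMOD_SCRIPT and COMMAND_SCRIPT unchanged (neither contains the substring "system" or "shell") while turning a harmless comment such as "// subsystem load" into "// sub load"; the allowlist rejects both scripts and accepts the inline-data plot. Whatever concrete list you settle on, the structure is the point: reject by default, and keep the $-function check separate from the proc check so that a call hidden in an attribute value is caught wherever it appears.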

Ploticus.php

Ploticus extension for just-in-time graph generation

This extension is inspired by the EasyTimeline and the Gnuplot extensions.

Made by Flavien Scheurer, October 2007

Tested on

  • MediaWiki 1.11.0
  • Apache 2.2.4 on Windows Server 2003
  • PHP 5.2.4
  • Not tested on *nix but should work OK by switching the path separator from \ to /.

Requirements

  • Ploticus 2.33 (http://ploticus.sourceforge.net/doc/download.html).

Syntax

<ploticus>...</ploticus>

Script handbook

http://ploticus.sourceforge.net/doc/scripthome.html

Installation

  • Install Ploticus if needed (avoid spaces in path).
  • Add in LocalSettings.php:
require_once('extensions/Ploticus.php');
$wgPloticusSettings->exePath = 'D:\Ploticus\bin\pl.exe';
$wgPloticusSettings->imageFormat = 'gif';

Todo

  • Add support for clickable maps.
  • Clean up previously generated files in the Ploticus folder.
  • Add support for pretty PNG.

Please note that I'm no longer running MediaWiki. I've changed the license to "Public domain". Anyone willing to continue working on this is free to do so.

Warning

  • Designed with security in mind, but this is my first public PHP script and should be reviewed!

<?php
 
/**
* Ploticus.php
* Ploticus extension for just-in-time graph generation
* This extension is inspired by the EasyTimeline and the Gnuplot extensions.
* Created Flavien Scheurer, October 2007, Public domain
* 
* Tested on:
*       - MediaWiki 1.11.0
*       - Apache 2.2.4 on Windows Server 2003
*       - PHP 5.2.4
*       - Not tested on *nix but should work OK by switching the path separator from \ to /.
* Requirements:
*       - Ploticus 2.33 (http://ploticus.sourceforge.net/doc/download.html).
* Syntax:
*       <ploticus>...</ploticus>
* Script handbook:
*       http://ploticus.sourceforge.net/doc/scripthome.html
* Installation:
*       - Install Ploticus if needed (avoid spaces in path).
*       - Add in LocalSettings.php:
*               require_once('extensions/Ploticus.php');
*               $wgPloticusSettings->exePath = 'D:\Ploticus\bin\pl.exe';
*               $wgPloticusSettings->imageFormat = 'gif';
* Todo:
*       - Add support for clickable maps.
*       - Clean up previously generated files in the Ploticus folder.
*       - Add support for pretty PNG.
* Warning:
*       - Designed with security in mind, but this is my first public PHP script and should be reviewed!
*/
 
if (!defined('MEDIAWIKI')) die();
 
class PloticusSettings {
        function PloticusSettings () {
                // Set path to the Ploticus executable (can be overridden in LocalSettings.php).
                $this->exePath = 'D:\Ploticus\bin\pl.exe';
                // Set the image format (gif by default, png not supported on Windows, svg not supported on IE 6).
                $this->imageFormat = 'gif';
        }
}
 
$wgPloticusSettings = new PloticusSettings;
$wgExtensionFunctions[] = 'wfPloticusExtension';
$wgExtensionCredits['parserhook'][] = array(
        'name' => 'Ploticus',
        'version'=> '1.0',
        'author' => 'Flavien Scheurer',
        'url' => '[[Extension:Ploticus]]',
        'description' => 'Ploticus extension for just-in-time graph generation<br/>Syntax is &lt;ploticus&gt;...&lt;/ploticus&gt;<br/>Script handbook: http://ploticus.sourceforge.net/doc/scripthome.html',
        );
 
function wfPloticusExtension() {
        global $wgParser;
        $wgParser->setHook('ploticus', 'renderPloticus');
}
 
function renderPloticus( $ploticusData ) {
        global $wgPloticusSettings, $wgUploadDirectory, $wgUploadPath;
        // Holds Ploticus' stderr output. Initialised here so that the cached-image path below
        // (where Ploticus is not run) does not read an undefined variable.
        $errorData = '';
        // Remove potentially dangerous keywords. This is a substring blacklist: it strips
        // "#shell" and "#system" (and mangles innocent words such as "subsystem"), but leaves
        // other file-handling functions such as $chmod() and $unlink() untouched; see the
        // Warning section above before exposing this to untrusted editors.
        $replaces = array('`'  => '', 'system' => '', 'shell' => '');
        $ploticusData = strtr($ploticusData, $replaces);
        // Create the image directory. The web server user that creates it is the only writer,
        // so 0755 is sufficient; the original 0777 made the directory world-writable.
        $ploticusDirectory = $wgUploadDirectory . '/ploticus/';
        if (!is_dir($ploticusDirectory)) {
                mkdir($ploticusDirectory, 0755);
        }
        // Generate a file name based on the hashed ploticus data.
        $name = md5($ploticusData);
        $graphFile = $ploticusDirectory . $name . '.' . $wgPloticusSettings->imageFormat;
        $graphURL = $wgUploadPath . '/ploticus/' . $name . '.' . $wgPloticusSettings->imageFormat;
        // Check if a previous plot is available.
        if (!file_exists($graphFile)) {
                $dataFile = $ploticusDirectory . $name . '.plo';
                $errorFile = $ploticusDirectory . $name . '.txt';
                // Verify that Ploticus is installed.
                if (!file_exists($wgPloticusSettings->exePath)) {
                        return ('<p><strong>Error: Could not find Ploticus in <em>' . $wgPloticusSettings->exePath . '</em></strong></p>');
                }
                // Write the ploticus data to a file, and stop if the upload directory is not writable.
                if (file_put_contents($dataFile, $ploticusData) === false) {
                        return ('<p><strong>Error: Could not write the Ploticus script to <em>' . htmlspecialchars($ploticusDirectory) . '</em></strong></p>');
                }
                //Set the command line.
                $commandline = wfEscapeShellArg($wgPloticusSettings->exePath) .
                        ' -' . $wgPloticusSettings->imageFormat .
                        ' ' . wfEscapeShellArg($dataFile) .
                        ' -o ' . wfEscapeShellArg($graphFile) .
                        ' 2>' . wfEscapeShellArg($errorFile);
                // Execute Ploticus.
                wfShellExec($commandline);
                // Read the error messages from the error file.
                $errorData = file_get_contents($errorFile);
                // Delete the ploticus data and error files.
                if (file_exists($dataFile)) { unlink($dataFile);}
                if (file_exists($errorFile)) { unlink($errorFile);}
        }
        // Prepare the output. The error text echoes the user-supplied script back into the page,
        // so it must be HTML-escaped before it is emitted.
        if ($errorData != '') {
                return ('<p><strong>Error processing Ploticus data:</strong><br/><pre>' . htmlspecialchars($errorData) . '</pre></p>');
        }
        elseif (!file_exists($graphFile)) {
                // Ploticus wrote nothing to stderr but produced no image either (e.g. the executable could not be run).
                return ('<p><strong>Error: Ploticus did not produce an image.</strong></p>');
        }
        else {
                return ('<p><img src="' . htmlspecialchars($graphURL) . '" alt="Ploticus Chart"></p>');
        }
}