[[Extension:Runphp page/ru]]


Hello.

On the 10th of September you deleted Extension:Runphp page/ru (citing 'fundamentally unsafe' as your reason). While I agree with your argument, I disagree with its conclusion: the fact that something is unsafe means it should be labeled as such, not removed permanently. I can see several places where such an extension could be useful, for example in a wiki that is edited only by a very limited number of people who simply use it as a "mini" collaborative site. If you have several admins who already have access to the server, you wouldn't worry if they had access to the functionality of running a PHP script within MediaWiki. I am sure there are other uses as well. But the complete removal takes away people's ability to use it in any way (including the safe way). That's akin to deleting MultiUpload extensions because, on hosting where you prepay for bandwidth and storage, you can be DDoSed using them if you set them up on a public wiki. Of course you can, but the point is that there are uses where they are safe.

Thank you for your time. Beta M 08:01, 1 October 2011 (UTC)


An attacker doesn't need to have access to a site with this extension; the only thing he needs to know is its URL. Then he can construct a link like http://example.com/wiki/api.php?action=parse&text=<runphp>whackSiteDown();</runphp> and trick an admin into clicking on it. There is no way this can be acceptable to use, in any environment; hosting a page for this extension would be like publishing a suicide how-to.

Max Semenik 08:26, 1 October 2011
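An added example, not part of either post and not code from the extension: a check that scans web-server access logs for the kind of link described in the reply above, i.e. `api.php?action=parse` requests whose `text` parameter carries a `<runphp>` tag. The Apache combined log format, the sample lines and the function names are assumptions made for illustration; only GET requests are visible this way, since POST bodies are not logged.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed access-log lines (combined log format); not from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Oct/2011:08:30:01 +0000] "GET /wiki/api.php?action=parse&text=%3Crunphp%3EwhackSiteDown()%3B%3C%2Frunphp%3E HTTP/1.1" 200 512 "http://forum.example.net/t/42" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Oct/2011:08:31:10 +0000] "GET /wiki/api.php?action=parse&text=%27%27hello%27%27 HTTP/1.1" 200 230 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Oct/2011:08:32:44 +0000] "GET /wiki/api.php?action=parse&text=%253CRunPHP%253Ex()%253B%253C/runphp%253E HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Oct/2011:08:33:02 +0000] "GET /wiki/index.php?title=Main_Page HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

# client, method, request target, referer from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \S+ "([^"]*)"')
# opening <runphp> tag; matched case-insensitively to be conservative
TAG_RE = re.compile(r'<\s*runphp\b', re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded tags are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_runphp_parse_requests(lines):
    """Return one record per request that asks the parse API to render <runphp>."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, referer = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith('/api.php'):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if 'parse' not in [a.lower() for a in params.get('action', [])]:
            continue
        for text in params.get('text', []):
            decoded = fully_decode(text)
            if TAG_RE.search(decoded):
                # An off-site referer fits the "tricked into clicking" case.
                hits.append({'client': client, 'referer': referer, 'text': decoded})
                break
    return hits
```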
 