Allow site config to be overridden by JSON

[edg2s]

Fixes #19

[MatmaRex]

I'm 99% sure this allows you to execute arbitrary PHP, just win some extra steps.

There are various config variables that let you read from (e.g. $wgExtensionMessagesFiles) or write to ($wgDebugLogFile) arbitrary files. Or maybe just add "eval" to $wgHooks for some hook that handles user input. I haven't figured out how exactly to exploit it, but it almost certainly can be done.

I think we should figure out a different way of whitelisting (#51 (comment)) or something.

[edg2s]

I'm 99% sure this allows you to execute arbitrary PHP, just win some extra steps.

As a V+1 user I can create a patch that does the same thing, so surely this is no less secure?

[MatmaRex]

Yes but we won't demo your patch unless it has V+2.

[edg2s]

I mean V+2 - you can write a pretty malicious patch and still get V+2 as long as you are trusted. If you aren't trusted you can't create a patch demo anyway.

[DemianX0]

1. Am I correct to assume as a non-trustedcontributor one can still create a demo from somebody's V+2 patch with arbitrary config.json, that could be malicious?

2. What's the abuse potential? I guess dumping these wikis, gaining access to passwords preferably not used anywhere.

[edg2s]

I think we should figure out a different way of whitelisting (#51 (comment)) or something.

The problem with the email whitelist is that OAuth doesn't give us the user email, so we would need to create a separate SUL-based account whitelist.

[edg2s]

See #112