The MediaWiki team has already reduced attack surface by making the sw less
functional, less fun, and basically broken, so what is the difference?
Practically none - some other upstart sw will take their place and engage
the CIA triad with more efficiency and adroitness, so API functions are
largely irrelevant in the longer term, sort of like Ozzy Osbourne and Tony
Bourdain. MW had a good run; perhaps they can regain some degree of
functionality that was lost in the last few updates, but the future is
unwritten.
On Thu, Aug 24, 2023 at 8:03 AM <mediawiki-l-request(a)lists.wikimedia.org>
wrote:
Send MediaWiki-l mailing list submissions to
mediawiki-l(a)lists.wikimedia.org
To subscribe or unsubscribe, please visit
https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
You can reach the person managing the list at
mediawiki-l-owner(a)lists.wikimedia.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of MediaWiki-l digest..."
Today's Topics:
1. Disable api.php and rest.php? (Jeffrey Walton)
2. Re: Disable api.php and rest.php? (Amir Sarabadani)
----------------------------------------------------------------------
Message: 1
Date: Wed, 23 Aug 2023 17:13:49 -0400
From: Jeffrey Walton <noloader(a)gmail.com>
Subject: [MediaWiki-l] Disable api.php and rest.php?
To: MediaWiki announcements and site admin list
<mediawiki-l(a)lists.wikimedia.org>
Message-ID: <CAH8yC8nLtkGYhP7dnXpo-hMvnND2Nht66v+UKoanBZSQ-37LXQ(a)mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Hi Everyone,
I was looking at our Special:Version page, and got to thinking about
api.php [1] and rest.php.[2] I don't believe anyone on our team is
using the APIs, and I would like to disable them to reduce attack
surface. Or disable them on external interfaces (or maybe allow on
localhost/127.0.0.1).
I see api.php can be disabled via $wgEnableAPI.[1] But I don't see a
similar option for rest.php.[2]
I have two questions. First, is it possible to disable api.php and
rest.php in practice? Or restrict them to internal interfaces only?
Second, what option controls rest.php?
And maybe a third question, can we rename api.php and rest.php to, say,
api.php.unused and rest.php.unused? Will that produce ill effects?
Thanks in advance.
[1]
https://www.mediawiki.org/wiki/Manual:Api.php
[2]
https://www.mediawiki.org/wiki/Manual:Rest.php
------------------------------
Message: 2
Date: Thu, 24 Aug 2023 04:15:44 +0200
From: Amir Sarabadani <ladsgroup(a)gmail.com>
Subject: [MediaWiki-l] Re: Disable api.php and rest.php?
To: noloader(a)gmail.com, MediaWiki announcements and site admin list
<mediawiki-l(a)lists.wikimedia.org>
Message-ID: <CA+ttme1kSV34WZb=oAuqba1mvbCOyjnR6_bre=TMRGMkxhYNaw(a)mail.gmail.com>
You could technically decline access in Apache (or whatever software you're
using).
But I need to warn: Many functionalities of MediaWiki are done by calling
the API in the backend, e.g. when you log out, it calls an API, when you
watch a page, it calls another API, and all of those would break if you
disable the api.php or rest.php.
HTH
--
Amir (he/him)
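
The Apache-level restriction suggested in the reply above, as an added example that is not part of the original thread or of MediaWiki's own documentation. It assumes Apache 2.4 and uses the placeholder install path /var/www/mediawiki; it allows api.php and rest.php from loopback only, which is the "localhost/127.0.0.1" option raised in the question.

```apache
# Placeholder path (assumption): the directory that holds api.php and rest.php.
<Directory "/var/www/mediawiki">
    # Match the two entry points by file name. A request such as
    # /rest.php/v1/page/Main_Page still maps to the file rest.php,
    # so the trailing path does not bypass this section.
    <FilesMatch "^(api|rest)\.php$">
        # Apache 2.4 authorization: permit loopback clients only
        # (127.0.0.0/8, ::1, or client and server address identical).
        # All other clients receive 403 Forbidden.
        Require local
    </FilesMatch>
</Directory>
```

If Apache sits behind a reverse proxy on the same host, every request appears local unless mod_remoteip restores the real client address. As the reply warns, features that call the API stop working for any client this rule denies.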