The MediaWiki team has already reduced attack surface by making the sw less functional, less fun, and basically broken, so what is the difference? Practically none - some other upstart sw will take their place and engage the CIA triad with more efficiency and adroitness, so API functions are largely irrelevant in the longer term, sort of like Ozzy Osbourne and Tony Bourdain. MW had a good run; perhaps they can regain some degree of functionality that was lost in the last few updates, but the future is unwritten.
On Thu, Aug 24, 2023 at 8:03 AM mediawiki-l-request@lists.wikimedia.org wrote:
Today's Topics:
- Disable api.php and rest.php? (Jeffrey Walton)
- Re: Disable api.php and rest.php? (Amir Sarabadani)
Message: 1
Date: Wed, 23 Aug 2023 17:13:49 -0400
From: Jeffrey Walton noloader@gmail.com
Subject: [MediaWiki-l] Disable api.php and rest.php?
To: MediaWiki announcements and site admin list mediawiki-l@lists.wikimedia.org
Message-ID: <CAH8yC8nLtkGYhP7dnXpo-hMvnND2Nht66v+UKoanBZSQ-37LXQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Hi Everyone,
I was looking at our Special:Version page, and got to thinking about api.php [1] and rest.php.[2] I don't believe anyone on our team is using the APIs, and I would like to disable them to reduce attack surface. Or disable them on external interfaces (or maybe allow on localhost/127.0.0.1).
I see api.php can be disabled via $wgEnableAPI.[1] But I don't see a similar option for rest.php.[2]
I have two questions. First, is it possible to disable api.php and rest.php in practice? Or restrict them to internal interfaces only?
Second, what option controls rest.php?
And maybe a third question, can we rename api.php and rest.php to, say, api.php.unused and rest.php.unused? Will that produce ill effects?
Thanks in advance.
[1] https://www.mediawiki.org/wiki/Manual:Api.php
[2] https://www.mediawiki.org/wiki/Manual:Rest.php
Message: 2
Date: Thu, 24 Aug 2023 04:15:44 +0200
From: Amir Sarabadani ladsgroup@gmail.com
Subject: [MediaWiki-l] Re: Disable api.php and rest.php?
To: noloader@gmail.com, MediaWiki announcements and site admin list mediawiki-l@lists.wikimedia.org
Message-ID: <CA+ttme1kSV34WZb=oAuqba1mvbCOyjnR6_bre=TMRGMkxhYNaw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="0000000000006298f80603a1d0dc"
You could technically decline access in Apache (or whatever software you're using).
But I need to warn: Many functionalities of MediaWiki are done by calling the API in the backend, e.g. when you log out, it calls an API, when you watch a page, it calls another API, and all of those would break if you disable the api.php or rest.php.
HTH
-- Amir (he/him)
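Whether anyone depends on api.php or rest.php can be checked from the web server's access log before access is restricted. The following is an added example, not part of the thread or of MediaWiki: a Python tally over Apache combined-format log lines that separates loopback from remote callers. The sample log lines, the addresses and the /w/ script path are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
ENTRY_POINTS = ("api.php", "rest.php")

def api_usage(lines):
    """Tally hits as (entry point, 'local'|'remote', API action or REST route)."""
    usage = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, _method, target, _status = m.groups()
        url = urlsplit(target)
        segments = url.path.split("/")
        entry = next((s for s in segments if s in ENTRY_POINTS), None)
        if entry is None:
            continue  # index.php, static files, etc.
        try:
            local = ipaddress.ip_address(client).is_loopback
        except ValueError:
            local = False  # hostname logged instead of an address
        if entry == "api.php":
            # POST requests carry the action in the body, which is not logged.
            detail = parse_qs(url.query).get("action", ["(in POST body)"])[0]
        else:
            detail = "/" + "/".join(segments[segments.index(entry) + 1:])
        usage[(entry, "local" if local else "remote", detail)] += 1
    return usage

def would_break(usage):
    """Calls from non-loopback clients; these fail under a localhost-only rule."""
    return sorted(key for key in usage if key[1] == "remote")

# Constructed sample input (documentation address ranges, hypothetical /w/ path).
SAMPLE = [
    '203.0.113.7 - - [24/Aug/2023:10:00:01 +0000] "POST /w/api.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Aug/2023:10:00:05 +0000] "GET /w/api.php?action=query&meta=userinfo&format=json HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [24/Aug/2023:10:01:00 +0000] "GET /w/api.php?action=query&format=json HTTP/1.1" 200 120 "-" "curl/8.0"',
    '198.51.100.9 - - [24/Aug/2023:10:02:00 +0000] "GET /w/rest.php/v1/page/Main_Page HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [24/Aug/2023:10:02:03 +0000] "GET /w/index.php?title=Main_Page HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for key in would_break(api_usage(SAMPLE)):
        print(*key)
```

Remote entries in the output are browser or client calls that would start failing once the endpoints are blocked for external clients.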