On 27/6/19 10:36 am, Brian Wolff wrote:
> Another option is just removing the $wgServer back compat value.
> The installer will automatically set $wgServer in LocalSettings.php. The
> default value in DefaultSettings.php is mostly for compat with really old
> installs before 1.16.
> Allowing autodetection is a security vulnerability - albeit mostly
> difficult to exploit. The primary method is via cache poisoning and then
> either redirecting or otherwise tricking users about the fake domain. See
> the original ticket
> https://phabricator.wikimedia.org/T30798 .
Interesting that I wrote there: "How about this: let's set $wgServer
in the installer in 1.18, and remove $wgServer autodetection from
DefaultSettings.php a bit later, say in 1.20."
It was indeed 1.18, not 1.16, in which $wgServer started being set in
LocalSettings.php. I added it to LocalSettingsGenerator.php here:
https://www.mediawiki.org/wiki/Special:Code/MediaWiki/90105
Anyway, it's past 1.20 so I guess that would be a good thing to do.
-- Tim Starling
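An added illustration, not MediaWiki's own code (function names, the allowlist and the sample request are hypothetical), of the difference the thread turns on: a server URL autodetected from the request's Host header is under the requester's control, while a $wgServer fixed in LocalSettings.php is not.

```php
<?php
// Added illustration, not MediaWiki code. Names below are hypothetical.

/**
 * Build the canonical server URL the way a back-compat default would:
 * trust whatever Host header the request (or a cached copy of it) carries.
 */
function serverFromRequest(array $req): string {
    $https = !empty($req['HTTPS']) && $req['HTTPS'] !== 'off';
    return ($https ? 'https' : 'http') . '://' . $req['HTTP_HOST'];
}

/**
 * Hardened resolution: prefer the configured value; if autodetection is
 * still wanted, only accept a Host that matches an explicit allowlist.
 * Returns null when the request cannot be trusted to name the server.
 */
function resolveServer(?string $configured, array $req, array $allowedHosts): ?string {
    if ($configured !== null && $configured !== '') {
        return rtrim($configured, '/');
    }
    $host = strtolower($req['HTTP_HOST'] ?? '');
    // Drop an optional :port before comparing against the allowlist.
    $bare = preg_replace('/:\d+$/', '', $host);
    if (!in_array($bare, $allowedHosts, true)) {
        return null;  // unknown Host: refuse to build absolute URLs from it
    }
    return serverFromRequest($req);
}

// Constructed sample request whose Host header names a domain the wiki
// does not own (what a poisoned cache entry would have recorded).
$untrusted = ['HTTP_HOST' => 'wiki.example-lookalike.test', 'HTTPS' => 'on'];
$allowed   = ['wiki.example.org'];

// Autodetected: any redirect or absolute link built from this leaves the real site.
echo serverFromRequest($untrusted), "\n";

// With $wgServer set in LocalSettings.php the request has no influence on it.
echo resolveServer('https://wiki.example.org', $untrusted, $allowed), "\n";

// Autodetection guarded by an allowlist rejects the unknown Host instead.
var_dump(resolveServer(null, $untrusted, $allowed));
```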