Another option is just removing the $wgServer back compat value.
The installer will automatically set $wgServer in LocalSettings.php. The default value in DefaultSettings.php is mostly for compat with really old installs before 1.16.
Allowing autodetection is a security vulnerability - albeit mostly difficult to exploit. The primary method is via cache poisoning and then either redirecting or otherwise tricking users about the fake domain. See the original ticket https://phabricator.wikimedia.org/T30798. Another possibility is putting unsafe values in the host header to try and get an XSS (followed by cache poisoning so it's not just self XSS). I'm unsure off the top of my head what validation if any is done (I'm pretty sure it's less strict than legal domains) so I'm not sure how practical that is.
Anyways, 1.16 was a long time ago; put my vote as we should make a breaking change and just throw an exception if wgServer is not set in LocalSettings.php.
-- Brian
P.S. People with access to security tasks may also find the phab comment at https://phabricator.wikimedia.org/T157426#3192740 interesting, where some of the implications of $wgServer were discussed (note the task was primarily about something else and is unfortunately still secret).
On Tuesday, June 25, 2019, Kunal Mehta legoktm@member.fsf.org wrote:
Hi,
I (with Reedy's help) recently started work on librarizing MediaWiki's IP class into a separate composer package (wikimedia/ip-utils[1]). The main motivation was so that the Parsoid PHP port could use it[2].
However, I ran into an unexpected hitch[3], as it seems we're using the IP class before the composer autoloader is even initialized. Here's the basic initialization in Setup.php:
- AutoLoader.php (MediaWiki's)
- Defines.php
- DefaultSettings.php
  - $wgServer = WebRequest::detectServer()
    - Calls IP::splitHostAndPort()
- GlobalFunctions.php
- vendor/autoload.php (composer's)
My understanding is that composer's autoloader runs late so extensions registering themselves using it can add their stuff to the necessary globals.
And we call WebRequest::detectServer() in DefaultSettings.php so that in LocalSettings.php people can use the value of $wgServer for other stuff.
I see 3 main ways to move forward:
1. Move vendor/autoload.php earlier in Setup.php, potentially breaking extensions that still rely on composer autoloading for initialization.
2. Set $wgServer = false or something in DefaultSettings.php, and then fill it in later in Setup.php *after* the composer autoloader has been loaded, potentially breaking anyone relying on the value of $wgServer in LocalSettings.php.
3. (status quo) not librarize code that runs before composer autoloader initialization. :(
Advice/input welcome.
[1] https://packagist.org/packages/wikimedia/ip-utils
[2] https://gerrit.wikimedia.org/g/mediawiki/services/parsoid/+/77064cfff7176493a2828bb4f95f397dfce7d659/src/Utils/Title.php#46
[3] https://gerrit.wikimedia.org/r/c/mediawiki/core/+/519089/
-- Legoktm
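The reply at the top of this thread proposes throwing an exception when $wgServer is not configured instead of autodetecting it from the request. An added example of that fail-closed behaviour combined with a strict Host check follows; it is not MediaWiki code, `isStrictHost`, `resolveServer` and the sample hosts are hypothetical, and only DNS-style hostnames (no IPv6 literals) are handled:

```php
<?php
// Added illustration, not MediaWiki code; function names are hypothetical.

/** Strict host[:port] check: LDH labels only, so markup and whitespace fail. */
function isStrictHost(string $host): bool {
    if (!preg_match('/^([a-z0-9.-]{1,253})(?::(\d{1,5}))?$/iD', $host, $m)) {
        return false;
    }
    if (isset($m[2]) && ((int)$m[2] < 1 || (int)$m[2] > 65535)) {
        return false;
    }
    foreach (explode('.', $m[1]) as $label) {
        // Each label is 1-63 characters with no leading or trailing hyphen.
        if (!preg_match('/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/iD', $label)) {
            return false;
        }
    }
    return true;
}

/**
 * Fail closed: the server URL used in generated links comes only from
 * configuration. The Host header is compared to it, never copied from.
 * Returns [canonical server URL, whether the request's Host matches it].
 */
function resolveServer(?string $configured, ?string $hostHeader): array {
    $host = $configured ? parse_url($configured, PHP_URL_HOST) : null;
    if (!is_string($host) || !isStrictHost($host)) {
        throw new RuntimeException('Server URL must be set explicitly in configuration');
    }
    $port = parse_url($configured, PHP_URL_PORT);
    $expected = strtolower($port ? "$host:$port" : $host);
    $matches = $hostHeader !== null
        && isStrictHost($hostHeader)
        && strtolower($hostHeader) === $expected;
    return [$configured, $matches];
}

// Constructed sample Host header values (not taken from any real request).
$samples = ['wiki.example.org', 'WIKI.example.org', 'other.example.net', 'wiki.example.org"><b>', null];
foreach ($samples as $h) {
    [$server, $ok] = resolveServer('https://wiki.example.org', $h);
    printf("%-26s -> links use %s, host %s\n", var_export($h, true), $server, $ok ? 'accepted' : 'rejected');
}
try {
    resolveServer(null, 'wiki.example.org'); // nothing configured: refuse to guess
} catch (RuntimeException $e) {
    echo 'unset: ', $e->getMessage(), "\n";
}
```

Because the returned URL never derives from the request, a response stored by a shared cache cannot carry a host the requester chose; the match flag lets the caller decline to serve or cache requests with an unexpected Host.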