Hi,
Danny B. and I adapted the script used for non-existing wikis (trunk/tools/web-scripts/missing.php) so it redirects to the respective test wiki at Wikimedia Incubator. This would be a huge usability improvement (however, only for languages configured in Wikimedia). For Wikiversity & Wikisource, the "wiki does not exist" message remains, because BetaWV and OldWikisource don't have a logical page naming system to redirect to.
So I would like to ask if someone can review & deploy this (Commits are here: https://www.mediawiki.org/wiki/Special:Code/MediaWiki?path=/trunk/tools/web-... it may be easier to just review current trunk version). That would be great :)
The relevant bug report is https://bugzilla.wikimedia.org/show_bug.cgi?id=30206 (the initial idea was to do it via DNS/Apache config)
Thank you, SPQRobin
On Sun, Dec 18, 2011 at 4:06 PM, Robin Pepermans robinp.1273@gmail.com wrote:
> So I would like to ask if someone can review & deploy this (Commits are here: https://www.mediawiki.org/wiki/Special:Code/MediaWiki?path=/trunk/tools/web-... it may be easier to just review current trunk version). That would be great :)
I've simplified the code a bit in r106818 and added escaping (there wasn't any, so there were multiple XSS vulnerabilities) in r106819 and r106822.
The only remaining issue I see is that the script assumes the requested URL will be something like http://foobar.wikipedia.org/wiki/Bazquux , while it might legitimately be /w/index.php?.... or /w/api.php or whatever. These cases should be handled in some way. We may not be able to redirect to the incubator intelligently in these cases so we may have to fall back to the error page, but we should at least detect this case rather than pretending it doesn't exist.
Roan
Thank you. I thought $language and $project wouldn't need escaping because their values are known: $project can only be one of wikipedia, wikisource, ... and $language only one of http://noc.wikimedia.org/conf/langlist
I tried to address URLs like /w/index.php?title= in r106857 but I'm not sure it is the correct way. It's difficult to test. If no /wiki/Page or $_GET['title'] defined, it will default to the Main Page.
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
On Tue, Dec 20, 2011 at 9:51 PM, Robin Pepermans robinp.1273@gmail.com wrote:
> Thank you. I thought $language and $project wouldn't need escaping because their values are known: $project can only be one of wikipedia, wikisource, ... and $language only one of http://noc.wikimedia.org/conf/langlist
That's usually true in practice, but only because such URLs are the only ones that DNS to our IP. That's probably easy to circumvent. You're right that this isn't nearly as easy to exploit as I thought it was, but I think it's not impossible, so better safe than sorry.
> I tried to address URLs like /w/index.php?title= in r106857 but I'm not sure it is the correct way. It's difficult to test. If no /wiki/Page or $_GET['title'] defined, it will default to the Main Page.
That logic looks good to me. Your change seems to have broken it again, though, see https://www.mediawiki.org/wiki/Special:Code/MediaWiki/106857#c28196 .
Roan
On Wed, Dec 21, 2011 at 4:36 PM, Roan Kattouw roan.kattouw@gmail.com wrote:
>> I tried to address URLs like /w/index.php?title= in r106857 but I'm not sure it is the correct way. It's difficult to test. If no /wiki/Page or $_GET['title'] defined, it will default to the Main Page.
> That logic looks good to me. Your change seems to have broken it again, though, see https://www.mediawiki.org/wiki/Special:Code/MediaWiki/106857#c28196 .
What about paths in /<variant>/<pagename> style? -Liangent
Fixed in r106957. I apparently made the commit too quickly, I also forgot a } with elseif.
For the /variant/ instead of /wiki/, I think it will work for the old secure server but for the normal URLs there is a preg_replace '/^/wiki//' so it won't recognise a variant there (it would default to the Main Page). However, I think such URLs are only configured for Chinese and Serbian, which have all projects except Wikiversity (which uses the static error page).
Thanks Roan for deploying!
I was also wondering, if language codes were simply added to that "langlist", would they work with the missing.php script? Or do they need more configuration, e.g. in DNS?
On Wed, Dec 21, 2011 at 9:53 PM, Robin Pepermans robinp.1273@gmail.com wrote:
> Thanks Roan for deploying!
> I was also wondering, if language codes were simply added to that "langlist", would they work with the missing.php script? Or do they need more configuration, e.g. in DNS?
Any language code will automatically work, but of course a request for xyz.wikipedia.org will not reach our servers unless there's a DNS entry for it. I tested this using requests with a forged Host: header.
Roan
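
The points discussed in this thread, as an added example that is not part of the thread and is not the code of missing.php: values taken from the Host header are validated against allowlists, escaped when echoed on the error page, and the page title is encoded before it goes into the redirect. The function names, the Incubator prefix map, the `Main_Page` default, the URL base and the sample language list are assumptions made for illustration.

```php
<?php
// Added example, not the code of missing.php. The prefix map, language
// list, default title and URL base are assumptions made for illustration.
const INCUBATOR_PREFIX = ['wikipedia' => 'Wp', 'wiktionary' => 'Wt',
    'wikibooks' => 'Wb', 'wikinews' => 'Wn', 'wikiquote' => 'Wq'];
const INCUBATOR_BASE = 'https://incubator.wikimedia.org/wiki/';

/** Split a Host header into [language, project]; null if it has another shape. */
function parseHost(string $host): ?array {
    if (!preg_match('/^([a-z][a-z0-9-]*)\.([a-z]+)\.org$/D', strtolower($host), $m)) {
        return null;
    }
    return [$m[1], $m[2]];
}

/** Title from /wiki/Page or ?title=, otherwise the main page. */
function requestedTitle(string $path, array $query): string {
    if (strpos($path, '/wiki/') === 0 && strlen($path) > 6) {
        return rawurldecode(substr($path, 6));
    }
    $title = $query['title'] ?? '';
    return (is_string($title) && $title !== '') ? $title : 'Main_Page';
}

function handleMissingWiki(string $host, string $path, array $query, array $langlist): array {
    $parts = parseHost($host);
    if ($parts === null || !in_array($parts[0], $langlist, true)
        || !array_key_exists($parts[1], INCUBATOR_PREFIX)) {
        // Unknown or malformed host: static error page, host escaped on output.
        $safe = htmlspecialchars($host, ENT_QUOTES, 'UTF-8');
        return ['status' => 404, 'body' => "<p>The wiki $safe does not exist.</p>"];
    }
    $page = INCUBATOR_PREFIX[$parts[1]] . "/{$parts[0]}/" . requestedTitle($path, $query);
    // Encode every path segment so the title cannot change the URL structure
    // or smuggle CR/LF into the Location header.
    $encoded = implode('/', array_map('rawurlencode', explode('/', $page)));
    return ['status' => 302, 'location' => INCUBATOR_BASE . $encoded];
}

// Constructed requests: an ordinary one and one with a forged Host header.
$langlist = ['en', 'nl', 'zh']; // constructed sample, not the real langlist
print_r(handleMissingWiki('nl.wikipedia.org', '/wiki/Foo_bar', [], $langlist));
print_r(handleMissingWiki('"><b>x</b>.wikipedia.org', '/w/index.php',
    ['title' => 'Foo'], $langlist));
```

The allowlist check and the output escaping are independent layers: the second request never reaches the redirect branch, and its host string is still escaped before it is placed in the error page.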