Gentlemen, what do you think of my single MediaWiki file tree for both my wikis, which must not only work on localhost, but on the production server too,
drwxr-xr-x 16 1024 2007-03-06 04:22 mediawiki
lrwxrwxrwx 1 17 2007-03-06 04:22 radioscanningtw.jidanni.org -> mediawiki
lrwxrwxrwx 1 17 2007-03-06 04:23 taizhongbus.jidanni.org -> mediawiki
$ cat mediawiki/LocalSettings.php
...
#combined taizhongbus and radioscanningtw LocalSettings.php
$jidanni_R='radioscanningtw.jidanni.org';
$jidanni_T='taizhongbus.jidanni.org';
#So works with web pages and maintenance scripts:
$jidanni_haystack=$_SERVER['SCRIPT_FILENAME'].$_SERVER['PWD'];
if(strpos($jidanni_haystack, $jidanni_R)){
  $wgScriptPath="/$jidanni_R";
  $wgSitename='台掃';
  $wgLogo="$wgScriptPath/skins/common/images/ar-3000a.png";
  $wgProxyKey=...
  $wgDBname=...
}elseif(strpos($jidanni_haystack, $jidanni_T)){
  $wgScriptPath="/$jidanni_T";
  $wgSitename='中公';
  $wgLogo="$wgScriptPath/skins/common/images/tzbus.png";
  $wgProxyKey=...
  $wgDBname=...
}else{
  trigger_error(" Website broken again, please telephone me, (04)25854780. --- Wrong $jidanni_haystack: \"$jidanni_haystack\"", E_USER_ERROR);
}
...
switch ($wgServerName){
  case 'localhost':
    $wgDBserver='localhost';
    $wgDBuser=...
    $wgDBpassword=...
    $wgDBprefix=...
    break;
  default:
    $wgDBserver="mysql.$wgServerName";
    $wgDBuser=...
    $wgDBpassword=...
    $wgDBprefix=...
    break;
}

Similarly in AdminSettings.php.
So what do you think? Asking for trouble? Will be sorry later? Heading for a fall?
I'd probably set one starting file for radioscanningtw.jidanni.org and another for taizhongbus.jidanni.org, containing its respective LocalSettings code:
define( 'MEDIAWIKI', true );
require_once( 'mediawiki/StartProfiler.php' );
require_once( 'mediawiki/includes/Defines.php' );

<Your LocalSettings content>

require_once( 'mediawiki/includes/OutputHandler.php' );
ob_start( 'wfOutputHandler' );

require_once( 'mediawiki/index.php');
Commenting out from index.php require_once( './includes/WebStart.php' ); and adding to the top of the per-server file the bunch of checks includes/WebStart does. Our devs' opinion will be more useful, as I'm sure the apaches don't have a MediaWiki copy per Wikipedia ;)
default: $wgDBserver="mysql.$wgServerName";
So what do you think? Asking for trouble? Will be sorry later? Heading for a fall?
I suppose you know what will be happening if someone finds a way to overwrite your $wgServer variable...
In my previous post, "multiple wikis, single MediaWiki file tree", I demonstrated my sparkling single LocalSettings.php, AdminSettings.php, and indeed entire MediaWiki file tree, for multiple wikis right there on the same server.
Platonides (P) responded with a more aggressive approach that rips up more of LocalSettings.php than I (D) dare. And in closing, he says
D> $wgDBserver="mysql.$wgServerName";
P> I suppose you know what will be happening if someone finds a way to
P> overwrite your $wgServerName variable...
How could that happen? $wgServerName is born in the safe confines of DefaultSettings.php.
Dan Jacobson wrote:
D> $wgDBserver="mysql.$wgServerName";
P> I suppose you know what will be happening if someone finds a way to
P> overwrite your $wgServerName variable...
How could that happen? $wgServerName is born in the safe confines of DefaultSettings.php.
I don't know, I wrote without even checking where it was set. It's a matter of making secure code. There are hundreds of exploits taking advantage of things the owner thought "couldn't be done". Appending the result to a server on the default case is very bad. There's no need to do it in this way, so why do it? Tomorrow PHP could find a problem in the way $_REQUEST variables are used, compromising your system.
Let's focus on how $wgServer "is born in the safe confines":
#DefaultSettings
if( isset( $_SERVER['SERVER_NAME'] ) ) {
  $wgServerName = $_SERVER['SERVER_NAME'];
} elseif( isset( $_SERVER['HOSTNAME'] ) ) {
  $wgServerName = $_SERVER['HOSTNAME'];
} elseif( isset( $_SERVER['HTTP_HOST'] ) ) {
  $wgServerName = $_SERVER['HTTP_HOST'];
} elseif( isset( $_SERVER['SERVER_ADDR'] ) ) {
  $wgServerName = $_SERVER['SERVER_ADDR'];
} else {
  $wgServerName = 'localhost';
}
It is built from one of several pieces of information the server passes to it. What happens if you're using a server which doesn't give SERVER_NAME or HOSTNAME to your script (the server doesn't support it, or it is not being passed to the script if using FastCGI/ISAPI/CGI...)?
Then the value is taken from 'HTTP_HOST'. Notice the HTTP_ before? It's a parameter passed by the user in the HTTP request. What happens if I send to server X a request saying I'm querying server Y? If it uses virtual hosts, it will probably tell me there's no such domain on that server, but if the server is listening by IP, it could reach the wiki. And now on the wiki I can arbitrarily set your dbserver and steal your login data. There are a number of mitigating factors, so your wiki is probably not vulnerable, but you don't want to be if you change servers, do you?
On the line of "how could that happen?", you can read a report about an old MediaWiki bug where IPs were faked, the safe X-Forwarded-For provided by the squids was overwritten: http://en.wikipedia.org/wiki/User:Brion_VIBBER/Cool_Cat_incident_report
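An added example, not part of the thread or of MediaWiki's code, contrasting the two ways of choosing the database host once the server name falls back to the Host header as described in the message above. The function names, the hosts wiki.example and elsewhere.example, the address 192.0.2.10 and the lookup table are assumptions made for the illustration.

```php
<?php
// Added illustration. wiki.example, elsewhere.example and 192.0.2.10 are constructed.

// Same fallback order as the DefaultSettings.php excerpt quoted in the thread.
function resolveServerName(array $server): string {
    foreach (['SERVER_NAME', 'HOSTNAME', 'HTTP_HOST', 'SERVER_ADDR'] as $key) {
        if (isset($server[$key])) {
            return $server[$key];
        }
    }
    return 'localhost';
}

// Pattern from the combined LocalSettings.php: the detected name is trusted as-is.
function dbServerByConcatenation(string $name): string {
    return $name === 'localhost' ? 'localhost' : "mysql.$name";
}

// Alternative: the DB host comes from a fixed table, never from request data.
function dbServerFromTable(string $name, array $table): string {
    $key = strtolower((string) preg_replace('/:\d+$/', '', $name)); // drop :port
    if (!array_key_exists($key, $table)) {
        throw new RuntimeException('unknown server name, no DB host chosen');
    }
    return $table[$key];
}

$table = [ // hypothetical mapping
    'localhost'    => 'localhost',
    'wiki.example' => 'mysql.wiki.example',
];

$environments = [ // constructed $_SERVER contents
    'server supplies SERVER_NAME' =>
        ['SERVER_NAME' => 'wiki.example', 'HTTP_HOST' => 'elsewhere.example'],
    'only the Host header is available' =>
        ['HTTP_HOST' => 'elsewhere.example', 'SERVER_ADDR' => '192.0.2.10'],
];

foreach ($environments as $label => $server) {
    $name = resolveServerName($server);
    try {
        $fixed = dbServerFromTable($name, $table);
    } catch (RuntimeException $e) {
        $fixed = 'refused (' . $e->getMessage() . ')';
    }
    printf("%s\n  name: %s\n  concatenated: %s\n  table: %s\n",
        $label, $name, dbServerByConcatenation($name), $fixed);
}
```

In the second environment the concatenated form follows whatever the request's Host header said, while the table lookup refuses to pick a database host.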
On 16/03/07, Platonides Platonides@gmail.com wrote:
Dan Jacobson wrote:
D> $wgDBserver="mysql.$wgServerName";
P> I suppose you know what will be happening if someone finds a way to
P> overwrite your $wgServerName variable...
How could that happen? $wgServerName is born in the safe confines of DefaultSettings.php.
I don't know, I wrote without even checking where it was set. It's a matter of making secure code. There are hundreds of exploits taking advantage of things the owner thought "couldn't be done". Appending the result to a server on the default case is very bad. There's no need to do it in this way, so why do it? Tomorrow PHP could find a problem in the way $_REQUEST variables are used, compromising your system.
[snip]
There are arguably genuine concerns in this, but ultimately, if your $wgServerName variable is not being set safely or at all, then you'd likely be overriding it or fixing Apache so it was properly detected.
Rob Church
wikitech-l@lists.wikimedia.org