[MediaWiki-l] Special:Version leaks info on open_basedir

Ryan Schmidt skizzerz at gmail.com
Mon Dec 24 00:11:28 UTC 2018


In addition to Martin’s link to make git actually functional, those warnings are showing because you have display_errors turned on in your php.ini. On a production server, it is recommended that display_errors is off and that error logs are used instead. This prevents warnings and fatal errors from leaking info to site visitors.

Regards,
Ryan Schmidt

> On Dec 23, 2018, at 4:08 PM, Martin Urbanec <martin.urbanec at wikimedia.cz> wrote:
> 
> Hey,
> 
> have a look at
> https://www.mediawiki.org/w/index.php?title=Topic:Tbb9vyeslb873e9n&topic_showPostId=tbbefgxuarr3xzsv#flow-post-tbbefgxuarr3xzsv
> . This post should help you.
> 
> Best,
> Martin
> 
> On Sun, Dec 23, 2018 at 23:55, Jeffrey Walton <noloader at gmail.com>
> wrote:
> 
>> Hi Everyone,
>> 
>> A while back we applied hardening per
>> http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
>> . Our php.ini includes the following:
>> 
>>    ;; #15 Limit PHP Access To File System
>>    ;; Allows recursive descent
>>    open_basedir="/var/www/html/:/var/lib/php/"
>> 
>> When (1) the cache is stale, and (2) we run Special:Version, then part
>> of our security configuration is provided:
>> https://cryptopp.com/special-version.png
>> 
>> Is there any way to close that hole?
>> 
>> I'm OK with allowing Git to run, but I don't know how to do it short
>> of opening up /usr/bin to the web server.
>> 
>> Thanks in advance.
>> 
>> _______________________________________________
>> MediaWiki-l mailing list
>> To unsubscribe, go to:
>> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>> 

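The check Ryan describes, as an added example that is not part of the original thread: a small Python audit that reads php.ini text and reports whether warnings would be shown to visitors or go unlogged. The two sample files are constructed (only the open_basedir line comes from the thread), and the error_log path is hypothetical.

```python
# Added example: audit php.ini text for the error-display settings discussed above.
TRUE_VALUES = {"1", "on", "true", "yes"}
# display_errors also accepts "stdout"/"stderr"; both still emit the messages.
DISPLAY_ENABLED = TRUE_VALUES | {"stdout", "stderr"}

# Constructed samples; only the open_basedir line is taken from the thread.
LEAKY_INI = '''
open_basedir="/var/www/html/:/var/lib/php/"
display_errors = On      ; development setting left on
log_errors = Off
'''
HARDENED_INI = '''
open_basedir="/var/www/html/:/var/lib/php/"
display_errors = On
display_errors = Off     ; a later assignment overrides the earlier one
log_errors = On
error_log = /var/log/php/error.log   ; hypothetical path
'''

def parse_value(raw):
    """Strip quotes, or cut an unquoted value at an inline ';' comment."""
    raw = raw.strip()
    if raw[:1] in ('"', "'"):
        end = raw.find(raw[0], 1)
        return raw[1:end] if end != -1 else raw[1:]
    return raw.split(";", 1)[0].strip()

def effective_directives(text):
    """Return name -> value, where the last assignment to a name wins."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";[":   # blank, comment, or section header
            continue
        name, sep, raw = line.partition("=")
        if sep:
            directives[name.strip()] = parse_value(raw)
    return directives

def audit(text):
    """List the settings that let warnings reach visitors or go unrecorded."""
    ini = effective_directives(text)
    findings = []
    # PHP's built-in default for both directives is "1" when php.ini omits them.
    if ini.get("display_errors", "1").lower() in DISPLAY_ENABLED:
        findings.append("display_errors")
    if ini.get("log_errors", "1").lower() not in TRUE_VALUES:
        findings.append("log_errors")
    return findings

if __name__ == "__main__":
    for label, text in (("leaky", LEAKY_INI), ("hardened", HARDENED_INI)):
        print(label, audit(text) or "ok")
```

An empty list means the file keeps warnings such as the open_basedir one out of rendered pages while still recording them in the log.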