The MediaWiki team has already reduced attack surface by making the sw less functional, less fun, and basically broken, so what is the difference? Practically none; some other upstart sw will take their place and engage the CIA triad with more efficiency and adroitness, so API functions are largely irrelevant in the longer term, sort of like Ozzy Osbourne and Tony Bourdain. MW had a good run; perhaps they can regain some degree of functionality that was lost in the last few updates, but the future is unwritten.

On Thu, Aug 24, 2023 at 8:03 AM <mediawiki-l-request@lists.wikimedia.org> wrote:

Message: 1
Date: Wed, 23 Aug 2023 17:13:49 -0400
From: Jeffrey Walton <noloader@gmail.com>
Subject: [MediaWiki-l] Disable api.php and rest.php?
To: MediaWiki announcements and site admin list
        <mediawiki-l@lists.wikimedia.org>
Message-ID:
        <CAH8yC8nLtkGYhP7dnXpo-hMvnND2Nht66v+UKoanBZSQ-37LXQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hi Everyone,

I was looking at our Special:Version page, and got to thinking about
api.php [1] and rest.php.[2] I don't believe anyone on our team is
using the APIs, and I would like to disable them to reduce attack
surface. Or disable them on external interfaces (or maybe allow on
localhost/127.0.0.1).

I see api.php can be disabled via $wgEnableAPI.[1] But I don't see a
similar option for rest.php.[2]

I have two questions. First, is it possible to disable api.php and
rest.php in practice? Or restrict them to internal interfaces only?

Second, what option controls rest.php?

And maybe a third question: can we rename api.php and rest.php to, say,
api.php.unused and rest.php.unused? Will that produce ill effects?

Thanks in advance.

[1] https://www.mediawiki.org/wiki/Manual:Api.php
[2] https://www.mediawiki.org/wiki/Manual:Rest.php

------------------------------

Message: 2
Date: Thu, 24 Aug 2023 04:15:44 +0200
From: Amir Sarabadani <ladsgroup@gmail.com>
Subject: [MediaWiki-l] Re: Disable api.php and rest.php?
To: noloader@gmail.com, MediaWiki announcements and site admin list
        <mediawiki-l@lists.wikimedia.org>
Message-ID:
        <CA+ttme1kSV34WZb=oAuqba1mvbCOyjnR6_bre=TMRGMkxhYNaw@mail.gmail.com>
Content-Type: multipart/alternative;
        boundary="0000000000006298f80603a1d0dc"

You could technically decline access in apache (or whatever software you're
using).

But I need to warn you: many functions of MediaWiki work by calling
the API in the backend, e.g. when you log out, it calls an API; when you
watch a page, it calls another API; and all of those would break if you
disable api.php or rest.php.

HTH


--
Amir (he/him)
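One way to do what Amir describes (decline access in the web server rather than in MediaWiki), as an added example that is not from the thread or from MediaWiki's own documentation. It assumes Apache 2.4 and the hypothetical wiki directory /var/www/html/w.

```apache
# Added example (not from the thread): restrict MediaWiki's action API
# (api.php) and REST API (rest.php) to the loopback interface on Apache 2.4.
# Assumes the hypothetical wiki directory /var/www/html/w.
<Directory "/var/www/html/w">
    # Default: the wiki itself stays reachable from anywhere.
    Require all granted

    # api.php and rest.php (including rest.php/... path-info URLs) answer only
    # to 127.0.0.1, ::1 or the server's own address; anyone else gets 403.
    # Files sections merge after Directory sections, so this overrides the
    # "Require all granted" above for just these two scripts.
    <FilesMatch "^(api|rest)\.php$">
        Require local
    </FilesMatch>

    # Behind a reverse proxy, "Require local" would see the proxy's address.
    # In that case load mod_remoteip (RemoteIPHeader X-Forwarded-For,
    # RemoteIPInternalProxy <proxy address>) and use
    #     Require ip 10.0.0.0/8    (your internal range)
    # instead of "Require local".
</Directory>

# Check from outside the host (hypothetical hostname):
#   curl -sI https://wiki.example.org/w/api.php   -> HTTP/1.1 403 Forbidden
# and from the host itself the same request should still return 200.
```

Because the logged-in UI (logout, watchlist and similar) calls api.php from the browser, as Amir notes, "Require local" only fits a wiki that is itself used from that host; for a wiki used over the network, use "Require ip" with the range the browsers actually come from, and expect the REST-backed features to break for anyone outside it.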

------------------------------


------------------------------

End of MediaWiki-l Digest, Vol 239, Issue 2

--
Best Regards,
                 
Shep Husted
27 Hege Dr. #39
Lexington , NC
27292
lexingtonpc.net
linuxportland.com
maxgaming.info