Send MediaWiki-l mailing list submissions to
mediawiki-l@lists.wikimedia.org
To subscribe or unsubscribe, please visit
https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
You can reach the person managing the list at
mediawiki-l-owner@lists.wikimedia.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of MediaWiki-l digest..."
Today's Topics:
1. Disable api.php and rest.php? (Jeffrey Walton)
2. Re: Disable api.php and rest.php? (Amir Sarabadani)
----------------------------------------------------------------------
Message: 1
Date: Wed, 23 Aug 2023 17:13:49 -0400
From: Jeffrey Walton <noloader@gmail.com>
Subject: [MediaWiki-l] Disable api.php and rest.php?
To: MediaWiki announcements and site admin list
<mediawiki-l@lists.wikimedia.org>
Message-ID:
<CAH8yC8nLtkGYhP7dnXpo-hMvnND2Nht66v+UKoanBZSQ-37LXQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Hi Everyone,

I was looking at our Special:Version page, and got to thinking about
api.php [1] and rest.php.[2] I don't believe anyone on our team is
using the APIs, and I would like to disable them to reduce attack
surface. Or disable them on external interfaces (or maybe allow on
localhost/127.0.0.1).

I see api.php can be disabled via $wgEnableAPI.[1] But I don't see a
similar option for rest.php.[2]

I have two questions. First, is it possible to disable api.php and
rest.php in practice? Or restrict them to internal interfaces only?

Second, what option controls rest.php?

And maybe a third question, can we rename api.php and rest.php to say,
api.php.unused and rest.php.unused? Will that produce ill effects?

Thanks in advance.

[1] https://www.mediawiki.org/wiki/Manual:Api.php
[2] https://www.mediawiki.org/wiki/Manual:Rest.php
------------------------------
Message: 2
Date: Thu, 24 Aug 2023 04:15:44 +0200
From: Amir Sarabadani <ladsgroup@gmail.com>
Subject: [MediaWiki-l] Re: Disable api.php and rest.php?
To: noloader@gmail.com, MediaWiki announcements and site admin list
<mediawiki-l@lists.wikimedia.org>
Message-ID:
<CA+ttme1kSV34WZb=oAuqba1mvbCOyjnR6_bre=TMRGMkxhYNaw@mail.gmail.com>
Content-Type: multipart/alternative;
boundary="0000000000006298f80603a1d0dc"
You could technically decline access in Apache (or whatever software you're
using).

But I need to warn: Many functionalities of MediaWiki are done by calling
the API in the backend, e.g. when you log out, it calls an API, when you
watch a page, it calls another API, and all of those would break if you
disable the api.php or rest.php.

HTH
On Wed., 23 Aug. 2023 at 23:14, Jeffrey Walton <noloader@gmail.com> wrote:
> Hi Everyone,
>
> I was looking at our Special:Version page, and got to thinking about
> api.php [1] and rest.php.[2] I don't believe anyone on our team is
> using the APIs, and I would like to disable them to reduce attack
> surface. Or disable them on external interfaces (or maybe allow on
> localhost/127.0.0.1).
>
> I see api.php can be disabled via $wgEnableAPI.[1] But I don't see a
> similar option for rest.php.[2]
>
> I have two questions. First, is it possible to disable api.php and
> rest.php in practice? Or restrict them to internal interfaces only?
>
> Second, what option controls rest.php?
>
> And maybe a third question, can we rename api.php and rest.php to say,
> api.php.unused and rest.php.unused? Will that produce ill effects?
>
> Thanks in advance.
>
> [1] https://www.mediawiki.org/wiki/Manual:Api.php
> [2] https://www.mediawiki.org/wiki/Manual:Rest.php
--
Amir (he/him)
------------------------------
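Before declining access to api.php and rest.php at the web server, the access log shows whether the wiki's own pages are already calling them, which is the breakage the reply above warns about. This is an added example, not part of either message: it assumes Apache's combined log format and a /w/ script path, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Apache "combined" format: client, ident, user, [time], "request", status, size, "referer", ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)
# api.php or rest.php as a whole path segment, including rest.php/v1/... routes,
# but not a renamed file such as api.php.unused.
ENDPOINT_RE = re.compile(r'/(api|rest)\.php(?=$|/)')

# Constructed sample log lines (not from the thread); /w/ and the host name are assumptions.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Aug/2023:17:01:02 -0400] "GET /w/index.php?title=Main_Page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Aug/2023:17:01:09 -0400] "POST /w/api.php HTTP/1.1" 200 87 "https://wiki.example.org/w/index.php?title=Main_Page" "Mozilla/5.0"
198.51.100.24 - - [23/Aug/2023:17:02:40 -0400] "GET /w/rest.php/v1/search/title?q=foo&limit=10 HTTP/1.1" 200 312 "https://wiki.example.org/w/index.php?title=Help" "Mozilla/5.0"
127.0.0.1 - - [23/Aug/2023:17:03:00 -0400] "GET /w/api.php?action=query&meta=siteinfo HTTP/1.1" 200 940 "-" "curl/8.1"
198.51.100.99 - - [23/Aug/2023:17:04:11 -0400] "GET /w/api.php.unused HTTP/1.1" 404 196 "-" "curl/8.1"
"""

def audit(log_text):
    """Count api.php/rest.php hits by (endpoint, origin, method) and collect
    the referring pages of non-loopback callers."""
    counts = Counter()
    referers = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m["target"].split("?", 1)[0]  # drop the query string
        ep = ENDPOINT_RE.search(path)
        if not ep:
            continue
        try:
            local = ipaddress.ip_address(m["client"]).is_loopback
        except ValueError:
            local = False  # client field holds a hostname, treat as external
        origin = "loopback" if local else "external"
        counts[(ep.group(1) + ".php", origin, m["method"])] += 1
        if not local and m["referer"] not in ("", "-"):
            referers.add(m["referer"])  # wiki page whose script made the call
    return counts, referers

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

External hits whose referer is one of the wiki's own pages are the calls that would stop working if access were restricted to localhost.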
------------------------------
End of MediaWiki-l Digest, Vol 239, Issue 2
*******************************************