Another option is just removing the $wgServer back compat value.
The installer will automatically set $wgServer in LocalSettings.php. The
default value in DefaultSettings.php is mostly for compat with really old
installs before 1.16.
Allowing autodetection is a security vulnerability - albeit mostly
difficult to exploit. The primary method is via cache poisoning and then
either redirecting or otherwise tricking users about the fake domain. See
the original ticket https://phabricator.wikimedia.org/T30798 . Another
possibility is putting unsafe values in the host header to try and get an
XSS (followed by cache poisoning so it's not just self XSS). I'm unsure off
the top of my head what validation if any is done (I'm pretty sure it's less
strict than legal domains) so I'm not sure how practical that is.
Anyways 1.16 was a long time ago, put my vote as we should make a breaking
change and just throw an exception if wgServer is not set in
LocalSettings.php.
--
Brian
P.S. People with access to security tasks may also find the phab comment at
https://phabricator.wikimedia.org/T157426#3192740 interesting where some of
the implications of $wgServer were discussed (note the task was primarily
about something else and is unfortunately still secret).
On Tuesday, June 25, 2019, Kunal Mehta <legoktm(a)member.fsf.org> wrote:
Hi,
I (with Reedy's help) recently started work on librarizing MediaWiki's
IP class into a separate composer package (wikimedia/ip-utils[1]). The
main motivation was so that the Parsoid PHP port could use it[2].
However, I ran into an unexpected hitch[3], as it seems we're using
the IP class before the composer autoloader is even initialized. Here's
the basic initialization in Setup.php:
- AutoLoader.php (MediaWiki's)
- Defines.php
- DefaultSettings.php
  - $wgServer = WebRequest::detectServer()
    - Calls IP::splitHostAndPort()
- GlobalFunctions.php
- vendor/autoload.php (composer's)
My understanding is that composer's autoloader runs late so extensions
registering themselves using it can add their stuff to the necessary
globals.
And we call WebRequest::detectServer() in DefaultSettings.php so that
in LocalSettings.php people can use the value of $wgServer for other
stuff.
I see 3 main ways to move forward:
1. Move vendor/autoload.php earlier in Setup.php, potentially breaking
extensions that still rely on composer autoloading for initialization.
2. Set $wgServer = false or something in DefaultSettings.php, and then
fill it in later in Setup.php *after* the composer autoloader has been
loaded, potentially breaking anyone relying on the value of $wgServer
in LocalSettings.php.
3. (status quo) not librarize code that runs before composer
autoloader initialization. :(
Advice/input welcome.
[1] https://packagist.org/packages/wikimedia/ip-utils
[2] https://gerrit.wikimedia.org/g/mediawiki/services/parsoid/+/77064cfff7176493a2828bb4f95f397dfce7d659/src/Utils/Title.php#46
[3] https://gerrit.wikimedia.org/r/c/mediawiki/core/+/519089/
-- Legoktm
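
Added illustration, not part of the original thread and not MediaWiki code: a stand-alone PHP sketch contrasting a server URL derived from the request's Host header with one that must be configured explicitly, failing with an exception when it is unset as proposed in the reply above. The function names, host names and sample requests are all assumptions constructed for this example.

```php
<?php
// Autodetection: the base URL follows whatever Host header the client sent,
// so the value ends up in generated markup that a shared cache may store.
function detectServerFromRequest(array $server): string {
    $proto = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host = $server['HTTP_HOST'] ?? 'localhost';
    return "$proto://$host";
}

// Explicit configuration: never consult the request; refuse to run if unset.
function requireConfiguredServer($configured): string {
    if (!is_string($configured) || $configured === '') {
        throw new RuntimeException('$wgServer must be set in LocalSettings.php');
    }
    $parts = parse_url($configured);
    if ($parts === false || !isset($parts['host'])
        || !preg_match('/^[A-Za-z0-9.-]+$/', $parts['host'])) {
        throw new RuntimeException("Configured server is not a valid URL: $configured");
    }
    return rtrim($configured, '/');
}

// Hypothetical link generator standing in for any output built on the base URL.
function canonicalLink(string $server, string $title): string {
    $href = htmlspecialchars("$server/wiki/" . rawurlencode($title), ENT_QUOTES);
    return '<link rel="canonical" href="' . $href . '">';
}

// Constructed sample requests: the second carries a Host header the site does not own.
$requests = [
    ['HTTP_HOST' => 'wiki.example.org', 'HTTPS' => 'on'],
    ['HTTP_HOST' => 'other.example.net', 'HTTPS' => 'on'],
];
$configured = 'https://wiki.example.org'; // assumed LocalSettings.php value

foreach ($requests as $req) {
    echo "Host: {$req['HTTP_HOST']}\n";
    echo "  autodetected: ", canonicalLink(detectServerFromRequest($req), 'Main_Page'), "\n";
    echo "  configured:   ", canonicalLink(requireConfiguredServer($configured), 'Main_Page'), "\n";
}

try {
    requireConfiguredServer(false); // simulates a site with no configured value
} catch (RuntimeException $e) {
    echo "unset: ", $e->getMessage(), "\n";
}
```

With the autodetected variant the generated link changes with the Host header of whichever request populated the cache; with the configured variant it is identical for both requests.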