[Mediawiki-l] Question about $wgServer Variable
Adam Edwards
Adam at always24x7.com
Mon Dec 6 23:33:14 UTC 2004
Thanks for your reply, and what you said brings up an important point. The way I use the variable is through only predefined values so I should be ok. Do you know of a better/more safe way to get the subdomain than through the $_SERVER["HTTP_HOST"] variable? I also expected the upgrade "suggestion" ;).
Adam
-----Original Message-----
From: Brion Vibber [mailto:brion at pobox.com]
Sent: Monday, December 06, 2004 5:19 PM
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] Question about $wgServer Variable
On Dec 6, 2004, at 1:01 PM, Adam Edwards wrote:
> My question is I overwrote the $wgServer variable in my
> LocalSettings.php file to use $_SERVER["HTTP_HOST"] instead and
> preserve the subdomain. Does anyone know if this will mess anything
> up?
This value is provided by the client, so it may be possible to exploit,
depending on your server configuration. Cache poisoning attacks with
HTML/JavaScript injections might be a possibility if it's not properly
sanitized in output.
You should ensure that the variable can only have certain predefined
values before using it in this way.
> Oh yeah I'm using mediawiki-1.3.2.
Please upgrade to 1.3.8 immediately; there are numerous bug fixes and
some important security fixes.
-- brion vibber (brion @ pobox.com)
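
One way to restrict the Host header to predefined values before it reaches $wgServer, as an added example that is not part of the original thread and is not MediaWiki code. The helper name pickAllowedHost and the example.org hostnames are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper for LocalSettings.php, not MediaWiki code.
// Hostnames below are constructed placeholders.

/**
 * Map the client-supplied Host header onto a fixed list of known hosts.
 * Returns the canonical host from the list, never the raw header text.
 */
function pickAllowedHost($rawHost, array $allowedHosts, $defaultHost)
{
    if (!is_string($rawHost) || $rawHost === '') {
        return $defaultHost;
    }
    // Normalise: case-insensitive, drop an optional :port and trailing dot.
    $host = strtolower(trim($rawHost));
    $host = preg_replace('/:\d{1,5}$/', '', $host);
    $host = rtrim($host, '.');

    // Strict comparison against the list; anything else falls back.
    $index = array_search($host, $allowedHosts, true);
    return $index === false ? $defaultHost : $allowedHosts[$index];
}

$allowedHosts = array('en.wiki.example.org', 'de.wiki.example.org');
$defaultHost  = 'en.wiki.example.org';

$rawHost  = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : null;
$wgServer = 'http://' . pickAllowedHost($rawHost, $allowedHosts, $defaultHost);

// Constructed sample headers showing what is accepted and what falls back.
if (PHP_SAPI === 'cli') {
    $samples = array(
        'DE.wiki.example.org:80',
        'de.wiki.example.org.',
        'other.example.net',
        'en.wiki.example.org"><b>',
        'en.wiki.example.org.other.example.net',
    );
    foreach ($samples as $sample) {
        printf("%-40s => %s\n", $sample,
            pickAllowedHost($sample, $allowedHosts, $defaultHost));
    }
}
```

Because $wgServer is built from the list entry rather than from the header text, a header that is not on the list can only ever produce the default host in generated URLs and cached pages.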