[Mediawiki-l] Question about $wgServer Variable

Adam Edwards Adam at always24x7.com
Mon Dec 6 23:33:14 UTC 2004


Thanks for your reply, and what you said brings up an important point.  The way I use the variable is through only predefined values so I should be ok.  Do you know of a better/more safe way to get the subdomain than through the _SERVER["HTTP_HOST"] variable?  I also expected the upgrade "suggestion" ;).

Adam

-----Original Message-----
From: Brion Vibber [mailto:brion at pobox.com]
Sent: Monday, December 06, 2004 5:19 PM
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] Question about $wgServer Variable


On Dec 6, 2004, at 1:01 PM, Adam Edwards wrote:
> My question is I overwrote the $wgServer variable in my 
> LocalSettings.php file to use $_SERVER["HTTP_HOST"] instead and 
> preserve the subdomain.  Does anyone know if this will mess anything 
> up?

This value is provided by the client, so it may be possible to exploit, 
depending on your server configuration. Cache poisoning attacks with 
HTML/JavaScript injections might be a possibility if it's not properly 
sanitized in output.

You should ensure that the variable can only have certain predefined 
values before using it in this way.

>  Oh yeah I'm using mediawiki-1.3.2.

Please upgrade to 1.3.8 immediately; there are numerous bug fixes and 
some important security fixes.

-- brion vibber (brion @ pobox.com)
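
The "only certain predefined values" check discussed above, as an added example that is not part of the original thread or of MediaWiki itself. The host names, `$allowedHosts`, `$defaultHost` and `pickServerHost()` are assumptions made for illustration; only `$wgServer` and `$_SERVER["HTTP_HOST"]` come from the messages.

```php
<?php
// LocalSettings.php fragment (added example; host names are placeholders).

// Hosts this wiki is allowed to answer as. Anything else gets the default.
$allowedHosts = [
    'wiki.example.org',
    'en.wiki.example.org',
    'de.wiki.example.org',
];
$defaultHost = 'wiki.example.org';

/**
 * Map the client-supplied Host header onto one of the predefined values.
 * Returns the matching allowlist entry, never the raw header, so nothing
 * the client sent can reach $wgServer or cached output.
 */
function pickServerHost( $rawHost, array $allowed, $default ) {
    if ( !is_string( $rawHost ) || $rawHost === '' ) {
        return $default; // header absent, e.g. command-line maintenance scripts
    }
    $host = strtolower( trim( $rawHost ) );
    $host = preg_replace( '/:\d+$/', '', $host ); // drop an optional :port
    $host = rtrim( $host, '.' );                  // drop a trailing root dot
    $index = array_search( $host, $allowed, true );
    return $index === false ? $default : $allowed[$index];
}

$rawHost = isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : null;
$wgServer = 'http://' . pickServerHost( $rawHost, $allowedHosts, $defaultHost );
```

Because the function returns the allowlist entry rather than the cleaned header, a request carrying markup or an unknown domain in `Host` resolves to `$defaultHost`.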


