
MediaWiki entry points should not be in the base repo directory
Open, Needs Triage, Public

Description

This has come up in a few places (T167038, T180237), but as far as I know no one has filed a task specifically for the idea.

Problem statement

Currently, MediaWiki's main entry points such as index.php, api.php, and load.php are in the repository's base directory. This makes it very difficult for anyone installing MediaWiki to follow good security practices and expose only the entry points via the web server, with all non-entry-point files stored elsewhere.

Solution (draft)

We should, instead, place these files in a subdirectory (name it "webroot" or "www" or "public_html", bikeshed later).

The drawback is that installation becomes more complex. Instead of just dumping MediaWiki into /var/www (or equivalent), someone has to set up symbolic links or configure the web server to serve MediaWiki's virtual base path from a different location, not only for the webroot itself but also for the various resources pointed to by configuration settings such as $wgResourceBasePath ($wgExtensionAssetsPath, and $wgStylePath), and $wgUploadPath.
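The symlink layout described above, as an added example that is not part of the original task or of MediaWiki's code: it links only the three named entry points and the asset directories into a separate document root, then lists any PHP file that is still web-reachable. The directory names `resources`, `skins`, `extensions` and `images` assume the default values of the path settings mentioned above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not MediaWiki code. Entry points are the three the task names.
ENTRY_POINTS="index.php api.php load.php"
# Assumed default directories behind $wgResourceBasePath, $wgStylePath,
# $wgExtensionAssetsPath and $wgUploadPath.
ASSET_DIRS="resources skins extensions images"

# build_docroot SRC DOCROOT
# Symlink only the entry points and asset directories of the checkout SRC
# into DOCROOT; everything else (LocalSettings.php, includes/, ...) stays out.
build_docroot() {
    src=$(cd "$1" && pwd) || return 1   # absolute path so the links resolve
    docroot=$2
    mkdir -p "$docroot" || return 1
    for f in $ENTRY_POINTS; do
        if [ -f "$src/$f" ]; then ln -sfn "$src/$f" "$docroot/$f"; fi
    done
    for d in $ASSET_DIRS; do
        if [ -d "$src/$d" ]; then ln -sfn "$src/$d" "$docroot/$d"; fi
    done
}

# exposed_php DOCROOT
# Print every .php file reachable under DOCROOT (following symlinks) that is
# not one of the allowed top-level entry points. Empty output means clean.
exposed_php() {
    ( cd "$1" || exit 1
      find -L . -type f -name '*.php' | sed 's|^\./||' | sort |
      while IFS= read -r p; do
          case " $ENTRY_POINTS " in
              *" $p "*) ;;                  # allowed entry point
              *) printf '%s\n' "$p" ;;      # PHP exposed through an asset dir
          esac
      done )
}

# Usage: sh docroot.sh /path/to/mediawiki /path/to/docroot
if [ "$#" -eq 2 ]; then
    build_docroot "$1" "$2" && exposed_php "$2"
fi
```

Any PHP file under a linked asset directory still shows up in the audit, so linking `skins` and `extensions` wholesale keeps their code inside the document root.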

Event Timeline

> The drawback is that installation becomes more complex.

As long as you don't care about the security benefits, not really. If you dump a tarball into /var/www, MediaWiki will be available as example.com/index.php. If we move the entry points into, say, a directory called w, it will be available as example.com/w/index.php. No configuration needed. It will be a thorough BC break for existing installations, of course.

OTOH anyone who cares much about security has probably set up MediaWiki via symlinks or whatever; moving the entry points makes that marginally more convenient, at most (you need slightly fewer symlinks, but you still need to deal with assets which is the more problematic part).

If we want to support convenient non-webroot installation, that would probably require some mechanism to copy assets from core and skins/extensions into the webroot, and also set up entry point redirects there.

> If we want to support convenient non-webroot installation, that would probably require some mechanism to copy assets from core and skins/extensions into the webroot, and also set up entry point redirects there.

Another option could be to just proxy the rest of the assets that aren't JS/CSS through load.php anyways so skins/extensions never need to be in the webroot themselves. (And then replace debug mode somehow)

Replacing debug mode needs to happen anyway :)

@Anomie This seems ready for an IRC discussion. Does that sound useful to you? And do you have a preferred time slot for the discussion?

I filed this mainly because it kept getting mentioned but we didn't have a task for it. I'd be happy for someone else to actually push it forward.

@Anomie OK, I'll put it in "under discussion" for now.