Remove support for run-time automatic $wgServer default value
Closed, ResolvedPublic
Actions

Description

(Creating task retroactively for @Legoktm's existing Gerrit patch, per current CPT practices.)

This follows-up a security issue - T30798: Interface links can be redirected to hostile domains by cache poisoning on some server setups.

Removing this logic from the init path would also help with T189966: Audit and simplify MediaWiki initialisation code (Spring 2018).

Details

	Subject	Repo	Branch	Lines +/-
	Disable $wgServer autodetection to prevent cache poisoning attacks	mediawiki/core	REL1_34	+28 -5
	Disable $wgServer autodetection to prevent cache poisoning attacks	mediawiki/core	master	+28 -5

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Resolved	Legoktm	T232931 Remove support for run-time automatic $wgServer default value
Resolved	hashar	T233140 Quibble should not rely on dynamically detecting the value of $wgServer
Resolved	hashar	T235023 Selenium test "User should be able to log in @daily" fails with Quibble 0.0.37

Event Timeline

Krinkle created this task.Sep 14 2019, 7:37 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 14 2019, 7:37 PM

Krinkle added a project: Performance-Team (Radar).Sep 14 2019, 7:37 PM

Krinkle moved this task from Untriaged to 2020 | MW 1.35 on the Technical-Debt (Deprecation process) board.

Krinkle moved this task from Limbo to Perf recommendation on the Performance-Team (Radar) board.

Change 524396 had a related patch set uploaded (by Krinkle; owner: Legoktm):
[mediawiki/core@master] Disable $wgServer autodetection to prevent cache poisoning attacks

https://gerrit.wikimedia.org/r/524396

gerritbot added a project: Patch-For-Review.Sep 14 2019, 7:38 PM

Anomie moved this task from Inbox to Triage Meeting Inbox on the Platform Engineering board.Sep 16 2019, 1:25 PM

Currently putting this in "Blocked Externally" on the CPT Clinic Duty board. Once the blocker is resolved, this should go to "External Code Review Needed".

daniel mentioned this in T233140: Quibble should not rely on dynamically detecting the value of $wgServer.Sep 17 2019, 6:28 PM

Krinkle removed a subtask: T233140: Quibble should not rely on dynamically detecting the value of $wgServer.Sep 20 2019, 10:40 PM

Krinkle added a subtask: T233140: Quibble should not rely on dynamically detecting the value of $wgServer.

daniel triaged this task as Medium priority.Sep 30 2019, 2:55 PM

hashar closed subtask T233140: Quibble should not rely on dynamically detecting the value of $wgServer as Resolved.Oct 9 2019, 1:06 PM

WDoranWMF moved this task from Blocked Externally to External Code Review Needed on the Platform Team Workboards (Clinic Duty Team) board.Oct 29 2019, 3:22 PM

Change 524396 merged by jenkins-bot:
[mediawiki/core@master] Disable $wgServer autodetection to prevent cache poisoning attacks

https://gerrit.wikimedia.org/r/524396

Maintenance_bot removed a project: Patch-For-Review.Oct 30 2019, 6:10 AM

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.5; 2019-11-05).Oct 30 2019, 7:00 AM

Change 547326 had a related patch set uploaded (by Jforrester; owner: Legoktm):
[mediawiki/core@REL1_34] Disable $wgServer autodetection to prevent cache poisoning attacks

https://gerrit.wikimedia.org/r/547326

gerritbot added a project: Patch-For-Review.Oct 30 2019, 10:01 PM

Change 547326 merged by jenkins-bot:
[mediawiki/core@REL1_34] Disable $wgServer autodetection to prevent cache poisoning attacks

https://gerrit.wikimedia.org/r/547326

Maintenance_bot removed a project: Patch-For-Review.Oct 31 2019, 1:10 AM

Anomie closed this task as Resolved.Oct 31 2019, 1:49 PM

Anomie assigned this task to Legoktm.

Anomie moved this task from External Code Review Needed to External Code Review Completed on the Platform Team Workboards (Clinic Duty Team) board.

ReleaseTaggerBot added a project: MW-1.34-notes.Nov 1 2019, 4:01 PM

Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:41 PM