
Remove support for run-time automatic $wgServer default value
Closed, ResolvedPublic

Description

(Creating task retroactively for @Legoktm's existing Gerrit patch, per current CPT practices.)

This follows up on a security issue - T30798: Interface links can be redirected to hostile domains by cache poisoning on some server setups.

Removing this logic from the init path would also help with T189966: Audit and simplify MediaWiki initialisation code (Spring 2018).
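As an added illustration (not code from MediaWiki or from the Gerrit change above), the following PHP sketch shows the pattern the task targets: a canonical server URL derived at run time from the request's Host header flows into the absolute links a page emits, and once a shared cache stores that page, every later visitor receives links pointing at whatever host the first requester supplied. The hardened half reads the value from explicit configuration and refuses to start when it is absent. All names here ($request, detect_server_from_request, load_server_from_config, build_absolute_link) and the sample request are constructed for this example; the real MediaWiki code path differs in detail.

```php
<?php
// Added example, not MediaWiki's own code. Function and variable names are
// hypothetical; the request array below is constructed for illustration.

// Constructed request: the Host header is attacker-controlled.
$request = [
    'HTTPS'       => 'on',
    'HTTP_HOST'   => 'evil.example',
    'SERVER_NAME' => 'wiki.example.org',
];

// Vulnerable pattern: derive the canonical server from the incoming request.
// Anything a client can put in Host becomes part of the site's own URLs.
function detect_server_from_request(array $req): string {
    $proto = (!empty($req['HTTPS']) && $req['HTTPS'] !== 'off') ? 'https' : 'http';
    $host  = $req['HTTP_HOST'] ?? $req['SERVER_NAME'];
    return "$proto://$host";
}

// Hardened pattern: the canonical server must be configured explicitly.
// Fail closed at startup rather than fall back to guessing from the request.
function load_server_from_config(array $settings): string {
    if (empty($settings['wgServer'])) {
        throw new RuntimeException('$wgServer must be set in LocalSettings.php');
    }
    return $settings['wgServer'];
}

// Absolute links are built from whichever server value the application trusts.
function build_absolute_link(string $server, string $path): string {
    return rtrim($server, '/') . '/' . ltrim($path, '/');
}

// Vulnerable path: the generated link points at the attacker's host. If a
// shared cache stores this response, later visitors get the poisoned link.
$poisoned = build_absolute_link(
    detect_server_from_request($request),
    '/wiki/Special:UserLogin'
);
echo "autodetected: $poisoned\n";

// Hardened path: the same request has no influence on the link.
$settings = ['wgServer' => 'https://wiki.example.org'];
$safe = build_absolute_link(
    load_server_from_config($settings),
    '/wiki/Special:UserLogin'
);
echo "configured:   $safe\n";

// Missing configuration is a startup error, not a silent fallback.
try {
    load_server_from_config([]);
} catch (RuntimeException $e) {
    echo "startup refused: " . $e->getMessage() . "\n";
}
```

The practitioner's check after upgrading to a release that carries the change is simply that `$wgServer` is set explicitly in LocalSettings.php to the canonical scheme and host; a wiki that relied on autodetection will no longer start until it is.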

Event Timeline

Krinkle created this task. Sep 14 2019, 7:37 PM
Restricted Application added a subscriber: Aklapper. Sep 14 2019, 7:37 PM

Change 524396 had a related patch set uploaded (by Krinkle; owner: Legoktm):
[mediawiki/core@master] Disable $wgServer autodetection to prevent cache poisoning attacks

https://gerrit.wikimedia.org/r/524396

Anomie added a subscriber: Anomie.

Currently putting this in "Blocked Externally" on the CPT Clinic Duty board. Once the blocker is resolved, this should go to "External Code Review Needed".

daniel triaged this task as Medium priority. Sep 30 2019, 2:55 PM

Change 524396 merged by jenkins-bot:
[mediawiki/core@master] Disable $wgServer autodetection to prevent cache poisoning attacks

https://gerrit.wikimedia.org/r/524396

Change 547326 had a related patch set uploaded (by Jforrester; owner: Legoktm):
[mediawiki/core@REL1_34] Disable $wgServer autodetection to prevent cache poisoning attacks

https://gerrit.wikimedia.org/r/547326

Change 547326 merged by jenkins-bot:
[mediawiki/core@REL1_34] Disable $wgServer autodetection to prevent cache poisoning attacks

https://gerrit.wikimedia.org/r/547326