
Disable MediaWiki until mw-config is deleted or config setting is set
Open, Needs Triage, Public, Feature

Description

Feature summary:

MediaWiki should be inaccessible to anyone until any of the conditions are met:

  1. There is no LocalSettings.php file detected.
  2. The mw-config/ folder is deleted.
  3. The setting $wgEnableWebInstaller is set to true. (By default, it will be set to false in LocalSettings.php.)

I propose that the behavior for denying access to MediaWiki (to make it inaccessible) would be isomorphic to the current “MediaWiki is not installed” message, which is loaded by the Web Installer when a LocalSettings.php file is not detected. MediaWiki APIs should be disabled and index.php will continue to display this notice until one of the above criteria is met. It follows by transitivity that no user will be able to access the wiki pages, nobody will be able to log in, and the wiki cannot be modified in any way. The inaccessibility would be complete and uncompromising.

Use case(s):

When MediaWiki is operating normally, i.e. it has already been set up and no upgrades or database updates are needed, there is no reason to access mw-config/.

Benefits:

Most system administrators either don't use mw-config/ (because they use the install.php and update.php maintenance scripts) or use it and then forget to delete/hide mw-config/. Since there is no built-in access restriction for mw-config/, anyone can access it after the installation finishes, which poses a security hazard.

Many other web applications already require the admin/ folder or their setup/ folder to either be renamed or completely deleted before the software can be used.
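A filesystem check for the situation the description warns about, an installed wiki whose mw-config/ was never deleted, written here as an added example and not part of the task or of MediaWiki. It assumes the standard layout with LocalSettings.php and mw-config/ side by side in the wiki root; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not MediaWiki code): find installed wikis that still ship
# the web installer directory. Assumes the standard layout in which
# LocalSettings.php and mw-config/ both sit in the wiki's root directory.

# Classify one directory from the two on-disk facts the task relies on.
wiki_state() {
    if [ ! -f "$1/LocalSettings.php" ]; then
        echo "not-installed"        # the installer is expected to be used here
    elif [ -d "$1/mw-config" ]; then
        echo "installer-present"    # installed, yet mw-config/ is still there
    else
        echo "installer-removed"    # installed and mw-config/ deleted
    fi
}

# Print the root of every installed wiki under a base directory that still
# has mw-config/, one per line.
list_leftover_installers() {
    find "$1" -type f -name LocalSettings.php 2>/dev/null |
    while IFS= read -r settings; do
        root=$(dirname "$settings")
        if [ "$(wiki_state "$root")" = "installer-present" ]; then
            echo "$root"
        fi
    done
}

# Usage: sh audit.sh /var/www   (the path is an example)
if [ "$#" -gt 0 ]; then
    list_leftover_installers "$1"
fi
```

The check only looks at what is on disk, so a wiki whose mw-config/ is blocked by a web server rule is still listed.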

Event Timeline

> anyone can access it after the installation finishes, which poses a security hazard.

I agree that it doesn't make sense for this directory to be accessible outside installation or upgrade, but if there are specific security risks that are known then they should be fixed. Do you have any details?

@Samwilson I don't have any specific security risks identified at the moment. I thought I did, but it was actually just a misleading, scary-sounding message that this article mentions. It says if you visit /mw-config/index.php?page=Restart, you get this:

Restart installation
Do you want to clear all saved data that you have entered and restart the installation process?

This does not reset the wiki, but that could give the wrong idea to people. I'm also generally concerned about a hypothetical case of if there were a bug in the web installer that allowed unprivileged users to perform privileged actions. But to reiterate, I don't have any concrete examples right now, which is good news.

Anyway, I think the best practice is to delete mw-config/ after installation. If a sysadmin is upgrading to a new version of MediaWiki, they would get a new copy of mw-config/ anyway.

What does "inaccessible" mean exactly? Please be more clear on what you expect to happen where. Thanks.

> @Samwilson I don't have any specific security risks identified at the moment. I thought I did, but it was actually just a misleading, scary-sounding message that this article mentions. It says if you visit /mw-config/index.php?page=Restart, you get this:
>
> Restart installation
> Do you want to clear all saved data that you have entered and restart the installation process?
>
> This does not reset the wiki, but that could give the wrong idea to people. I'm also generally concerned about a hypothetical case of if there were a bug in the web installer that allowed unprivileged users to perform privileged actions. But to reiterate, I don't have any concrete examples right now, which is good news.
>
> Anyway, I think the best practice is to delete mw-config/ after installation. If a sysadmin is upgrading to a new version of MediaWiki, they would get a new copy of mw-config/ anyway.

I don't have a local install to double check, but from memory, doesn't that actually get blocked from use once the LocalSettings file is in place? And you need to quote a random fingerprint reference from the LocalSettings file to re-run the web installer or change a config in it.

> But from memory, doesn't that actually get blocked from use once the LocalSettings file is in place? And you need to quote a random fingerprint reference from the LocalSettings file to re-run the web installer or change a config in it.

I think we are talking about two different things here. You’re remembering correctly; I think you are referring to the upgrade key part. I was referring to the (somewhat misleading) option to be able to restart the installation process, but it could be interpreted as resetting MediaWiki. Anyway, I think we are digressing from the point of this task, and that’s partially my fault, but I hope that clears things up.

@Aklapper I have updated the description to clarify my proposal.

I should note that the creation of this task is partly inspired by a recent case where a public wiki with significant traffic had their LocalSettings.php publicly accessible. The upgrade key was visible to the world. The prompt asking for an upgrade key would have been futile against a bad actor who could then proceed to use the web installer on a production wiki. In my opinion, the upgrade key feature is confusing and nearly useless.