Page MenuHomePhabricator
Create Task
Maniphest T357595

Investigate restricting match pattern on /wiki RewriteRule
Open, LowPublic
Actions

Description

While adding some redirect tests for T357436 (https://gerrit.wikimedia.org/r/c/operations/puppet/+/1003525), I came across some mildly surprising redirect behavior involving paths prefixed with /wiki.

In short:

This seems to result from a combination of:

  1. the RewriteRule at https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+/1dfae2f64dce3d769798110d2ccfbf80af6111e0/modules/mediawiki/templates/apache/mediawiki-vhost.conf.erb#51 matching /wikiblah and
  2. donatewiki's /w/index.php itself serving the redirect

It's #1 that's the surprising part.

Chatting with @RLazarus a bit, it seems like the intention was probably for this to match something a bit more restrictive (e.g., matching ^/wiki(/.*)?$).

The purpose of this task is to investigate whether that was indeed the intent and if so, whether it is safe to restrict the match pattern.

Details

SubjectRepoBranchLines +/-
mediawiki: Restrict /wiki RewriteRuleoperations/puppetproduction+10 -1
Customize query in gerrit

Related Objects

Event Timeline

Scott_French created this task.Feb 14 2024, 11:23 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 14 2024, 11:23 PM
Scott_French triaged this task as Low priority.Feb 14 2024, 11:23 PM
Scott_French updated the task description. (Show Details)Feb 14 2024, 11:28 PM
RLazarus added a comment.Feb 14 2024, 11:56 PM

the intention was probably for this to match something a bit more restrictive (e.g., matching ^/wiki(/.*)?$)

I'm looking at the diff where the RewriteRule was introduced, and I'm pretty sure this is right -- it's replacing a

ProxyPass       /wiki                fcgi://127.0.0.1:9000<%= @docroot %>/w/index.php retry=0

so we went from a path argument to a regex. But some history from @Joe would help to confirm. And we'd still need to make sure nothing else has started relying on this in the last five years.

Joe added a comment.Feb 16 2024, 8:28 AM
In T357595#9544806, @RLazarus wrote:

the intention was probably for this to match something a bit more restrictive (e.g., matching ^/wiki(/.*)?$)

I'm looking at the diff where the RewriteRule was introduced, and I'm pretty sure this is right -- it's replacing a

ProxyPass       /wiki                fcgi://127.0.0.1:9000<%= @docroot %>/w/index.php retry=0

so we went from a path argument to a regex. But some history from @Joe would help to confirm. And we'd still need to make sure nothing else has started relying on this in the last five years.

If you go back further in history, you'll find we used to use an Alias directive, which of course behaves slightly differently too.

As for your question: I don't think anything relies on this, or if something does, we should be ok breaking it.

gerritbot added a comment.Feb 28 2024, 1:39 AM

Change 1007026 had a related patch set uploaded (by RLazarus; author: RLazarus):

[operations/puppet@production] mediawiki: Restrict /wiki RewriteRule

https://gerrit.wikimedia.org/r/1007026

gerritbot added a project: Patch-For-Review.Feb 28 2024, 1:39 AM
RLazarus claimed this task.Feb 29 2024, 8:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits