Page MenuHomePhabricator

Setting for $wgServer in LocalSettings.php in our Wikibase Image may be insecure
Closed, ResolvedPublic

Description

Situation: In the documentation for https://www.mediawiki.org/wiki/Manual:$wgServer it states that "MediaWiki formerly tried to autodetect the name of the server, however this was vulnerable to cache poisoning attacks, and informally deprecated in 1.18. It was fully removed in MediaWiki 1.34.". However, we are still using an auto-detection method in the default LocalSettings.php in our Wikibase Image (see https://github.com/search?q=repo%3Awmde%2Fwikibase-release-pipeline%20wgServer&type=code).

Solution: Replace the autodetect setting with a passthrough of the env var we use in the image to indicate the address of the Wikibase/MediaWiki server (i.e. WIKIBASE_HOST?). Ref: https://phabricator.wikimedia.org/T357971 and https://phabricator.wikimedia.org/T315916

Event Timeline

lojo_wmde changed the task status from Open to In Progress.May 14 2024, 6:11 AM
lojo_wmde claimed this task.
lojo_wmde moved this task from Doing to In Review on the Wikibase Suite Team (Sprint-∞) board.