Bail out early if $wgArticlePath is non-absolute
Closed, Resolved, Public

Description

Accidentally setting $wgArticlePath to something like "wiki/$1" can cause a lot of hassle for people setting up short URLs.

There is absolutely no valid reason to set $wgArticlePath to a relative path. We should make Setup.php or some other part of MW bail out early with an informative error message if it is not absolute.


Version: 1.22.0
Severity: trivial

Details

Reference
bz46998
bzimport raised the priority of this task from to Low.
bzimport set Reference to bz46998.
bzimport added a subscriber: Unknown Object (MLST).

devunt claimed this task. May 14 2015, 9:00 PM

Change 135196 had a related patch set uploaded (by devunt):
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/135196

Change 135196 merged by jenkins-bot:
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/135196

Restricted Application added a subscriber: Aklapper. Nov 10 2015, 11:21 PM

Change 252582 had a related patch set uploaded (by Bartosz Dziewoński):
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/252582

Change 252582 merged by jenkins-bot:
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/252582

matmarex closed this task as Resolved. Nov 12 2015, 12:17 AM
matmarex removed a project: Patch-For-Review.
matmarex set Security to None.
matmarex removed a subscriber: wikibugs-l-list.

Change 259905 had a related patch set uploaded (by Chad):
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/259905

Change 259906 had a related patch set uploaded (by Chad):
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/259906

Change 259916 had a related patch set uploaded (by Chad):
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/259916

Change 259917 had a related patch set uploaded (by Chad):
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/259917

Change 259929 had a related patch set uploaded (by Chad):
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/259929

Change 259930 had a related patch set uploaded (by Chad):
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/259930

Change 259940 had a related patch set uploaded (by Chad):
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/259940

Change 259941 had a related patch set uploaded (by Chad):
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/259941

Change 259916 merged by Chad:
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/259916

Change 259917 merged by Chad:
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/259917

Change 259905 merged by Reedy:
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/259905

Change 259906 merged by Reedy:
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/259906

Change 259940 merged by Chad:
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/259940

Change 259941 merged by Chad:
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/259941

Change 259929 merged by Reedy:
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/259929

Change 259930 merged by Reedy:
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/259930

jayvdb added a subscriber: jayvdb. Dec 18 2015, 3:28 AM

Should the same be done with $wgVariantArticlePath, if it is not false?
It looks less likely to be an attack vector, and admins are less likely to set it to just '$1' as the '$2' is sort of necessary for it to be useful.

Yeah, probably.

Change 262064 had a related patch set uploaded (by Bartosz Dziewoński):
Validate that $wgVariantArticlePath is absolute, too

https://gerrit.wikimedia.org/r/262064

Change 262064 merged by jenkins-bot:
Validate that $wgVariantArticlePath is absolute, too

https://gerrit.wikimedia.org/r/262064
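
The check requested in this task, as an added example that is not MediaWiki's own code or any of the patches linked above: it validates both $wgArticlePath and $wgVariantArticlePath at startup and shows where a link ends up when the path is relative. The function names are hypothetical, and "absolute" is assumed to mean a leading slash or a full http(s) URL.

```php
<?php
// Added example, not MediaWiki's code. checkPathSetting() and resolveHref()
// are hypothetical names; the sample settings below are constructed.

/** Return an error message for a non-absolute path setting, or null if it is acceptable. */
function checkPathSetting( string $name, $value ): ?string {
	// $wgVariantArticlePath may be false (unset), as noted in the discussion.
	if ( $value === false ) {
		return null;
	}
	// Assumption: "absolute" means a leading slash or a full http(s) URL.
	if ( !is_string( $value ) || !preg_match( '!^(https?://|/)!', $value ) ) {
		return "\$$name must start with a slash (/) or be a full URL; got "
			. var_export( $value, true );
	}
	return null;
}

/**
 * Simplified relative-reference resolution, as a browser does for an href.
 * Handles plain path references only (no "..", query or fragment) and
 * expects $currentPath to begin with "/".
 */
function resolveHref( string $currentPath, string $href ): string {
	if ( $href !== '' && $href[0] === '/' ) {
		return $href;
	}
	// Drop the last segment of the current path, then append the reference.
	return substr( $currentPath, 0, strrpos( $currentPath, '/' ) + 1 ) . $href;
}

$samples = [
	[ 'wgArticlePath', '/wiki/$1' ],
	[ 'wgArticlePath', 'wiki/$1' ],
	[ 'wgArticlePath', '$1' ],
	[ 'wgVariantArticlePath', false ],
	[ 'wgVariantArticlePath', '$2/$1' ],
];
foreach ( $samples as [ $name, $value ] ) {
	$error = checkPathSetting( $name, $value );
	echo $error ?? ( "ok: \$$name = " . var_export( $value, true ) ), "\n";
}

// A link to "Help" rendered on /wiki/Main_Page under an absolute and a relative setting.
foreach ( [ '/wiki/$1', 'wiki/$1' ] as $articlePath ) {
	$href = str_replace( '$1', 'Help', $articlePath );
	echo "$articlePath -> ", resolveHref( '/wiki/Main_Page', $href ), "\n";
}
```

With the relative setting, the link is resolved against the current page and gains a second `wiki/` segment, which is the kind of breakage an early startup error would surface immediately.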