Installer should write LocalSettings.php itself when it's able to
Open, Low, Public, Feature

Description

The Web installer's behavior was changed in https://www.mediawiki.org/wiki/Special:Code/MediaWiki/69322 to offer LocalSettings.php as a download instead of writing it itself. Unless there's a reason not to, shouldn't it try to write the file itself and offer it as a download only if it fails?


Version: 1.23.0
Severity: enhancement

Details

Reference
bz60534
Event Timeline

bzimport raised the priority of this task to Low. Nov 22 2014, 2:51 AM
bzimport set Reference to bz60534.
bzimport added a subscriber: Unknown Object (MLST).

mayank25080562 wrote:

If I am not wrong, then you are saying that the file should be created and saved automatically, instead of us copying and pasting it from the downloads to your http://localhost, right?

mayank25080562 wrote:

This copies the LocalSettings.php file automatically.

In addition to copying the file to the desired location, it also gives an option to download the file in case the copying does not take place due to any reasons whatsoever!

Attached:

Hi Mayank! Thanks for your patch!

You are welcome to use Developer access

https://www.mediawiki.org/wiki/Developer_access

to submit this as a Git branch directly into Gerrit:

https://www.mediawiki.org/wiki/Git/Tutorial

Putting your branch in Git makes it easier to review it quickly. If you don't want to set up Git/Gerrit, you can also use https://tools.wmflabs.org/gerrit-patch-uploader/

Change 114966 had a related patch set uploaded by Mjnovice:
Automatically copies the LocalSettings.php file to the desired location, fixes bug 60534.

https://gerrit.wikimedia.org/r/114966

Change 114966 had a related patch set uploaded by Nemo bis:
Automatically copy the LocalSettings.php file to the desired location

https://gerrit.wikimedia.org/r/114966

(In reply to Jackmcbarn from comment #0)

Unless there's a reason not to

The directory where MediaWiki is installed should not be writeable by the web server. That's considered a security vulnerability since then the source code of MediaWiki can be changed via the web interface if there is an exploit. Generally the installation directory should be read-only to the web server.

Downloading LocalSettings.php rather than writing it is to encourage the idea that you must SSH into your server in order to change files. The other side of the argument is that when downloading LocalSettings.php you are transmitting the database password over plaintext, but assuming you already entered your database password on the installer form that is kind of a moot issue.

mayank25080562 wrote:

(In reply to Tyler Romeo from comment #7)

(In reply to Jackmcbarn from comment #0)

Unless there's a reason not to

The directory where MediaWiki is installed should not be writeable by the
web server. That's considered a security vulnerability since then the source
code of MediaWiki can be changed via the web interface if there is an
exploit. Generally the installation directory should be read-only to the web
server.

Downloading LocalSettings.php rather than writing it is to encourage the
idea that you must SSH into your server in order to change files. The other
side of the argument is that when downloading LocalSettings.php you are
transmitting the database password over plaintext, but assuming you already
entered your database password on the installer form that is kind of a moot
issue.

Thanks for pointing this out! Can we have a workaround, say something which allows you to change the server writing permissions just for copying the LocalSettings.php and afterwards making it read-only? Can this be done?

(In reply to Mayank from comment #8)

Thanks for pointing this out! Can we have a workaround say something which
allows you to change the server writing permissions just for copying the
LocalSettings.php and afterwards making it read-only? Can this be done?

I mean, that doesn't really solve the problem. The best possible thing we can do is maybe write LocalSettings.php to a temporary directory, and then tell the user to copy it over to the web root.

The way this is coded now, wouldn't it go completely unnoticed for users who don't have the directory writable? For users that already do, mainly MediaWiki developers (via XAMPP, etc.), it would be a convenience, and security wouldn't be a worry for them, since their installations don't tend to be public-facing.

I always thought that manually moving the LocalSettings.php was intentionally a manual step, as a sort of server-side confirmation of the enabling of MediaWiki.

Change 114966 had a related patch set uploaded (by Paladox):
Automatically copy the LocalSettings.php file to the desired location

https://gerrit.wikimedia.org/r/114966

Nemo_bis claimed this task.

The discussion is ongoing, but for clarity I'll change the status of the report so that we don't forget there are major concerns and most people don't seem convinced about the proposed solution and feasibility in general.

The best possible thing we can do is maybe write LocalSettings.php to a temporary directory, and then tell the user to copy it over to the web root.

Is renaming a file on the server substantially easier than uploading the file directly? In my limited experience it's equally easy in FTP clients and in web-based file managers by web hosts. The only difference I can think of is that maybe one has a Windows machine at home and a Linux server, and Windows messes up the file upon download (e.g. wrong extension, maybe even encoding). Is this the sort of issue being considered?

Tim Starling wrote on gerrit:

No, we intentionally never did it in the first place. The old behaviour was to write it to the config directory and request that the user move it into the MW root, but this meant that the config directory needed to be web-writable, and the ownership on the LocalSettings.php file usually ended up being web-writable too since most people didn't bother to change it when they moved it. The new behaviour, introduced with the new installer, was to offer it as a download, so that no script files need to be web-writable.

Web-writable script directories are a commonly exploited means of escalation from arbitrary file write to arbitrary execution. Such escalation often crosses application boundaries -- a file write vulnerability in one application will be exploited by scanning for writable script files in another application.

If nobody knows about the feature, then it doesn't encourage users to make their webroot writable. As soon as anybody finds out about it, say by being documented in the installation instructions, then it becomes encouraged. If we need to keep it a secret, then what is the point in having it?
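
The concern in the comment above about web-writable script directories, as an added example (not part of the thread and not MediaWiki code): a Python audit that lists the directories and .php files under a webroot that a given account can write, judged by POSIX mode bits only. The function names, the `.php`-only filter and the uid/gid parameters are assumptions of this example; ACLs and read-only mounts are not considered.

```python
import os
import stat
import tempfile

SCRIPT_EXTS = (".php",)  # assumption: only PHP files count as scripts here


def writable_by(st, uid, gids):
    """POSIX mode-bit check: the owner class wins, then group, then other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_webroot(root, web_uid, web_gids=()):
    """Return sorted paths (relative to root) of directories and script
    files that the account web_uid/web_gids can write.

    A writable directory is reported because new script files can be
    created in it; a writable script file because it can be replaced.
    """
    gids = set(web_gids)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        scripts = [f for f in filenames if f.lower().endswith(SCRIPT_EXTS)]
        for path in [dirpath] + [os.path.join(dirpath, f) for f in scripts]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are meaningless; skip them
            if writable_by(st, web_uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample tree: a world-writable LocalSettings.php next to
    # a read-only index.php, audited for a uid that does not own them.
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for name, mode in (("LocalSettings.php", 0o666), ("index.php", 0o644)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    for finding in audit_webroot(root, os.getuid() + 1):
        print("web-writable:", finding)
```

Run against a real installation with the uid and group ids of the account PHP executes as; when that account owns the files, as in the per-user PHP-FPM setups discussed later in the thread, every owner-writable script is reported.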

Addshore added subscribers: dbarratt, Addshore.

@dbarratt and I would like to be able to write a LocalSettings file directly from the installer for use with the mediawiki-docker setup.

Currently in the README we have to provide an example as below:

volumes:
  - /var/www/html/images
  # After initial setup, download LocalSettings.php to the same directory as
  # this yaml and uncomment the following line and use compose to restart
  # the mediawiki service
  # - ./LocalSettings.php:/var/www/html/LocalSettings.php

If LocalSettings could be written directly by the installer we can remove this silly step, and have LocalSettings.php load the settings created by the installer and have a separate override file that the user of the docker image can mount to change settings.

I'm going to reopen this so that the ticket pops back up on people's radars.
We could implement this but leave the default workflow requiring the user to download and upload the file?

I'm going to reopen this so that the ticket pops back up on people's radars.
We could implement this but leave the default workflow requiring the user to download and upload the file?

Perhaps the installer should check to see if the web server has permission to create/edit the file and if so, do it, otherwise prompt the user to download?

If the web server already has permission to write, I don't see how it opens up any security vulnerabilities by using those permissions.

Aklapper changed the subtype of this task from "Task" to "Feature Request". Feb 4 2022, 11:13 AM
Aklapper removed a subscriber: wikibugs-l-list.

Nowadays, more and more web hosting providers use PHP-FPM (and/or php-cgi) to run PHP for each user separately, eliminating the traditional problems with write permissions for www-data when using mod_php. I think therefore it would prove much more useful now than 8 years ago to change behaviour and simplify installation.

MediaWiki is a tool that's useful for many kinds of users, including those with less technical abilities. The graphical installer MediaWiki supplies makes installation quite simple and straightforward. I find that having to transfer or copy-paste over a configuration file detracts from that user-friendly experience.

I would expect that nowadays in most cases users would have sufficient writing permissions, and that similar to other popular tools such as WordPress, MediaWiki could detect whether writing was possible and then decide based on the outcome whether to offer a download or write the file itself (potentially with a manual option to download regardless if so desired).

Change #114966 abandoned by Hashar:

[mediawiki/core@master] Automatically copy the LocalSettings.php file to the desired location

https://gerrit.wikimedia.org/r/114966

Change #114966 restored by Thcipriani:

[mediawiki/core@master] Automatically copy the LocalSettings.php file to the desired location

https://gerrit.wikimedia.org/r/114966