Another option is just removing the $wgServer back compat value.

The installer will automatically set $wgServer in LocalSettings.php. The
default value in DefaultSettings.php is mostly for compat with really old
installs before 1.16.

Allowing autodetection is a security vulnerability - albeit mostly
difficult to exploit. The primary method is via cache poisoning and then
either redirecting or otherwise tricking users about the fake domain. See
the original ticket https://phabricator.wikimedia.org/T30798 . Another
possibility is putting unsafe values in the host header to try and get an
xss (followed by cache poisoning so it's not just self xss). I'm unsure off
the top of my head what validation if any is done (I'm pretty sure it's less
strict than legal domains) so I'm not sure how practical that is.

Anyways, 1.16 was a long time ago. Put my vote as: we should make a breaking
change and just throw an exception if wgServer is not set in
LocalSettings.php.

--
Brian

P.S. People with access to security tasks may also find the phab comment at
https://phabricator.wikimedia.org/T157426#3192740 interesting, where some of
the implications of $wgServer were discussed (note the task was primarily
about something else and is unfortunately still secret).


On Tuesday, June 25, 2019, Kunal Mehta <lego...@member.fsf.org> wrote:

> Hi,
>
> I (with Reedy's help) recently started work on librarizing MediaWiki's
> IP class into a separate composer package (wikimedia/ip-utils[1]). The
> main motivation was so that the Parsoid PHP port could use it[2].
>
> However, I ran into an unexpected hitch[3], as it seems we're using
> the IP class before the composer autoloader is even initialized. Here's
> the basic initialization in Setup.php:
>
> - AutoLoader.php (MediaWiki's)
> - Defines.php
> - DefaultSettings.php
>   - $wgServer = WebRequest::detectServer()
>     - Calls IP::splitHostAndPort()
> - GlobalFunctions.php
> - vendor/autoload.php (composer's)
>
> My understanding is that composer's autoloader runs late so extensions
> registering themselves using it can add their stuff to the necessary
> globals.
>
> And we call WebRequest::detectServer() in DefaultSettings.php so that
> in LocalSettings.php people can use the value of $wgServer for other
> stuff.
>
> I see 3 main ways to move forward:
>
> 1. Move vendor/autoload.php earlier in Setup.php, potentially breaking
> extensions that still rely on composer autoloading for initialization.
> 2. Set $wgServer = false or something in DefaultSettings.php, and then
> fill it in later in Setup.php *after* the composer autoloader has been
> loaded, potentially breaking anyone relying on the value of $wgServer
> in LocalSettings.php.
> 3. (status quo) not librarize code that runs before composer
> autoloader initialization. :(
>
> Advice/input welcome.
>
> [1] https://packagist.org/packages/wikimedia/ip-utils
> [2] https://gerrit.wikimedia.org/g/mediawiki/services/parsoid/+/77064cfff7176493a2828bb4f95f397dfce7d659/src/Utils/Title.php#46
> [3] https://gerrit.wikimedia.org/r/c/mediawiki/core/+/519089/
>
> -- Legoktm
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
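Brian's point above, that deriving $wgServer from the request's Host header lets a client choose the host that ends up in generated (and cached) URLs, illustrated with an added PHP sketch that is not MediaWiki code. `detectServerFromRequest()` and `resolveServer()` are hypothetical stand-ins; the second implements the proposed "throw if $wgServer is unset" behaviour and additionally (beyond what the thread proposes) rejects requests whose Host header does not match the configured server.

```php
<?php
// Added example (not MediaWiki's code): weak Host-header autodetection vs.
// an explicit $wgServer that the request must match.

// Shape of autodetection: the value comes from headers the client controls,
// so a cache in front of the wiki can store URLs built from a forged host.
function detectServerFromRequest(array $server): string {
    $proto = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host = $server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? 'localhost';
    return "$proto://$host";
}

// Proposed behaviour: $wgServer must be set explicitly; no fallback to the
// Host header. Also checks the Host header against the configured host (plus
// an optional allowlist) so a forged Host neither alters URLs nor gets cached.
function resolveServer(?string $configuredServer, array $server, array $extraAllowed = []): string {
    if ($configuredServer === null || $configuredServer === '') {
        throw new RuntimeException('$wgServer must be set in LocalSettings.php; autodetection is disabled');
    }
    $parsed = parse_url($configuredServer);
    if ($parsed === false || empty($parsed['host'])) {
        throw new RuntimeException("Invalid \$wgServer: $configuredServer");
    }
    $allowed = array_map('strtolower', array_merge([$parsed['host']], $extraAllowed));
    // Strip an explicit port; accept only strict DNS-label syntax (hostnames, not IPv6 literals).
    $host = strtolower(preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? ''));
    $label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?';
    if (!preg_match("/^$label(\\.$label)*$/", $host) || !in_array($host, $allowed, true)) {
        throw new RuntimeException("Host header '$host' does not match the configured \$wgServer");
    }
    return $configuredServer;
}

// Constructed request carrying a forged Host header.
$forged = ['HTTP_HOST' => 'evil.example', 'HTTPS' => 'on'];
echo detectServerFromRequest($forged), "\n";   // autodetection happily yields https://evil.example

try {
    resolveServer('https://wiki.example.org', $forged);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
try {
    resolveServer(null, ['HTTP_HOST' => 'wiki.example.org']);   // unset $wgServer: hard failure
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
echo resolveServer('https://wiki.example.org', ['HTTP_HOST' => 'wiki.example.org:443']), "\n";
```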