Chad has uploaded a new change for review.
https://gerrit.wikimedia.org/r/299789
Change subject: Remove support for getenv('http_proxy') in MediaWiki
......................................................................
Remove support for getenv('http_proxy') in MediaWiki
PHP (and other programming languages) are vulnerable to an exploit
when making external requests via a proxy when a client provides a
Proxy header. See https://httpoxy.org/ for more information.
MediaWiki now requires $wgHTTPProxy to be set when attempting to
use a proxy for requests and can no longer rely on http_proxy
environment variables. As it exists, this code is inherently unsafe
on case-insensitive platforms (eg: Windows) and hard to be sure of
for other platforms.
All users using a proxy for MediaWiki and *not* setting $wgHTTPProxy
are advised to do so immediately to mitigate this problem. This will
be required as of the next security release.
All extensions maintained in Git/Gerrit appear to be Doing The Right
Thing and not trying to use getenv('http_proxy') directly. This would
be a bad thing to start doing. Call Http::getProxy() if you need to
manually get a proxy from MW for external requests.
Bug: T140658
Change-Id: If9a968fce6f46836300e7963913774796213408f
---
M RELEASE-NOTES-1.27
M includes/HttpFunctions.php
2 files changed, 11 insertions(+), 7 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/89/299789/1
diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27
index ef903a4..2a6ed3a 100644
--- a/RELEASE-NOTES-1.27
+++ b/RELEASE-NOTES-1.27
@@ -1,3 +1,12 @@
+== MediaWiki 1.27.1 ==
+
+This is a maintenance release of the MediaWiki 1.27 branch.
+
+=== Changes since 1.27.0 ===
+* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
+ made by MediaWiki via a proxy. Relying on the http_proxy environment
+ variable is no longer supported.
+
== MediaWiki 1.27 ==
=== PHP version requirement ===
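Review bot: The new 1.27.1 bullet announces the break but gives no reason and no pointer for an admin who hits it. Suggest naming the cause (the client-supplied Proxy header issue described at https://httpoxy.org/) and the task (T140658) in the bullet, and stating that a wiki which relied on http_proxy gets no proxy from MediaWiki until $wgHTTPProxy is set. The section also calls 1.27.1 "a maintenance release" while the commit message says the setting "will be required as of the next security release"; the two should agree.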
diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index b12f49f..694bbb5 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -194,7 +194,7 @@
}
/**
- * Gets the relevant proxy from $wgHTTPProxy/http_proxy (when set).
+ * Gets the relevant proxy from $wgHTTPProxy
*
* @return mixed The proxy address or an empty string if not set.
*/
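Review bot: The rewritten summary line of this docblock lost its terminating period and does not say that the environment is ignored on purpose. Suggest wording along the lines of "Gets the relevant proxy from $wgHTTPProxy. The http_proxy environment variable is deliberately not consulted (T140658)." so that a later cleanup does not reintroduce the getenv() fallback.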
@@ -203,11 +203,6 @@
if ( $wgHTTPProxy ) {
return $wgHTTPProxy;
- }
-
- $envHttpProxy = getenv( "http_proxy" );
- if ( $envHttpProxy ) {
- return $envHttpProxy;
}
return "";
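Review bot: No test pins the new behaviour of getProxy() in this hunk: with the getenv( "http_proxy" ) branch removed it returns "" whenever $wgHTTPProxy is unset, and the change touches only RELEASE-NOTES-1.27 and includes/HttpFunctions.php. Suggest adding a unit test that sets http_proxy in the environment, leaves $wgHTTPProxy empty, and asserts that Http::getProxy() returns an empty string, so the fallback cannot come back unnoticed in a refactor.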
@@ -393,7 +388,7 @@
return;
}
- // Otherwise, fallback to $wgHTTPProxy/http_proxy (when set) if
this is not a machine
+ // Otherwise, fallback to $wgHTTPProxy if this is not a machine
// local URL and proxies are not disabled
if ( Http::isLocalURL( $this->url ) || $this->noProxy ) {
$this->proxy = '';
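Review bot: In the updated comment line, "fallback" is used as a verb and should read "fall back to $wgHTTPProxy". Separately, the removed comment is wrapped across two lines in this mail ("this is not a machine" carries no leading "-"), so the hunk as posted does not match its @@ -393,7 +388,7 @@ header; check it against the change in Gerrit rather than applying it from the e-mail.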
--
To view, visit https://gerrit.wikimedia.org/r/299789
Gerrit-MessageType: newchange
Gerrit-Change-Id: If9a968fce6f46836300e7963913774796213408f
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Chad <[email protected]>