Chad has uploaded a new change for review.
https://gerrit.wikimedia.org/r/299817
Change subject: Remove support for getenv('http_proxy') in MediaWiki
......................................................................

Remove support for getenv('http_proxy') in MediaWiki

PHP (and other programming languages) are vulnerable to an exploit
when making external requests via a proxy when a client provides a
Proxy header. See https://httpoxy.org/ for more information.

MediaWiki now requires $wgHTTPProxy to be set when attempting to
use a proxy for requests and can no longer rely on http_proxy
environment variables. As it exists, this code is inherently unsafe
on case-insensitive platforms (e.g. Windows) and hard to be sure of
for other platforms.

All users using a proxy for MediaWiki and *not* setting $wgHTTPProxy
are advised to do so immediately to mitigate this problem. This will
be required as of the next security release.

All extensions maintained in Git/Gerrit appear to be Doing The Right
Thing and not trying to use getenv('http_proxy') directly. This would
be a bad thing to start doing. Call Http::getProxy() if you need to
manually get a proxy from MW for external requests.

Bug: T140658
Change-Id: I5b782003098a1ddd4f4801bb606d6218741f4972
---
M RELEASE-NOTES-1.26
M includes/HttpFunctions.php
2 files changed, 4 insertions(+), 4 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/17/299817/1
diff --git a/RELEASE-NOTES-1.26 b/RELEASE-NOTES-1.26
index 5ee7f5f..1f238af 100644
--- a/RELEASE-NOTES-1.26
+++ b/RELEASE-NOTES-1.26
@@ -6,6 +6,9 @@
This is a maintenance release of the MediaWiki 1.26 branch.
=== Changes since 1.26.3 ===
+* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
+ made by MediaWiki via a proxy. Relying on the http_proxy environment
+ variable is no longer supported.
* (T124163) Fixed fatal error in DifferenceEngine under HHVM.
== MediaWiki 1.26.3 ==
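Review bot: the new BREAKING CHANGE entry carries no task reference, unlike the "(T124163)" entry directly below it, and does not say why the fallback was dropped. Prefixing it with (T140658) from the commit message and adding a short pointer to the Proxy-header issue (https://httpoxy.org/) would let operators who read only the release notes see that setting $wgHTTPProxy is a security fix and not just a configuration change.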
diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index 3dff971..a00d3af 100644
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -46,7 +46,6 @@
* - postData An array of key-value pairs or a
url-encoded form data
* - proxy The proxy to use.
* Otherwise it will use $wgHTTPProxy (if set)
- * Otherwise it will use the environment
variable "http_proxy" (if set)
* - noProxy Don't use any proxy at all. Takes
precedence over proxy value(s).
* - sslVerifyHost Verify hostname against certificate
* - sslVerifyCert Verify SSL certificate
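Review bot: with the http_proxy line removed, the description of the proxy option ends at "Otherwise it will use $wgHTTPProxy (if set)" and no longer says what happens when neither value is set. State explicitly that no proxy is used in that case and that environment variables are not consulted, so a later reader does not take the missing fallback for an oversight and add it back.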
@@ -374,14 +373,12 @@
return;
}
- // Otherwise, fallback to $wgHTTPProxy/http_proxy (when set) if
this is not a machine
+ // Otherwise, fallback to $wgHTTPProxy (when set) if this is
not a machine
// local URL and proxies are not disabled
if ( Http::isLocalURL( $this->url ) || $this->noProxy ) {
$this->proxy = '';
} elseif ( $wgHTTPProxy ) {
$this->proxy = $wgHTTPProxy;
- } elseif ( getenv( "http_proxy" ) ) {
- $this->proxy = getenv( "http_proxy" );
}
}
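Review bot: once the getenv() branch is gone, the if/elseif chain has no final else, so for a non-local URL with $wgHTTPProxy empty, $this->proxy is left at whatever it held before this block. The transport code is not part of this diff; please confirm it passes an explicit empty proxy to the HTTP library in that case, because libcurl reads http_proxy from the environment on its own when no proxy option is set, which would keep the environment fallback alive underneath this change. An explicit else that sets $this->proxy = '' would make the intent visible here.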
--
To view, visit https://gerrit.wikimedia.org/r/299817
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I5b782003098a1ddd4f4801bb606d6218741f4972
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_26
Gerrit-Owner: Chad <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
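
The Proxy-header problem the commit message refers to, and the effect of dropping the environment fallback, as an added example (not MediaWiki code and not part of this change). All function names are hypothetical, the request is constructed, and the case-insensitive lookup stands in for a platform such as Windows.

```php
<?php
// Added illustration, not MediaWiki code; every function name is hypothetical.

/** CGI-style mapping (RFC 3875): request header Foo-Bar becomes HTTP_FOO_BAR. */
function cgiEnvironment( array $serverEnv, array $requestHeaders ): array {
	$env = $serverEnv;
	foreach ( $requestHeaders as $name => $value ) {
		$env['HTTP_' . strtoupper( str_replace( '-', '_', $name ) )] = $value;
	}
	return $env;
}

/** Stand-in for getenv() on a platform whose variable names ignore case. */
function lookupIgnoringCase( array $env, string $name ) {
	foreach ( $env as $key => $value ) {
		if ( strcasecmp( $key, $name ) === 0 ) {
			return $value;
		}
	}
	return false;
}

/** Selection order before the change: configuration, then environment. */
function proxyBefore( string $wgHTTPProxy, array $env ): string {
	if ( $wgHTTPProxy !== '' ) {
		return $wgHTTPProxy;
	}
	return lookupIgnoringCase( $env, 'http_proxy' ) ?: '';
}

/** Selection order after the change: configuration only. */
function proxyAfter( string $wgHTTPProxy ): string {
	return $wgHTTPProxy;
}

// Constructed request: the operator configured no proxy, the client sent "Proxy:".
$env = cgiEnvironment(
	[ 'PATH' => '/usr/bin' ],
	[ 'Proxy' => 'http://client-chosen.example:8080' ]
);

// Old order with no configured proxy falls through to the request-derived variable.
var_dump( proxyBefore( '', $env ) );
// New order never looks at the environment.
var_dump( proxyAfter( '' ) );
// With $wgHTTPProxy set, both orders use the operator's value.
var_dump( proxyBefore( 'http://proxy.internal.example:3128', $env ) );
var_dump( proxyAfter( 'http://proxy.internal.example:3128' ) );
```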