Yeah, downloading the tarball and then applying a patch is probably the way to go. I could do it in a separate directory, and only proceed if the patch succeeds. It is doable. I'll spend some time on it when I have another free day
On Thu., Sep. 17, 2020, 9:59 p.m. Ralph Versteegen, <[email protected]> wrote: > > > On Fri, 18 Sep 2020 at 02:08, James Paige <[email protected]> wrote: > >> I would be happy to disable http completely, and always redirect http to >> https. >> >> People who have an OS so old that it can't support https are welcome to >> open a web browser on a separate device. >> >> I don't actually know how to do this just for the login page. I think I >> remember an option in the dreamhost config panel to do this for the whole >> site, but I would have to hunt for it. >> >> A *MUCH* bigger security concern is that I can't upgrade Mediawiki >> anymore. It has been years since running "git pull" on a large repo in a >> shell script on a dreamhost shared account was a viable option. >> > > Is the reason that you're using git to download mediawiki versions because > you use git to merge your local changes? > Are those local changes just in LocalSettings.php? > If it's just a couple files, it seems practical to write a small shell > script to download a tarball and do an interactive merge of those couple > files using sdiff. > > >> I had a clunky workaround where I would rsync the whole thing locally, >> upgrade it, rsync it back up to dreamhost, and then run the last stage of >> the upgrade. >> >> I am always terrified that I will break the whole thing every time I do >> that, but maybe I will give it a try today since I happen to be on a >> vacation day and have time. >> >> I would really like to move the whole wiki to a place where the upgrades >> were automatically managed for me. I haven't had time to look into that (in >> years) >> >> On Thu, Sep 17, 2020 at 9:57 AM Adam Perry <[email protected]> wrote: >> >>> It is not a good idea to have an HTTP login page. Your credentials are >>> sent in plain text when you log in via HTTP. >>> >>> I realize that the OHR wiki isn't the most high-profile target for >>> hackers, but it's still a bad idea. We don't need to allow wiki editing to >>> everyone able to use the engine if it means compromising security. >>> >>> >>> On Wed, Sep 16, 2020, 8:45 PM Ralph Versteegen <[email protected]> >>> wrote: >>> >>>> Holly reported, and I can confirm, that you can't log into the wiki, or >>>> create an account, when accessing it over HTTP instead of HTTPS. (I think I >>>> remember seeing this already quite a while ago.) You get the following >>>> message: >>>> >>>> "There seems to be a problem with your login session; this action has >>>> been canceled as a precaution against session hijacking. Please resubmit >>>> the form." >>>> >>>> It is nice to be able to access the wiki via HTTP, since HTTPS is >>>> inaccessible from ancient OSes such as some of those we support. If the >>>> login page could redirect from HTTP to HTTPS... >>>> >>>> Hmm, maybe I should file such things on github instead... >>>> _______________________________________________ >>>> Ohrrpgce mailing list >>>> [email protected] >>>> http://lists.motherhamster.org/listinfo.cgi/ohrrpgce-motherhamster.org >>>> >>> _______________________________________________ >>> Ohrrpgce mailing list >>> [email protected] >>> http://lists.motherhamster.org/listinfo.cgi/ohrrpgce-motherhamster.org >>> >> _______________________________________________ >> Ohrrpgce mailing list >> [email protected] >> http://lists.motherhamster.org/listinfo.cgi/ohrrpgce-motherhamster.org >> > _______________________________________________ > Ohrrpgce mailing list > [email protected] > http://lists.motherhamster.org/listinfo.cgi/ohrrpgce-motherhamster.org >
_______________________________________________ Ohrrpgce mailing list [email protected] http://lists.motherhamster.org/listinfo.cgi/ohrrpgce-motherhamster.org
