https://bugzilla.wikimedia.org/show_bug.cgi?id=69289
--- Comment #1 from Chris Steipp <[email protected]> ---

I set iss to $wgCanonicalServer, since that is the most stable, and canonical, representation of the server name. To get around the verification failure, you can either keep track of what the canonical server name is supposed to be (that's what I do in the PHP library I maintain: https://github.com/Stype/mwoauth-php). Or, in Phabricator, we pull off the protocol and just compare the host portion of the URL.

We can't use $_SERVER['SERVER_NAME'] / $_SERVER['HTTP_HOST'], because those can be influenced by an attacker. If we use $wgServer, you have the same problem that you can't match the protocol.

Probably the only realistic enhancement would be to use wgCanonicalServer, but update the protocol. That seems more confusing to me, but this issue has been reported (personally) to me enough times that I'm open to changing it. Just not sure what the best answer is.
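The two workarounds described in the comment above, as an added PHP example (not code from MediaWiki, mwoauth-php or Phabricator): a consumer checks the `iss` claim either against a pinned canonical server name or by host only. `EXPECTED_ISSUER`, the function names and the sample values are assumptions made for illustration.

```php
<?php
// Added example. EXPECTED_ISSUER is a constructed value: the wiki's canonical
// server as configured out of band by the consumer. It is never derived from
// $_SERVER['SERVER_NAME'] or $_SERVER['HTTP_HOST'], which the client controls.
const EXPECTED_ISSUER = 'https://wiki.example.org';

/** Strategy 1: exact match against the pinned canonical server name. */
function issuerMatchesPinned(string $iss, string $expected = EXPECTED_ISSUER): bool
{
    return hash_equals($expected, $iss);
}

/** Strategy 2: drop the protocol and compare only the host portion. */
function issuerMatchesHost(string $iss, string $expected = EXPECTED_ISSUER): bool
{
    // parse_url() also handles protocol-relative values like //wiki.example.org.
    $issHost = parse_url($iss, PHP_URL_HOST);
    $expectedHost = parse_url($expected, PHP_URL_HOST);
    if (!is_string($issHost) || !is_string($expectedHost)) {
        return false; // malformed or host-less value: reject
    }
    // Host names are case-insensitive; the port and path are ignored here.
    return strcasecmp($issHost, $expectedHost) === 0;
}

// Constructed sample iss values, not taken from real tokens.
$samples = [
    'https://wiki.example.org',               // canonical form
    'http://wiki.example.org',                // same host, other protocol
    '//wiki.example.org',                     // protocol-relative form
    'https://wiki.example.org.attacker.test', // look-alike host
    'https://attacker.test/wiki.example.org', // expected name only in the path
];

foreach ($samples as $iss) {
    printf(
        "%-42s pinned=%-5s host-only=%s\n",
        $iss,
        var_export(issuerMatchesPinned($iss), true),
        var_export(issuerMatchesHost($iss), true)
    );
}
```

The pinned check fails when the protocol differs, which is the verification failure this bug is about; the host-only check accepts that case while still rejecting look-alike hosts.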
