On 27/6/19 10:36 am, Brian Wolff wrote:
> Another option is just removing the $wgServer back compat value.
>
> The installer will automatically set $wgServer in LocalSettings.php. The
> default value in DefaultSettings.php is mostly for compat with really old
> installs before 1.16.
>
> Allowing autodetection is a security vulnerability - albeit mostly
> difficult to exploit. The primary method is via cache poisoning and then
> either redirecting or otherwise tricking users about the fake domain. See
> the original ticket https://phabricator.wikimedia.org/T30798 .
Interesting that I wrote there: "How about this: let's set $wgServer in the installer in 1.18, and remove $wgServer autodetection from DefaultSettings.php a bit later, say in 1.20."

It was indeed 1.18, not 1.16, in which $wgServer started being set in LocalSettings.php. I added it to LocalSettingsGenerator.php here: https://www.mediawiki.org/wiki/Special:Code/MediaWiki/90105

Anyway, it's past 1.20 so I guess that would be a good thing to do.

-- 
Tim Starling
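An added illustration, not code from this thread or from MediaWiki, of the cache-poisoning path Brian describes: a simplified model in which the site URL is either derived from the request's Host header, as the old DefaultSettings.php autodetection did, or pinned the way the installer now writes it into LocalSettings.php. The path-only cache key, the redirect shape, and the domains are constructed assumptions; the last helper is a simple check that a LocalSettings.php pins $wgServer to an explicit URL.

```python
import re
from typing import Callable, Dict

Headers = Dict[str, str]
CONFIGURED_SERVER = "https://wiki.example.org"  # constructed value for the example

def autodetect_server(headers: Headers) -> str:
    """Old DefaultSettings.php behaviour: $wgServer derived from the Host header."""
    return "https://" + headers.get("Host", "localhost")

def configured_server(headers: Headers) -> str:
    """Installer-era behaviour: $wgServer pinned in LocalSettings.php."""
    return CONFIGURED_SERVER

def build_redirect(path: str, headers: Headers, server_of: Callable[[Headers], str]) -> str:
    """An absolute Location URL built on $wgServer (simplified model of MediaWiki's redirects)."""
    return f"{server_of(headers)}{path}"

class SharedCache:
    """Reverse-proxy cache keyed only on the path (assumption), so Host is not part of the key."""

    def __init__(self) -> None:
        self.store: Dict[str, str] = {}

    def fetch(self, path: str, headers: Headers, server_of: Callable[[Headers], str]) -> str:
        if path not in self.store:  # cache miss: response is computed once and stored
            self.store[path] = build_redirect(path, headers, server_of)
        return self.store[path]

def redirect_seen_by_victim(server_of: Callable[[Headers], str]) -> str:
    """A first request carries a forged Host header; a later ordinary visitor gets the cached reply."""
    cache = SharedCache()
    cache.fetch("/wiki/Main_Page", {"Host": "attacker.example.net"}, server_of)
    return cache.fetch("/wiki/Main_Page", {"Host": "wiki.example.org"}, server_of)

# Matches an uncommented assignment of an absolute or protocol-relative URL to $wgServer.
WG_SERVER_RE = re.compile(r"^\s*\$wgServer\s*=\s*['\"](?:https?:)?//", re.MULTILINE)

def wg_server_is_pinned(local_settings: str) -> bool:
    """Check that LocalSettings.php assigns $wgServer explicitly rather than relying on autodetection."""
    return WG_SERVER_RE.search(local_settings) is not None

if __name__ == "__main__":
    print(redirect_seen_by_victim(autodetect_server))  # https://attacker.example.net/wiki/Main_Page
    print(redirect_seen_by_victim(configured_server))  # https://wiki.example.org/wiki/Main_Page
    print(wg_server_is_pinned('$wgServer = "https://wiki.example.org";'))  # True
```

With autodetection the forged host is baked into the cached redirect and served to every later visitor of that path; with the pinned value the Host header never reaches the response.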
