Question about $wgServer Variable
I've changed my LocalSettings.php file to change some settings based on the subdomain that it comes under. Example: texas.domain.com will swap out the logo to a Texas-based logo. Everything seems to work ok except for saving after editing a page. When the form gets submitted, the URL for the article page changed from texas.domain.com to domain.com. I thought it had to do with the action on the form, but it doesn't. The search form on the page has an action very similar and the domain stays texas.domain.com. I went through the code and traced it to the getFullURL() function in includes/Title.php. It builds the URL from the $wgServer var and $this->getLocalUrl. The $wgServer var is set to just 'domain.com', so that's where things get messed up. The $wgServer variable gets set in the includes/DefaultSettings.php file from $wgProto.'://' . $_SERVER['SERVER_NAME'];
My question is I overwrote the $wgServer variable in my LocalSettings.php file to use $_SERVER["HTTP_HOST"] instead and preserve the subdomain. Does anyone know if this will mess anything up? It seems to work ok so far, and it fixed the problem with saving a page. Oh yeah I'm using mediawiki-1.3.2.

Adam
Re: Question about $wgServer Variable
On Dec 6, 2004, at 1:01 PM, Adam Edwards wrote:
> My question is I overwrote the $wgServer variable in my
> LocalSettings.php file to use $_SERVER["HTTP_HOST"] instead and
> preserve the subdomain. Does anyone know if this will mess anything
> up?

This value is provided by the client, so it may be possible to exploit,
depending on your server configuration. Cache poisoning attacks with
HTML/JavaScript injections might be a possibility if it's not properly
sanitized in output.

You should ensure that the variable can only have certain predefined
values before using it in this way.

> Oh yeah I'm using mediawiki-1.3.2.

Please upgrade to 1.3.8 immediately; there are numerous bug fixes and
some important security fixes.

-- brion vibber (brion @ pobox.com)
RE: Question about $wgServer Variable
Thanks for your reply, and what you said brings up an important point. The way I use the variable is through only predefined values so I should be ok. Do you know of a better/safer way to get the subdomain than through the _SERVER["HTTP_HOST"] variable? I also expected the upgrade "suggestion" ;).

Adam

Re: Question about $wgServer Variable
On Dec 6, 2004, at 3:33 PM, Adam Edwards wrote:
> Thanks for your reply, and what you said brings up an important point.
> The way I use the variable is through only predefined values so I
> should be ok. Do you know of a better/safer way to get the
> subdomain than through the _SERVER["HTTP_HOST"] variable?

With Apache, if you set an explicit value with a ServerName
directive (eg in a <VirtualHost> section) it will come through via
$_SERVER['SERVER_NAME']; this is what's picked up automatically by
MediaWiki.

If you're running multiple canonical hostnames out of the same
<VirtualHost> section, then using $_SERVER['HTTP_HOST'] and carefully
validating the value is probably the only good way to do it.

> I also expected the upgrade "suggestion" ;).

You could have pre-empted it by upgrading first. ;)

-- brion vibber (brion @ pobox.com)
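The allowlist approach Brion describes (derive $wgServer from $_SERVER['HTTP_HOST'] only after matching it against fixed, predefined hostnames) as an added LocalSettings.php example; this is not code from the thread or from MediaWiki itself. domain.com, texas.domain.com and $wgProto come from the thread; ohio.domain.com, the logo path and the helper name wfSelectServerHost are placeholders.

```php
<?php
// Added example for LocalSettings.php (not from the thread or from MediaWiki).
// The Host header is attacker-controlled, so it is never copied into $wgServer
// directly: it is normalised, compared against an exact allowlist, and replaced
// by the canonical host when it does not match.

$wgCanonicalHost = 'domain.com';   // used whenever the Host header is not recognised

// Exact hostnames this wiki answers for. A forged header such as
// "texas.domain.com.example.net" or "evil.example" fails the exact match and
// therefore never reaches generated URLs, rendered HTML, or the page cache.
$wgAllowedHosts = array(
    'domain.com',
    'texas.domain.com',
    'ohio.domain.com',   // placeholder subdomain
);

// Hypothetical helper (named in MediaWiki's wf* style, but not part of MediaWiki).
function wfSelectServerHost( $hostHeader, $allowed, $fallback ) {
    // Lower-case, drop an optional ":port" suffix and a trailing dot so that
    // "Texas.Domain.com:80" and "texas.domain.com." compare as the same name.
    $host = strtolower( trim( (string)$hostHeader ) );
    $host = preg_replace( '/:\d+$/', '', $host );
    $host = rtrim( $host, '.' );
    // Strict in_array: only an exact allowlisted string is accepted, no prefix
    // or suffix matching, and no type juggling.
    return in_array( $host, $allowed, true ) ? $host : $fallback;
}

$wgSelectedHost = wfSelectServerHost(
    isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : '',
    $wgAllowedHosts,
    $wgCanonicalHost
);

// Same construction DefaultSettings.php uses, but with the validated host.
$wgServer = $wgProto . '://' . $wgSelectedHost;

// Per-subdomain customisation is keyed on the validated name, not the raw header.
if ( $wgSelectedHost === 'texas.domain.com' ) {
    $wgLogo = "$wgScriptPath/images/texas-logo.png";   // placeholder path
}
```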