Mailing List Archive

Should the webserver have access to maintenance directory?
Hi Everyone,

Forgive my ignorance... Should the webserver have access to the
maintenance/ directory?

The reason I ask is, I run scripts from maintenance/ manually, like
update.php. But it is not clear to me if the webserver should be
running anything on its own.

Jeff

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: Should the webserver have access to maintenance directory?
The webserver should not need to directly serve files in the maintenance
directory (I would suggest that PHP files should still be able to include
stuff from maintenance, although strictly speaking I'm not sure how
necessary that is).

The scripts are designed so that nothing bad should happen if your
webserver has access; however, if you are paranoid, I would suggest
restricting access.

Generally the only things that need to be directly accessible by the
webserver are the PHP files in the main directory, the images directory, the
extensions directory [mostly for backwards compat], the skins directory
[for backwards compat, not needed for most modern skins], maybe the
resources directory [particularly in debug mode] and the mw-config
directory during install and if using the web updater. Of course, the PHP
files in include need to be readable by the webserver, but they don't need
to be directly accessible. For example, Wikimedia sites restrict what's
accessible via stub endpoints in
https://github.com/wikimedia/operations-mediawiki-config/tree/master/w and
https://github.com/wikimedia/operations-mediawiki-config/blob/master/w/static.php
to serve static files.

If you are using Apache, this might already be the case since there is a
.htaccess file in the maintenance directory.

On Thu, Dec 17, 2020 at 7:02 AM Jeffrey Walton <noloader@gmail.com> wrote:

> Hi Everyone,
>
> Forgive my ignorance... Should the webserver have access to the
> maintenance/ directory?
>
> The reason I ask is, I run scripts from maintenance/ manually, like
> update.php. But it is not clear to me if the webserver should be
> running anything on its own.
>
> Jeff
>
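
A way to verify the outcome on your own wiki, as an added example that is not part of the thread or of MediaWiki's code: request one file from each directory the reply says need not be served directly and flag anything the server does not refuse. The base URL, the probe files includes/Setup.php and mw-config/index.php, and the sample responses are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request

# Probe files, relative to the wiki's script path. update.php is named in the
# thread; includes/Setup.php and mw-config/index.php are assumed probe files.
NOT_FOR_THE_WEB = ("maintenance/update.php", "includes/Setup.php")
INSTALLER_ONLY = ("mw-config/index.php",)  # install and web updater only
REFUSED = (401, 403, 404)  # the server declined to serve the file


def http_status(url, timeout=5):
    """GET url and return the status code, including error codes."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(base_url, fetch=http_status, web_updater=False):
    """Return [(path, status)] for files served that should be refused."""
    paths = NOT_FOR_THE_WEB + (() if web_updater else INSTALLER_ONLY)
    findings = []
    for path in paths:
        status = fetch(base_url.rstrip("/") + "/" + path)
        if status not in REFUSED:
            findings.append((path, status))
    return findings


# Constructed responses for a hypothetical wiki at https://wiki.example/w.
BASE = "https://wiki.example/w"
# Apache honouring maintenance/.htaccess, other directories denied in the vhost.
HTACCESS_HONOURED = {
    BASE + "/maintenance/update.php": 403,
    BASE + "/includes/Setup.php": 403,
    BASE + "/mw-config/index.php": 404,
}
# Same tree where .htaccess is ignored (AllowOverride None, or nginx).
HTACCESS_IGNORED = {
    BASE + "/maintenance/update.php": 200,
    BASE + "/includes/Setup.php": 200,
    BASE + "/mw-config/index.php": 200,
}

if __name__ == "__main__":
    for name, sample in (("honoured", HTACCESS_HONOURED), ("ignored", HTACCESS_IGNORED)):
        print(name, audit(BASE, fetch=sample.get))
```

A finding here only shows that the server did not refuse the request; as the reply says, the scripts are designed so that nothing bad should happen in that case. Pass `web_updater=True` if mw-config is meant to stay reachable.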