the mediawiki team has already reduced attack surface by making the sw less
functional, less fun, and basically broken so what is the difference?
practically none - some other upstart sw will take their place and engage
the cia triad with more efficiency and adroitness so api functions are
largely irrelevant in the longer term, sort of like ozzy osbourne and tony
bourdain. MW had a good run, perhaps they can regain some degree of
functionality that was lost in last few updates but the future is
unwritten.
On Thu, Aug 24, 2023 at 8:03?AM <mediawiki-l-request@lists.wikimedia.org>
wrote:
> Send MediaWiki-l mailing list submissions to
> mediawiki-l@lists.wikimedia.org
>
> To subscribe or unsubscribe, please visit
>
> https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
>
> You can reach the person managing the list at
> mediawiki-l-owner@lists.wikimedia.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of MediaWiki-l digest..."
>
> Today's Topics:
>
> 1. Disable api.php and rest.php? (Jeffrey Walton)
> 2. Re: Disable api.php and rest.php? (Amir Sarabadani)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 23 Aug 2023 17:13:49 -0400
> From: Jeffrey Walton <noloader@gmail.com>
> Subject: [MediaWiki-l] Disable api.php and rest.php?
> To: MediaWiki announcements and site admin list
> <mediawiki-l@lists.wikimedia.org>
> Message-ID:
> <
> CAH8yC8nLtkGYhP7dnXpo-hMvnND2Nht66v+UKoanBZSQ-37LXQ@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi Everyone,
>
> I was looking at our Special:Version page, and got to thinking about
> api.php [1] and rest.php.[2] I don't believe anyone on our team is
> using the APIs, and I would like to disable them to reduce attack
> surface. Or disable them on external interfaces (or maybe allow on
> localhost/127.0.0.1).
>
> I see api.php can be disabled via $wgEnableAPI.[1] But I don't see a
> similar option for rest.php.[2]
>
> I have two questions. First, is it possible to disable api.php and
> rest.php in practice? Or restrict them to internal interfaces only?
>
> Second, what option controls rest.php?
>
> And maybe a third question, can we rename api.php and rest.php tosay,
> api.php.unused and rest.php.unused? Will that produce ill effects?
>
> Thanks in advance.
>
> [1] https://www.mediawiki.org/wiki/Manual:Api.php
> [2] https://www.mediawiki.org/wiki/Manual:Rest.php
>
> ------------------------------
>
> Message: 2
> Date: Thu, 24 Aug 2023 04:15:44 +0200
> From: Amir Sarabadani <ladsgroup@gmail.com>
> Subject: [MediaWiki-l] Re: Disable api.php and rest.php?
> To: noloader@gmail.com, MediaWiki announcements and site admin list
> <mediawiki-l@lists.wikimedia.org>
> Message-ID:
> <CA+ttme1kSV34WZb=oAuqba1mvbCOyjnR6_bre=
> TMRGMkxhYNaw@mail.gmail.com>
> Content-Type: multipart/alternative;
> boundary="0000000000006298f80603a1d0dc"
>
> You could technically decline access in apache (or whatever software you're
> using).
>
> But I need to warn: Many functionalities of mediawiki are done by calling
> the API in the backend, e.g. when you log out, it calls an API, when you
> watch a page, it calls another API, and all of those would break if you
> disable the api.php or rest.php
>
> HTH
>
> Am Mi., 23. Aug. 2023 um 23:14 Uhr schrieb Jeffrey Walton <
> noloader@gmail.com>:
>
> > Hi Everyone,
> >
> > I was looking at our Special:Version page, and got to thinking about
> > api.php [1] and rest.php.[2] I don't believe anyone on our team is
> > using the APIs, and I would like to disable them to reduce attack
> > surface. Or disable them on external interfaces (or maybe allow on
> > localhost/127.0.0.1).
> >
> > I see api.php can be disabled via $wgEnableAPI.[1] But I don't see a
> > similar option for rest.php.[2]
> >
> > I have two questions. First, is it possible to disable api.php and
> > rest.php in practice? Or restrict them to internal interfaces only?
> >
> > Second, what option controls rest.php?
> >
> > And maybe a third question, can we rename api.php and rest.php tosay,
> > api.php.unused and rest.php.unused? Will that produce ill effects?
> >
> > Thanks in advance.
> >
> > [1] https://www.mediawiki.org/wiki/Manual:Api.php
> > [2] https://www.mediawiki.org/wiki/Manual:Rest.php
> > _______________________________________________
> > MediaWiki-l mailing list -- mediawiki-l@lists.wikimedia.org
> > To unsubscribe send an email to mediawiki-l-leave@lists.wikimedia.org
> >
> >
> https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
> >
>
>
> --
> Amir (he/him)
> -------------- next part --------------
> A message part incompatible with plain text digests has been removed ...
> Name: not available
> Type: text/html
> Size: 2670 bytes
> Desc: not available
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> MediaWiki-l mailing list -- mediawiki-l@lists.wikimedia.org
> To unsubscribe send an email to mediawiki-l-leave@lists.wikimedia.org
>
>
> ------------------------------
>
> End of MediaWiki-l Digest, Vol 239, Issue 2
> *******************************************
>
--
Best Regards,
Shep Husted
27 Hege Dr. #39
Lexington , NC
27292
lexingtonpc.net
linuxportland.com
maxgaming.info
functional, less fun, and basically broken so what is the difference?
practically none - some other upstart sw will take their place and engage
the cia triad with more efficiency and adroitness so api functions are
largely irrelevant in the longer term, sort of like ozzy osbourne and tony
bourdain. MW had a good run, perhaps they can regain some degree of
functionality that was lost in last few updates but the future is
unwritten.
On Thu, Aug 24, 2023 at 8:03?AM <mediawiki-l-request@lists.wikimedia.org>
wrote:
> Send MediaWiki-l mailing list submissions to
> mediawiki-l@lists.wikimedia.org
>
> To subscribe or unsubscribe, please visit
>
> https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
>
> You can reach the person managing the list at
> mediawiki-l-owner@lists.wikimedia.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of MediaWiki-l digest..."
>
> Today's Topics:
>
> 1. Disable api.php and rest.php? (Jeffrey Walton)
> 2. Re: Disable api.php and rest.php? (Amir Sarabadani)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 23 Aug 2023 17:13:49 -0400
> From: Jeffrey Walton <noloader@gmail.com>
> Subject: [MediaWiki-l] Disable api.php and rest.php?
> To: MediaWiki announcements and site admin list
> <mediawiki-l@lists.wikimedia.org>
> Message-ID:
> <
> CAH8yC8nLtkGYhP7dnXpo-hMvnND2Nht66v+UKoanBZSQ-37LXQ@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi Everyone,
>
> I was looking at our Special:Version page, and got to thinking about
> api.php [1] and rest.php.[2] I don't believe anyone on our team is
> using the APIs, and I would like to disable them to reduce attack
> surface. Or disable them on external interfaces (or maybe allow on
> localhost/127.0.0.1).
>
> I see api.php can be disabled via $wgEnableAPI.[1] But I don't see a
> similar option for rest.php.[2]
>
> I have two questions. First, is it possible to disable api.php and
> rest.php in practice? Or restrict them to internal interfaces only?
>
> Second, what option controls rest.php?
>
> And maybe a third question, can we rename api.php and rest.php tosay,
> api.php.unused and rest.php.unused? Will that produce ill effects?
>
> Thanks in advance.
>
> [1] https://www.mediawiki.org/wiki/Manual:Api.php
> [2] https://www.mediawiki.org/wiki/Manual:Rest.php
>
> ------------------------------
>
> Message: 2
> Date: Thu, 24 Aug 2023 04:15:44 +0200
> From: Amir Sarabadani <ladsgroup@gmail.com>
> Subject: [MediaWiki-l] Re: Disable api.php and rest.php?
> To: noloader@gmail.com, MediaWiki announcements and site admin list
> <mediawiki-l@lists.wikimedia.org>
> Message-ID:
> <CA+ttme1kSV34WZb=oAuqba1mvbCOyjnR6_bre=
> TMRGMkxhYNaw@mail.gmail.com>
> Content-Type: multipart/alternative;
> boundary="0000000000006298f80603a1d0dc"
>
> You could technically decline access in apache (or whatever software you're
> using).
>
> But I need to warn: Many functionalities of mediawiki are done by calling
> the API in the backend, e.g. when you log out, it calls an API, when you
> watch a page, it calls another API, and all of those would break if you
> disable the api.php or rest.php
>
> HTH
>
> Am Mi., 23. Aug. 2023 um 23:14 Uhr schrieb Jeffrey Walton <
> noloader@gmail.com>:
>
> > Hi Everyone,
> >
> > I was looking at our Special:Version page, and got to thinking about
> > api.php [1] and rest.php.[2] I don't believe anyone on our team is
> > using the APIs, and I would like to disable them to reduce attack
> > surface. Or disable them on external interfaces (or maybe allow on
> > localhost/127.0.0.1).
> >
> > I see api.php can be disabled via $wgEnableAPI.[1] But I don't see a
> > similar option for rest.php.[2]
> >
> > I have two questions. First, is it possible to disable api.php and
> > rest.php in practice? Or restrict them to internal interfaces only?
> >
> > Second, what option controls rest.php?
> >
> > And maybe a third question, can we rename api.php and rest.php tosay,
> > api.php.unused and rest.php.unused? Will that produce ill effects?
> >
> > Thanks in advance.
> >
> > [1] https://www.mediawiki.org/wiki/Manual:Api.php
> > [2] https://www.mediawiki.org/wiki/Manual:Rest.php
> > _______________________________________________
> > MediaWiki-l mailing list -- mediawiki-l@lists.wikimedia.org
> > To unsubscribe send an email to mediawiki-l-leave@lists.wikimedia.org
> >
> >
> https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
> >
>
>
> --
> Amir (he/him)
> -------------- next part --------------
> A message part incompatible with plain text digests has been removed ...
> Name: not available
> Type: text/html
> Size: 2670 bytes
> Desc: not available
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> MediaWiki-l mailing list -- mediawiki-l@lists.wikimedia.org
> To unsubscribe send an email to mediawiki-l-leave@lists.wikimedia.org
>
>
> ------------------------------
>
> End of MediaWiki-l Digest, Vol 239, Issue 2
> *******************************************
>
--
Best Regards,
Shep Husted
27 Hege Dr. #39
Lexington , NC
27292
lexingtonpc.net
linuxportland.com
maxgaming.info