Disable $wgServer autodetection to prevent cache poisoning attacks
author Kunal Mehta <legoktm@member.fsf.org>
Fri, 19 Jul 2019 04:04:41 +0000 (00:04 -0400)
committer James D. Forrester <jforrester@wikimedia.org>
Wed, 30 Oct 2019 22:02:14 +0000 (15:02 -0700)
commit 326d52f9613c5227d75f97361be6ec6ef78b214e
tree 5653f81f03c6bbc42d8481e0605cd1b5fbec0c6f
parent 13832025a46df3e0edd658dfb756159c2c5ac722
Disable $wgServer autodetection to prevent cache poisoning attacks

Since MediaWiki 1.18, $wgServer has been automatically set by the web installer
when it generates LocalSettings.php, so this shouldn't be an issue for most
wikis. The CLI installer now supports an optional --server parameter to
specify $wgServer; otherwise it'll be set to 'http://localhost' by default.

Users will see a fatal error pointing them to the on-wiki $wgServer
documentation that I've updated as well.

Originally this functionality was slated for removal in 1.20, but now is
just as good a time as any. It also calls into other parts of MediaWiki before
most things are initialized, making it difficult to librarize some code.

Bug: T30798
Bug: T232931
Change-Id: Ia5d616e7fafbab01655067c24c5a3a073b254f21
(cherry picked from commit 03078991c4408b8e4e72cc28584a9d011d9edf72)
RELEASE-NOTES-1.34
includes/DefaultSettings.php
includes/Setup.php
includes/installer/CliInstaller.php
includes/installer/Installer.php
maintenance/install.php
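
Added example (not code from this commit or from MediaWiki): a small PHP model of why a server URL taken from the request can end up in a shared cache, next to the configured, fail-closed form the commit message describes. It assumes autodetection reads the Host header and that the cache is keyed on path only; all function names, hostnames and the error text are hypothetical.

```php
<?php
// Added illustration, not MediaWiki code; every function name is hypothetical
// and both requests are constructed sample input.
// Before: the server URL is derived from the client-supplied Host header.
function detectServerFromRequest(array $headers): string {
    return 'http://' . ($headers['Host'] ?? 'localhost');
}

// After: the server URL comes only from configuration; fail closed when unset.
function serverFromConfig(?string $configured): string {
    if ($configured === null || $configured === '') {
        throw new RuntimeException('server URL is not configured');
    }
    return $configured;
}

// Output that embeds an absolute URL, as canonical links and redirects do.
function renderPage(string $server, string $path): string {
    return '<link rel="canonical" href="' . htmlspecialchars($server . $path) . '">';
}

// Shared cache keyed on path only: the first response is replayed to everyone.
function handle(array &$cache, string $path, array $headers, callable $resolve): string {
    if (!isset($cache[$path])) {
        $cache[$path] = renderPage($resolve($headers), $path);
    }
    return $cache[$path];
}

// True when a later visitor is served a page carrying the first request's host.
function laterVisitorSeesForgedHost(callable $resolve): bool {
    $cache = [];
    handle($cache, '/wiki/Main_Page', ['Host' => 'forged.example'], $resolve);
    $served = handle($cache, '/wiki/Main_Page', ['Host' => 'wiki.example.org'], $resolve);
    return strpos($served, 'forged.example') !== false;
}

$fixed = function (array $headers): string {
    return serverFromConfig('https://wiki.example.org');
};

var_dump(laterVisitorSeesForgedHost('detectServerFromRequest')); // autodetected
var_dump(laterVisitorSeesForgedHost($fixed));                    // configured

try {
    serverFromConfig(null); // unset: refuse to guess from the request
} catch (RuntimeException $e) {
    echo 'fatal: ', $e->getMessage(), PHP_EOL;
}
```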