Remove support for getenv('http_proxy') in MediaWiki

PHP (and other programming languages) are vulnerable to an exploit
when making external requests via a proxy when a client provides a
Proxy header. See https://httpoxy.org/ for more information.

MediaWiki now requires $wgHTTPProxy to be set when attempting to
use a proxy for requests and can no longer rely on http_proxy
environment variables. As it exists, this code is inherently unsafe
on case-insensitive platforms (eg: Windows) and hard to be sure of
for other platforms.

All users using a proxy for MediaWiki and *not* setting $wgHTTPProxy
are advised to do so immediately to mitigate this problem. This will
be required as of the next security release.

All extensions maintained in Git/Gerrit appear to be Doing The Right
Thing and not trying to use getenv('http_proxy') directly. This would
be a bad thing to start doing. Call Http::getProxy() if you need to
manually get a proxy from MW for external requests.

Bug: T140658
Change-Id: I122583ad98d867c5855c3e2f955fe47787668589

diff --git a/RELEASE-NOTES-1.28 b/RELEASE-NOTES-1.28
index ff8e038..831ad58 100644 (file)
--- a/RELEASE-NOTES-1.28
+++ b/RELEASE-NOTES-1.28
@@ -6,6 +6,9 @@ MediaWiki 1.28 is an alpha-quality branch and is not recommended for use in
 production.
 
 === Configuration changes in 1.28 ===
+* BREAKING CHANGE: $wgHTTPProxy is now *required* for all external requests
+  made by MediaWiki via a proxy. Relying on the http_proxy environment
+  variable is no longer supported.
 * The load.php entry point now enforces the existing policy of not allowing
   access to session data, which includes the session user and the session
   user's language. If such access is attempted, an exception will be thrown.

diff --git a/includes/HttpFunctions.php b/includes/HttpFunctions.php
index b12f49f..694bbb5 100644 (file)
--- a/includes/HttpFunctions.php
+++ b/includes/HttpFunctions.php
@@ -194,7 +194,7 @@ class Http {
        }
 
        /**
-        * Gets the relevant proxy from $wgHTTPProxy/http_proxy (when set).
+        * Gets the relevant proxy from $wgHTTPProxy
         *
         * @return mixed The proxy address or an empty string if not set.
         */
@@ -205,11 +205,6 @@ class Http {
                        return $wgHTTPProxy;
                }
 
-               $envHttpProxy = getenv( "http_proxy" );
-               if ( $envHttpProxy ) {
-                       return $envHttpProxy;
-               }
-
                return "";
        }
 }
@@ -393,7 +388,7 @@ class MWHttpRequest {
                        return;
                }
 
-               // Otherwise, fallback to $wgHTTPProxy/http_proxy (when set) if this is not a machine
+               // Otherwise, fallback to $wgHTTPProxy if this is not a machine
                // local URL and proxies are not disabled
                if ( Http::isLocalURL( $this->url ) || $this->noProxy ) {
                        $this->proxy = '';