Remove support for getenv('http_proxy') in MediaWiki
PHP (and other programming languages) are vulnerable to an exploit
when making external requests via a proxy when a client provides a
Proxy header. See https://httpoxy.org/ for more information.
MediaWiki now requires $wgHTTPProxy to be set when attempting to
use a proxy for requests and can no longer rely on http_proxy
environment variables. As it exists, this code is inherently unsafe
on case-insensitive platforms (eg: Windows) and hard to be sure of
for other platforms.
All users using a proxy for MediaWiki and *not* setting $wgHTTPProxy
are advised to do so immediately to mitigate this problem. This will
be required as of the next security release.
All extensions maintained in Git/Gerrit appear to be Doing The Right
Thing and not trying to use getenv('http_proxy') directly. This would
be a bad thing to start doing. Call Http::getProxy() if you need to
manually get a proxy from MW for external requests.
Bug: T140658
Change-Id: I122583ad98d867c5855c3e2f955fe47787668589
dépôts / lhc / web / wiklou.git / commit