Last modified: 2014-09-23 23:31:29 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 14611 - Special:Version should show all third party software which it depends on
Special:Version should show all third party software which it depends on
Status: NEW
Product: MediaWiki
Classification: Unclassified
Special pages (Other open bugs)
unspecified
All All
: Low enhancement with 1 vote (vote)
: ---
Assigned To: Nobody - You can work on this!
: patch, patch-reviewed
Depends on: 38730
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-22 16:29 UTC by Danny B.
Modified: 2014-09-23 23:31 UTC (History)
10 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
Patch to add setting to show/hide extended versioning (18.24 KB, patch)
2009-07-16 17:24 UTC, OverlordQ
Details

Description Danny B. 2008-06-22 16:29:19 UTC
Special:Version should show all third party software which it depends on in Software table, typically graphical engine (eg. ImageMagick), diff engine etc...
Comment 1 Siebrand Mazeland 2008-08-13 20:09:25 UTC
It will. Just add more wgExtensionCredits in your LocalSettings.php.

I think this report should be closed INVALID.
Comment 2 Chad H. 2008-08-13 20:17:16 UTC
For extensions, yes. However, the report is asking about 3rd party things that the software uses that should (possibly) be given at the top with the Apache/MySQL/PHP versions (GDv2, etc). I don't think an end-user should have to dig up all this information and put it into their LocalSettings by hand when the software can return all this for them.

Not to mention, they'd be mislabeled as extensions, which they're not.
Comment 3 Daniel Friesen 2008-08-14 17:41:31 UTC
Hmmm, this one sounds interesting.

CCing myself, if someone hasn't claimed this sometime later and I'm still interested I'll look into it.
Comment 4 Daniel Friesen 2008-08-14 19:07:37 UTC
On second look, this seams like this is more trouble than it's worth:

Trying to get the WebServer version:

The output of $_SERVER['SERVER_SOFTWARE'] is highly useless. For me it simply outputs 'nginx', I expect Apache also just outputs 'Apache'.

There's a slight chance of getting a process name using the pid from postix_getpid (Only works on *nix), but if PHP is being run in fcgi then that's just going to get the name of PHP.

Alternatively $_SERVER['SERVER_SOFTWARE'] could be used to understand what software is being run. Then we could code a bunch of different version checks. Though, those would fail if someone installs their WebServer off path.

I looked into Operating System as well for the hell of it. But that's pretty useless to. PHP_OS is highly useless, no version and on any *nix system it outputs 'Linux', which with all the distros is completely useless. posix_uname is also useless, the version is a release time, and the 'release' is a useless sort of version. And again, it outputs 'Linux' as the OS name.

Comment 5 Chad H. 2008-08-14 21:05:58 UTC
Getting the version of GD proves to be much easier it seems (if they're using GD for their image handling).

$info = gd_info();
$ver = $info['GD Version']
Comment 6 Aryeh Gregor (not reading bugmail, please e-mail directly) 2008-08-14 21:17:39 UTC
For most software, other than maybe PHP extensions, to reliably get versions you'd have to either execute shell commands (uname -a, httpd -v, convert -version, etc.) or do unreliable digging through system files.  So it's unlikely you're going to be able to get this to work on a typical shared host anyway.  But the idea is a good one, at least as an option, if only anyone cares enough to actually do it.
Comment 7 Shinjiman 2009-06-26 21:59:49 UTC
The version of image thumbnailing engine can be shown as of r52476. Or maybe more softwares or tools can be added to the field?
Comment 8 Shinjiman 2009-06-27 10:46:46 UTC
The version of diff3/diff can be shown as of r54286. I think the another idea is to put the SVG renderor's version into Special:Version. However the various path and parameters of the SVG renderor are need to handled properly to show the correct information. :)

Maybe the software used on math function can also be added?
Comment 9 Shinjiman 2009-06-28 16:28:55 UTC
The version of SVG image thumbnailing engine can be shown as of r52516. Only ImageMagick, rsvg and Inkscape are supported for showing the version that they are using.

P.S. on comment 8 that mentioned, the revision committed was r52486 instead of r54286. :)
Comment 10 Shinjiman 2009-06-28 18:43:17 UTC
The version information of the Math rendering engine can be shown as of r52525.
Comment 11 OverlordQ 2009-06-29 00:37:15 UTC
Please make this opt-in, some of us would not like to advertise to the world everything installed and running on our servers.

A config variable like $wgAdvertiseExploitVectors would be apropos
Comment 12 Michael Daly 2009-06-29 04:11:58 UTC
If it's going to be opt-in, try to arrange it so that admins can see everything at a glance while regular users can only see the more restrictive setting the admin has imposed.  That way it isn't exposed to the general public but allows the admin(s) to see what the configuration is.  When it comes to installing extensions and such, checking the Version page is one of the debugging steps.
Comment 13 Chad H. 2009-06-29 17:24:03 UTC
We don't need to integrate this with user rights, it's needless.

I'd suggest something similar to $wgSpecialVersionShowHooks where all this stuff is turned off by default, but can easily be enabled by any wiki admin who wants to (for debugging, etc). $wgAdvertiseExploitVectors is a crap name, though, something like $wgSpecialVersionShowExtendedSoftware would work fine.
Comment 14 Shinjiman 2009-06-29 17:28:51 UTC
(In reply to comment #12)
> If it's going to be opt-in, try to arrange it so that admins can see everything
> at a glance while regular users can only see the more restrictive setting the
> admin has imposed.  That way it isn't exposed to the general public but allows
> the admin(s) to see what the configuration is.  When it comes to installing
> extensions and such, checking the Version page is one of the debugging steps.

By assigning a new right for the group can be a good idea for that?
For this, it maybe assigned to sysops by default, and the rights can be extended to other groups by editing the local settings file.
Comment 15 Chad H. 2009-06-29 17:38:54 UTC
(In reply to comment #14)
> (In reply to comment #12)
> > If it's going to be opt-in, try to arrange it so that admins can see everything
> > at a glance while regular users can only see the more restrictive setting the
> > admin has imposed.  That way it isn't exposed to the general public but allows
> > the admin(s) to see what the configuration is.  When it comes to installing
> > extensions and such, checking the Version page is one of the debugging steps.
> 
> By assigning a new right for the group can be a good idea for that?
> For this, it maybe assigned to sysops by default, and the rights can be
> extended to other groups by editing the local settings file.
> 

I reiterate comment #13: we don't need a right for this. Do it with a single config var, off/on, just like hooks.
Comment 16 Michael Daly 2009-06-29 18:42:25 UTC
The idea that a configuration change is needed for the admin to see the full Version page and that everyone can see the full version page while it is temporarily enabled is not my idea of a good thing.  As I said - default for admins and enable/disable for others makes more sense.  If admins can do something that others can't, that should be handled by rights assignments to be consistent with the rest of the system.  Don't create multiple different means of permitting access to information.
Comment 17 Chad H. 2009-06-29 18:52:13 UTC
No one ever said that this should be +sysop only except for you.

How is something like this any different from $wgSpecialVersionShowHooks?
Comment 18 Aryeh Gregor (not reading bugmail, please e-mail directly) 2009-06-29 19:08:58 UTC
+sysop by default possibly makes more sense.  I'm not sure.  What are the use-cases for this?

1) An easy way for sysadmins to check the versions of all relevant software, in case they happen to want to know.  This seems marginal.

2) For someone confused about why their installation is working differently from Wikipedia, it might give them the idea to check the package versions.  This seems vaguely plausible, if it's enabled on Wikipedia for everyone.

3) For someone requesting support, an easy way for people helping them to get all the relevant version info and so spot any oddities.

For (1) and (2), it would certainly be more useful for it to be enabled for sysops by default.  For (3), it still seems easier: you could tell them to paste the info for you instead of having to edit LocalSettings.php, assuming the one asking for help is a sysop.  (The best for (3) would be to have it enabled for all viewers by default, but that's probably undesirable.)

I think making a new permission 'versiondetail' or something would be a good idea, set to sysops only by default and everyone on Wikipedia.  Maybe even better, extend it to encompass and supersede things like $wgShowExceptionDetails.  (It would need a better name then, though.)  It would be helpful for the average sysop on a MediaWiki wiki (most probably only have one or two) to be able to view this additional detail by default, but we can't make it world-viewable by default.  vBulletin does something like this with database error messages: it prints the failed query for admins only, others get a generic message.

So I'd be in favor of a new permission.  It makes more sense to me.
Comment 19 Aryeh Gregor (not reading bugmail, please e-mail directly) 2009-06-29 19:09:46 UTC
(It could include $wgSpecialVersionShowHooks too, of course, unless that's really verbose and debug-gy.)
Comment 20 Michael Daly 2009-06-29 19:28:20 UTC
Another use case - to see whether the wiki recognizes the 'require_once("...extensionName.php");' placed in LocalSettings.php worked at all.  If you have been answering help requests on msusers.com for a long time, you'd recognize how often this is a useful thing.  It's the fastest way to get the answer to the question "Are you sure the extension is installed?"  As such, this use case is only required for admins.

BTW - as far as differences with $wgSpecialVersionShowHooks:  If other features are not handled by rights, that should not influence whether new features should be handled by rights.  A global on/off and limited restrictions on actions are not the same thing.  Whether $wgSpecialVersionShowHooks should have been restricted to sysops or not is another question.  In general, if previous implementations of features have been handled incorrectly, that should be fixed, not used an as example of how to do things in the future.
Comment 21 Chad H. 2009-06-29 19:38:39 UTC
(In reply to comment #20)
> Another use case - to see whether the wiki recognizes the
> 'require_once("...extensionName.php");' placed in LocalSettings.php worked at
> all.  If you have been answering help requests on msusers.com for a long time,
> you'd recognize how often this is a useful thing.  It's the fastest way to get
> the answer to the question "Are you sure the extension is installed?"  As such,
> this use case is only required for admins.
> 

Whether or not an extension is installed is unrelated to the server information now being displayed. Absolutely _none_ of this bug relates to the installed extensions portion of Special:Version.

> BTW - as far as differences with $wgSpecialVersionShowHooks:  If other features
> are not handled by rights, that should not influence whether new features
> should be handled by rights.  A global on/off and limited restrictions on
> actions are not the same thing.  Whether $wgSpecialVersionShowHooks should have
> been restricted to sysops or not is another question.  In general, if previous
> implementations of features have been handled incorrectly, that should be
> fixed, not used an as example of how to do things in the future.
> 

I suppose I just disagree that this should be handled by rights: I prefer the implementation with $wgSpecialVersionShowHooks.
Comment 22 Daniel Friesen 2009-06-29 19:41:20 UTC
Frankly I don't see why "Oh no, the public knows I'm using ImageMagick to render my images" is such a big deal that it would be necessary to inject userrights checks into Special:Version, which AFAIK we have never done.

If you don't want people to see version information don't enable the feature, end of story. There are other ways to check what version of software you are running than asking MediaWiki to tell you what you installed and configured. Before this bug came around MW wouldn't even output that information, so I don't see why you need to enable it if you don't want other people to see it.

Special:Version isn't a sysadmin tool, it's a page for the general public to see what is running.
Comment 23 Aryeh Gregor (not reading bugmail, please e-mail directly) 2009-06-29 19:50:24 UTC
(In reply to comment #22)
> Frankly I don't see why "Oh no, the public knows I'm using ImageMagick to
> render my images" is such a big deal that it would be necessary to inject
> userrights checks into Special:Version, which AFAIK we have never done.

We're reporting the exact versions of a lot of software with this feature.  If it's outdated, this could be used by attackers.  A lot of people would not expect us to do it and would not want it; so we shouldn't do it by default.

(As for what we haven't done before with Special:Version, just ask Domas!  He used to use it for timing MediaWiki startup, but realized it eventually ended up running too much extra garbage and he had to invent [[Special:BlankPage]].  :) )

> If you don't want people to see version information don't enable the feature,
> end of story. There are other ways to check what version of software you are
> running than asking MediaWiki to tell you what you installed and configured.
> Before this bug came around MW wouldn't even output that information, so I
> don't see why you need to enable it if you don't want other people to see it.

IMO it would be potentially useful to be able to have this on by default, at least for sysops.  Those who wanted to display it to everyone could do so easily in any event.  It's not like group permissions checks are difficult or expensive to do.

> Special:Version isn't a sysadmin tool, it's a page for the general public to
> see what is running.

I disagree.  It's mainly useful for debugging of various kinds, by users at all levels.  A lot of people come into #mediawiki asking questions and don't know what version they're running, so we point them to Special:Version.  More info there could be helpful (although I've never heard of someone with a problematic version of diff . . .).
Comment 24 Shinjiman 2009-07-06 12:09:26 UTC
(In reply to comment #4)
> On second look, this seams like this is more trouble than it's worth:
> Trying to get the WebServer version:
> The output of $_SERVER['SERVER_SOFTWARE'] is highly useless. For me it simply
> outputs 'nginx', I expect Apache also just outputs 'Apache'.
> There's a slight chance of getting a process name using the pid from
> postix_getpid (Only works on *nix), but if PHP is being run in fcgi then that's
> just going to get the name of PHP.
> Alternatively $_SERVER['SERVER_SOFTWARE'] could be used to understand what
> software is being run. Then we could code a bunch of different version checks.
> Though, those would fail if someone installs their WebServer off path.
> I looked into Operating System as well for the hell of it. But that's pretty
> useless to. PHP_OS is highly useless, no version and on any *nix system it
> outputs 'Linux', which with all the distros is completely useless. posix_uname
> is also useless, the version is a release time, and the 'release' is a useless
> sort of version. And again, it outputs 'Linux' as the OS name.

On r52792 was added the feature to showing the version of the web server, if applicable.
Comment 25 Chad H. 2009-07-06 13:12:12 UTC
For what it's worth, it would be kinda cool and useful to centralize these things into a class somewhere. Maybe a version class with static methods.

Version::php(), Version::webserver(), etc etc. Then they've got a cleaner imeplemtation from the SpecialPage side of it, and they're more useful to things like the API.
Comment 26 OverlordQ 2009-07-16 17:24:35 UTC
Created attachment 6346 [details]
Patch to add setting to show/hide extended versioning

This patch does two things.

1) Adds an url when nginx is detected as the server to nginx homepage
2) Creates another setting (which will likely disqualify this patch) which allows you to enable the extended version information.  It defaults to off which only shows PHP,MediaWiki,Database as the page originally did.
Comment 27 Shinjiman 2009-07-17 14:52:13 UTC
Applied on r53398.

Additionally, the rights 'versiondetail' has been added for sysop by default on the commit too, as on comment 18. If maintainers do not want to show the information for the sysops, use "$wgGroupPermissions['sysop']['versiondetail'] = false;" to suppress them.
Comment 28 Gurch 2009-07-17 21:47:19 UTC
Yay, another thing the rest of us aren't worthy to see. :(
Comment 29 p858snake 2011-04-30 00:09:15 UTC
*Bulk BZ Change: +Patch to open bugs with patches attached that are missing the keyword*
Comment 30 Sumana Harihareswara 2011-11-10 02:57:00 UTC
Added "reviewed" keyword since patch was reviewed, and in fact applied, per comment 27.
Comment 31 Olivier Finlay Beaton 2011-11-10 03:57:10 UTC
Wanted to mention I have a statistics engine that aggregates Version information similar with what s23.org does.  I pull the webserver out of the headers, and mediawiki/php/database out of :version -- I would love to have more of these on by default.  People who are so concerned about attack vectors should really disable a) the version page completely b) the api.
Comment 32 Chad H. 2011-11-10 04:09:28 UTC
As long as we don't go the route we went before that ended up with the big revert in r54735. That was a little nuts.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links