Last modified: 2011-05-15 10:05:31 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T23086, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 21086 - security issue: generateSitemap.php does use wfWikiID in sitemap filenames
security issue: generateSitemap.php does use wfWikiID in sitemap filenames
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Maintenance scripts (Other open bugs)
1.16.x
All All
: Normal enhancement (vote)
: ---
Assigned To: Chad H.
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-10-10 16:42 UTC by Sorin Sbarnea
Modified: 2011-05-15 10:05 UTC (History)
3 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Sorin Sbarnea 2009-10-10 16:42:27 UTC
generateSitemap.php does use wfWikiID() in order to generate in sitemaps filenames. 

This contains the name of the database and this is a security issue because it does make thename of the database (the name of the database could give some information about the server configuration).

My oppinion is that this should be removed or if somebody consider that it may be requred it can be crypted like: crypt(wfWikiID()).
Comment 1 Sorin Sbarnea 2009-10-10 16:56:16 UTC
Correction: crypt will not work because the output is not valid for filenames but md5() will do.
Comment 2 Brion Vibber 2009-10-14 18:50:34 UTC
wfWikiId() is used *everywhere* and should be perfectly safe in and of itself; changing this usage of it to something else would be useless.

If there's any needs to hide the raw DB name this needs to be done by changing what wfWikiId() returns.
Comment 3 Chad H. 2009-11-29 16:15:26 UTC
Added $wgWikiId in r59548 to override wfWikiId()'s output if you don't want it to be $wgDBname.

Marking this FIXED, as the original problem can be resolved now.
Comment 4 Tim Starling 2010-01-12 05:22:22 UTC
Reverted in r60960, commit message copied below:

wfWikiID() is used as a way to identify and connect to a given database in LoadBalancer and various extensions, that's why it must contain the database name and table prefix. Perhaps its use as a public identifier should be optional, but in that case the public identifier needs to be customised, not the return value of wfWikiID().
Comment 5 Platonides 2010-01-12 19:52:46 UTC
This should be linked with similar bug 20594 
Comment 6 Chad H. 2011-05-13 17:55:04 UTC
Made it possible to override wfWikiId() in r88015.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links