Topic on Extension talk:VisualEditor/Flow

Security issue for private wikis

Tosfos (talkcontribs)

The current instructions suggest a workaround for forwarding cookies:

// Grants anonymous read and edit to any request that arrives from localhost
// (which is where Parsoid's API calls to the wiki come from).
if ( !isset( $_SERVER['REMOTE_ADDR'] ) OR $_SERVER['REMOTE_ADDR'] == '127.0.0.1' ) {
	$wgGroupPermissions['*']['read'] = true;
	$wgGroupPermissions['*']['edit'] = true;
}

It seems like this solution is worse than the problem it is solving, as this will allow private wikis to be readable over the Parsoid port. When the browser visits that port, it will query the MediaWiki API with $_SERVER['REMOTE_ADDR'] set to 127.0.0.1. Of course, the Parsoid port could be closed to outside traffic. But it still seems like a bad idea and definitely should be noted in the instructions. Any thoughts?

Jdforrester (WMF) (talkcontribs)
Tosfos (talkcontribs)

Thanks so much! Definitely much better now. Just regarding this line:

All current options have significant, serious security implications.

Does forwarding cookies over HTTPS solve all security issues? If so, maybe that line should push users to that solution as the one safe option.

Jdforrester (WMF) (talkcontribs)

I'm not sure; it's certainly the least-bad option. Sorry I can't be more specific.

Tosfos (talkcontribs)

Thanks for your help with this. For now I added a note for users to use HTTPS.
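As an added illustration, not code from this thread or from the extension's documentation, here are the two LocalSettings.php configurations side by side: the REMOTE_ADDR workaround quoted in the first post, and the cookie-forwarding option from the later exchange, with a startup guard that refuses to forward session cookies unless $wgServer is HTTPS. The hostname, the Parsoid port and the $wgVirtualRestConfig keys are assumptions; check them against the documentation for your MediaWiki and VisualEditor versions.

```php
<?php
// Added example for a private wiki; not from the thread or the extension docs.

// (a) The workaround quoted in the thread. Every request whose REMOTE_ADDR is
//     127.0.0.1 gets anonymous read/edit. Parsoid runs on the same host and calls
//     the MediaWiki API on the browser's behalf, so anything that can reach the
//     Parsoid port inherits that grant for whichever page it asks Parsoid to render.
if ( !isset( $_SERVER['REMOTE_ADDR'] ) || $_SERVER['REMOTE_ADDR'] == '127.0.0.1' ) {
	$wgGroupPermissions['*']['read'] = true;
	$wgGroupPermissions['*']['edit'] = true;
}

// (b) The "least-bad" option discussed in the thread: keep the wiki private for
//     anonymous callers and let Parsoid act as the requesting user by forwarding
//     that user's session cookie to the API, over HTTPS only.
$wgServer = 'https://wiki.example.org';        // constructed hostname (assumption)
$wgGroupPermissions['*']['read'] = false;      // anonymous read stays off
$wgGroupPermissions['*']['edit'] = false;
$wgVirtualRestConfig['modules']['parsoid'] = [
	'url'            => 'http://localhost:8000', // loopback hop to Parsoid; port assumed
	'domain'         => 'wiki.example.org',      // must match the wiki's host (assumption)
	'forwardCookies' => true,                    // Parsoid reuses the user's session
];

// Defender's check: Parsoid calls back to $wgServer with the forwarded cookie, so if
// $wgServer is plain HTTP the session cookie would be relayed in clear text. Refuse
// to start rather than run with that combination.
if ( !empty( $wgVirtualRestConfig['modules']['parsoid']['forwardCookies'] )
	&& strpos( $wgServer, 'https://' ) !== 0
) {
	throw new RuntimeException(
		'forwardCookies is enabled but $wgServer is not HTTPS; refusing to forward session cookies in clear text'
	);
}
```

Keep only one of the two fragments in a real LocalSettings.php; (a) is shown so the weak and corrected settings can be compared directly.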