Page MenuHomePhabricator
Create Task
Maniphest T297651

Deprecate $wgWhitelistRead and $wgWhitelistReadRegexp (and related code)
Closed, DeclinedPublicSecurity
Actions

Description

The global variables (and functionality behind) $wgWhitelistRead and $wgWhitelistReadRegexp should be deprecated due to:

  1. Their ability to introduce certain security issues under various MediaWiki configurations (e,g, the currently-protected T297416)
  2. These variables aren't as relevant as they once were due to certain auth-related pages now simply allowing reads by default and the ability to edit MediaWiki:Loginreqpagetext and any related messages.

The technical changes should be fairly simple (DefaultSettings and PermissionsManager mainly) and then obviously updating release notes and perhaps proactively reaching out to the maintainers of the handful of extensions which make use of either of these global variables.

Details

Risk Rating
Informational
Author Affiliation
WMF Technology Dept

Related Objects

Event Timeline

sbassett created this task.Dec 13 2021, 10:26 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 13 2021, 10:26 PM
sbassett mentioned this in T297416: Restrict access to most actions on $wgWhitelistRead pages on private wikis.Dec 13 2021, 10:26 PM
Zabe subscribed.Dec 13 2021, 10:26 PM
sbassett set Security to Software security bug.Dec 13 2021, 10:31 PM
sbassett added a project: Security-Team.
sbassett changed the visibility from "Public (No Login Required)" to "Custom Policy".
sbassett changed the subtype of this task from "Task" to "Security Issue".

Actually... let's protect this until the upcoming security release.

Jdforrester-WMF awarded a token.Dec 13 2021, 10:37 PM
Jdforrester-WMF subscribed.
Aklapper added a comment.Dec 14 2021, 8:12 AM

See also related discussion in T297416#7568198 mentioning a different approach than deprecating.

sbassett closed this task as Declined.Dec 15 2021, 8:14 PM
sbassett removed a project: Security-Team.

Declined in favor of the other approach @Aklapper mentions at T297416#7568198.

sbassett triaged this task as Lowest priority.Dec 15 2021, 8:14 PM
sbassett changed Author Affiliation from N/A to WMF Technology Dept.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed Risk Rating from N/A to Informational.
sbassett added a project: SecTeam-Processed.
Jdforrester-WMF added a comment.Dec 15 2021, 8:17 PM

We're going to be renaming this variables anyway given their language, but if people really want to keep this around as a variable, fine.

sbassett added a comment.Dec 15 2021, 8:21 PM
In T297651#7573605, @Jdforrester-WMF wrote:

We're going to be renaming this variables anyway given their language, but if people really want to keep this around as a variable, fine.

I'd guess we could re-open this task (or create a similar task) down the road. Personally, I don't love the idea of these globals sticking around indefinitely.

Jdforrester-WMF added a comment.Dec 15 2021, 8:22 PM
In T297651#7573618, @sbassett wrote:
In T297651#7573605, @Jdforrester-WMF wrote:

We're going to be renaming this variables anyway given their language, but if people really want to keep this around as a variable, fine.

I'd guess we could re-open this task (or create a similar task) down the road. Personally, I don't love the idea of these globals sticking around indefinitely.

I've never run a world-facing private wiki, so I'd be interested to hear from actual users about how much these variables are critical to their world. Probably "lots". :-(

Ladsgroup added a comment.Dec 15 2021, 8:28 PM

I honestly see this as a defense in depth principle. It's possible that future actions miss to add the given check, or current check mistakenly gets removed.

Legoktm added a comment.Dec 16 2021, 7:02 PM
In T297651#7573653, @Ladsgroup wrote:

It's possible that future actions miss to add the given check, or current check mistakenly gets removed.

The new check fails closed, so if someone misses it they're protected. I would hope someone trying to remove a check for read permissions is properly scrutinized as security sensitive. As noted in the other ticket, this check exists in the Action API and now REST API subsystems without much issue.

I think there is value in having a public "home page" for private wikis versus a private one, and it's nice if we didn't have to resort to message overrides for it because that will cause complications in the future if we want to rename the message or add more parameters, etc. If we were implementing this feature today I think something like $wgPublicMainPage = 'Foobar'; would be simpler (and then you could do neat tweaks like switching where the logo points if you're logged in or out).

Bugreporter subscribed.Dec 17 2021, 1:19 AM

This may also be a new message like MediaWiki:Publicmainpage (and the current MediaWiki:Loginreqpagetext be removed, see T17484: Redirect to Special:UserLogin when logging is in required to proceed, instead of showing an error message).

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits