r49833 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r49832‎ \| r49833 \| r49834 >
Date:	19:50, 24 April 2009
Author:	catrope
Status:	reverted (Comments)
Tags:
Comment:	API: (bug 13049) This'll hopefully fix the 403 Forbidden error in api.php for the setups that were getting them (most notably FastCGI and IIS). Patch by Chris Wrinn
Modified paths:	/trunk/phase3/CREDITS (modified) (history) /trunk/phase3/RELEASE-NOTES (modified) (history) /trunk/phase3/api.php (modified) (history)

Diff [purge]

Index: trunk/phase3/CREDITS
—	—	@@ -61,6 +61,7 @@
62	62	* Brent G
63	63	* Brianna Laugher
64	64	* Carlin
	65	+* Chris Wrinn
65	66	* church of emacs
66	67	* Daniel Arnold
67	68	* Danny B.
Index: trunk/phase3/api.php
—	—	@@ -51,10 +51,10 @@
52	52	//
53	53	// Ensure that all access is through the canonical entry point...
54	54	//
55		~~-if( isset( $_SERVER['SCRIPT_URL'] ) ) {~~
56		~~- $url = $_SERVER['SCRIPT_URL'];~~
	55	+if( isset( $_SERVER['SCRIPT_NAME'] ) ) {
	56	+ $url = $_SERVER['SCRIPT_NAME'];
57	57	} else {
58		~~- $url = $_SERVER['PHP_SELF'];~~
	58	+ $url = $_SERVER['URL'];
59	59	}
60	60	if( strcmp( "$wgScriptPath/api$wgScriptExtension", $url ) ) {
61	61	wfHttpError( 403, 'Forbidden',
Index: trunk/phase3/RELEASE-NOTES
—	—	@@ -425,6 +425,7 @@
426	426	* (bug 18546) Added timestamp of new revision to action=edit output
427	427	* (bug 18554) Also list hidden revisions in list=usercontribs for privileged
428	428	users
	429	+* (bug 13049) "API must be accessed from the primary script entry point" error
429	430
430	431	=== Languages updated in 1.15 ===
431	432

Follow-up revisions

Revision	Commit summary	Author	Date
r53195	Add the 403 fix from r49833 to RawPage as well.	btongminh	21:39, 13 July 2009
r55178	* Fixed XSS vulnerability introduced by r49833. Only pre-release versions of ...	tstarling	13:23, 17 August 2009

Comments

#Comment by Brion VIBBER (talk | contribs) 22:49, 27 April 2009

This looks like it'll fail wildly if SCRIPT_NAME is set to the PHP interpreter, as it's apparently supposed to for CGI mode. It also appears to introduce a new server variable called 'URL' which I'm not sure exists consistently.

How widely have you tested this?

#Comment by Catrope (talk | contribs) 10:20, 28 April 2009

For the record, this has been tested to work on IIS/CGI (patch author's setup), Apache/CGI on Windows and Apache/module on Linux (my setups). We didn't test any setups involving FastCGI (which is the setup the bug was reported on by Bryan in the first place), but that should probably be done.

#Comment by Bryan (talk | contribs) 22:09, 12 July 2009

Just tested it as working. See bugzilla comments.

#Comment by Simetrical (talk | contribs) 00:54, 14 July 2009

Just because it works for you doesn't mean it works for everyone. There are a lot of possible setups out there. It seems like a much better idea to use the same settings as were always used, by default, and only fall back to these other ones if those are detected as being incorrect or absent.

#Comment by Bryan (talk | contribs) 18:18, 14 July 2009

Could do something like this:

if( isset( $_SERVER['SCRIPT_URL'] ) ) {
	$url1 = $_SERVER['SCRIPT_URL'];
} else {
	$url1 = $_SERVER['PHP_SELF'];
}
if( isset( $_SERVER['SCRIPT_NAME'] ) ) {
	$url2 = $_SERVER['SCRIPT_NAME'];
} else {
	$url2 = $_SERVER['URL'];
}
$urlCmp = "$wgScriptPath/api$wgScriptExtension";

if( strcmp( $urlCmp, $url1 ) != 0 || strcmp( $urlCmp, $url2 ) != 0 ) {
	wfHttpError( 403, 'Forbidden',
		'API must be accessed through the primary script entry point.' );
	return;
}

#Comment by Catrope (talk | contribs) 18:25, 14 July 2009

Is there a reason to use strcmp instead of != ?

#Comment by Weberho (talk | contribs) 11:38, 12 May 2009

With mod-rewrite I'm getting the forbidden error. I'm rewriting with apache from https://server/wiki/ to http://server/mediawiki/. I have set $wgScriptPath to "/wiki". in the problematic code the variable "$url" is set to "/wiki/api.php" and the string comparison fails. As I do not really understand what the comparison is for, I temporarily hardcoded /mediawiki/ instead of $wgScriptPath/ there and it works. It could be a solution to replace the $wgScriptPath variable with the php-script's path

#Comment by Catrope (talk | contribs) 11:57, 12 May 2009

If the 'real' path to your PHP files is /mediawiki , that's what your $wgScriptPath should be. And if your $wgScriptPath is misconfigured, it's not very surprising that this check fails.

#Comment by Weberho (talk | contribs) 12:20, 12 May 2009

It's configured as described at http://www.mediawiki.org/wiki/Manual:Short_URL/Apache_Rewrite_rules . Everything is working properly for some years now except access to the api.php

#Comment by Catrope (talk | contribs) 13:06, 12 May 2009

Then that guide is wrong. $wgScriptPath should be the *real* path to index.php , not the fake path that only works because Apache rewrites it.

#Comment by Weberho (talk | contribs) 13:44, 12 May 2009

Setting the variable to the real path makes the complete wiki unuseable because it's value is a used as a prefix to the path - the real one is not accessible via http.

#Comment by Platonides (talk | contribs) 21:09, 20 June 2009

Wrong. $wgScriptPath is the URL path. For the filename path use $IP

#Comment by Weberho (talk | contribs) 05:31, 5 August 2009

I have found a solution for that issue as well as a solution for the same issue I had on includes/RawPage.php:

For sites, which are using Apache's "rewrite", it is neccessary to turn set "RewriteEngine On" for the complete VirtualHost; otherwise (when turned on only per directory) $_SERVER['SCRIPT_URL'] will be empty and $_SERVER['PHP_SELF'] will be used to determine $url.

Manual:Short_URL/Apache_Rewrite_rules is correct, $wgScriptPath must be set to the public visible url.

#Comment by Tim Starling (talk | contribs) 12:31, 16 August 2009

$_SERVER['URL'] clearly does not exist consistently, since it is IIS-specific. It is defined in the IIS documentation (http://msdn.microsoft.com/en-us/library/ms524602.aspx) but not in the CGI specification (http://hoohoo.ncsa.illinois.edu/cgi/env.html). SCRIPT_NAME supposedly exists in IIS as well, so I wonder if the else case was reached in any of the test setups.

#Comment by Tim Starling (talk | contribs) 13:26, 16 August 2009

According to comments in PHP's sapi/cgi/cgi_main.c, Apache does indeed screw up SCRIPT_NAME, but PHP has had code to correct for that since the dark ages (PHP 4.3.0), to restore the well-known and documented behaviour, which is that SCRIPT_NAME is the URL of the script and can be used for self-referring URLs. If the fixup code is activated, the original script name is put in ORIG_SCRIPT_NAME.

However, if the php.ini setting cgi.fix_pathinfo is off, then the PHP 4.2 behaviour is recovered and SCRIPT_NAME will be broken and unusable. But we can emulate the disabled behaviour, which is simply to use the apache-specific variable REDIRECT_URL instead, if it is available.

#Comment by Tim Starling (talk | contribs) 14:12, 16 August 2009

Note that this revision does appear to disable the security check entirely. SCRIPT_NAME does not include PATH_INFO. I propose we just remove the whole thing. It's only useful for IE 3 and earlier, IE 4 will respect the Content-Type header as long as it's not in the well-known danger list.

Status & tagging log

17:05, 4 January 2012 Johnduhart (talk | contribs) changed the tags for r49833 [removed: api]
13:35, 17 August 2009 Tim Starling (talk | contribs) changed the status of r49833 [removed: fixme added: reverted]
00:54, 14 July 2009 Simetrical (talk | contribs) changed the status of r49833 [removed: ok added: fixme]
22:09, 12 July 2009 Bryan (talk | contribs) changed the status of r49833 [removed: fixme added: ok]
22:49, 27 April 2009 Brion VIBBER (talk | contribs) changed the status of r49833 [removed: new added: fixme]
19:52, 24 April 2009 Catrope (talk | contribs) changed the tags for r49833 [added: api]