
generated LocalSettings.php should not be world-readable
Closed, Resolved (Public)

Description

Author: debian

Description:
Forwarded from Debian (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550940):

After running the web-based initial configuration of mediawiki
(/var/lib/mediawiki/config/index.php), it created a LocalSettings.php
and instructed me to place it in /etc/mediawiki:

~$ ls -l /etc/mediawiki/LocalSettings.php
-rw-rw-rw- 1 www-data www-data 4536 14 okt 10.54 /etc/mediawiki/LocalSettings.php

This file contains MySQL passwords and should therefore not be world-readable.

I notice that README.Debian suggests changing this, but the file
should not be created world-readable in the first place.


Version: 1.16.x
Severity: normal
OS: Linux
Platform: PC

Details

Reference
bz24133

Event Timeline

bzimport raised the priority of this task from to Medium. (Nov 21 2014, 11:04 PM)
bzimport set Reference to bz24133.
bzimport added a subscriber: Unknown Object (MLST).

Fixed in r69322. We don't write LocalSettings.php to the webserver at all in the new installer.
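
The point raised in the report, that a file holding database passwords should be created with restrictive permissions rather than tightened afterwards, is shown in the shell sketch below. It is an added example, not code from MediaWiki, the Debian package or r69322; the function names, the temporary directory and the sample file content are hypothetical, and it assumes the file is written by the account that needs to read it.

```shell
#!/bin/sh
# Added example; not MediaWiki or Debian code. All names here are hypothetical.

# Write stdin to "$1" so the file is owner-only (0600) from the moment it exists.
# umask is set inside a subshell, so the caller's umask is unchanged, and the
# rename replaces any existing, more permissive file in one step.
write_secret_file() {
    (
        umask 077
        tmp="$1.tmp.$$"
        cat > "$tmp" && mv -f "$tmp" "$1"
    )
}

# Return 0 if "$1" grants read, write or execute to "other" users, 1 otherwise.
is_world_accessible() {
    [ -n "$(find "$1" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]
}

# Demo on a constructed file in a temporary directory.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/LocalSettings.php"

# Reproduce the mode shown in the report (-rw-rw-rw-).
: > "$demo_file"
chmod 666 "$demo_file"
if is_world_accessible "$demo_file"; then
    echo "before: $demo_file is accessible to other users"
fi

# Rewrite it with owner-only permissions; the content is constructed sample data.
printf '%s\n' '<?php $wgDBpassword = "constructed-sample";' | write_secret_file "$demo_file"
if ! is_world_accessible "$demo_file"; then
    echo "after: $demo_file is owner-only"
fi

rm -rf "$demo_dir"
```
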