
https-links should not be outputted to irc.wikimedia.org (Regression)
Closed, ResolvedPublic

Description

Today I noticed an https-link showing up in the raw recentchanges feed at irc.wikimedia.org, it was this link:

https://commons.wikimedia.org/w/index.php?diff=56725539&oldid=53104016&rcid=57922460


Version: unspecified
Severity: major

Details

Reference
bz29925

Event Timeline

bzimport raised the priority of this task from to High. Nov 21 2014, 11:32 PM
bzimport set Reference to bz29925.
bzimport added a subscriber: Unknown Object (MLST).

Why shouldn't the links be outputted as https?

(In reply to comment #1)

Why shouldn't the links be outputted as https?

Because it breaks their patrolling bots. Which is stupid, but whatever.

There is precedent for this, though: there is code in place to output normal http URLs to IRC instead of https://secure.wikimedia.org URLs. The relevant hack in MediaWiki is Title::getInternalUrl(), $wgInternalServer and the GetInternalUrl hook, all of which date back to 2005 AFAIK. The WMF configuration for this is in wmf-config/secure.php .

I've fixed this in CommonSettings.php as follows:

} elseif ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https' ) {
	// New HTTPS service on regular URLs
+	$wgInternalServer = $wgServer; // Keep this as HTTP for IRC notifications (bug 29925)
	$wgServer = preg_replace( '/^http:/', 'https:', $wgServer );
} else {
	# For non-SSL hosts...
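Review bot: the added `$wgInternalServer = $wgServer;` only keeps IRC links on http because it runs before the `preg_replace( '/^http:/', 'https:', $wgServer )` line rewrites `$wgServer`; nothing in the block states that ordering requirement, so a later reshuffle would silently turn IRC links https again. Consider spelling it out in the comment ("must stay above the https rewrite") or copying from the original configured value rather than from `$wgServer`, and note that this branch is only reached when the proxy set `HTTP_X_FORWARDED_PROTO`, so the non-SSL `else` branch must still leave `$wgInternalServer` in a state that resolves to the http server.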

(In reply to comment #2)

(In reply to comment #1)

Why shouldn't the links be outputted as https?

Because it breaks their patrolling bots. Which is stupid, but whatever.

It doesn't break most bots, it breaks the workflow of the users. Their cookie that keeps them logged in to a wiki doesn't apply when they suddenly get a link to a different protocol in the middle of the rest. The links on IRC should all have the same protocol (perhaps wgCanonicalServer?)

Logged in users should be using https... Isn't it more likely that when this is fully rolled out that it's more likely passing out http links will break people's workflow?

(In reply to comment #4)

Logged in users should be using https... Isn't it more likely that when this is fully rolled out that it's more likely passing out http links will break people's workflow?

Maybe, maybe not. But it's obvious that there should be a default configured somewhere, and that hyperlinks pushed to an environment independent from the user making the action should all have the same protocol and not the protocol of the user making the change (just like enotifs). Whether the default for udp-recentchanges is http or https will (or should) likely match the default for logged-in users in general.

So long as nobody is getting https by default, it makes sense that non-user specific links are also http.

Right now practically none of the mass readers/editors uses https or https://secure.wm.o

That's because secure is an unreliable POS.

(In reply to comment #3)

The links on IRC should all have the same protocol (perhaps wgCanonicalServer?)

They use $wgCanonicalServer now, yes.
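As an added illustration that is not code from this task, from MediaWiki core or from wmf-config: a small PHP model of the three server settings discussed in this thread ($wgServer, $wgInternalServer, $wgCanonicalServer), showing why a link built from the request-dependent $wgServer leaks the editor's protocol into the shared IRC feed while one built from a fixed canonical value does not. The buildServerConfig(), userLink() and ircLink() functions and the $forwardedProto parameter are assumptions made for the demo, standing in for the real config and for $_SERVER['HTTP_X_FORWARDED_PROTO'].

```php
<?php
// Constructed model of the CommonSettings.php branch quoted earlier in this task.
// Not the real wmf-config: the function and parameter names are assumptions.

/**
 * Derive the per-request $wgServer from the proxy's X-Forwarded-Proto header
 * (as the quoted config does), keep $wgInternalServer on the pre-rewrite value,
 * and hold $wgCanonicalServer fixed regardless of the request.
 * $forwardedProto stands in for $_SERVER['HTTP_X_FORWARDED_PROTO'].
 */
function buildServerConfig( string $configuredServer, ?string $forwardedProto ): array {
	$wgServer = $configuredServer;
	$wgCanonicalServer = $configuredServer; // one fixed value for non-user-specific links
	$wgInternalServer = $wgServer;          // assumption: resolves to the http server by default
	if ( $forwardedProto === 'https' ) {
		$wgInternalServer = $wgServer; // copied while still http; ordering matters
		$wgServer = preg_replace( '/^http:/', 'https:', $wgServer );
	}
	return [ 'server' => $wgServer, 'internal' => $wgInternalServer, 'canonical' => $wgCanonicalServer ];
}

/** Link shown to the editor: may follow the request protocol (fine for the browser UI). */
function userLink( array $cfg, string $query ): string {
	return $cfg['server'] . '/w/index.php?' . $query;
}

/** Link pushed to irc.wikimedia.org: must not depend on who triggered the change. */
function ircLink( array $cfg, string $query ): string {
	return $cfg['canonical'] . '/w/index.php?' . $query;
}

/** The buggy variant behind this report: the feed reused the request-derived server. */
function ircLinkRegressed( array $cfg, string $query ): string {
	return $cfg['server'] . '/w/index.php?' . $query;
}

$query = 'diff=56725539&oldid=53104016&rcid=57922460'; // values quoted in the report
foreach ( [ null, 'https' ] as $proto ) {
	$cfg = buildServerConfig( 'http://commons.wikimedia.org', $proto );
	$label = $proto ?? 'none';
	printf( "X-Forwarded-Proto=%-5s user link:      %s\n", $label, userLink( $cfg, $query ) );
	printf( "X-Forwarded-Proto=%-5s irc (fixed):    %s\n", $label, ircLink( $cfg, $query ) );
	printf( "X-Forwarded-Proto=%-5s irc (regressed): %s\n", $label, ircLinkRegressed( $cfg, $query ) );
}
```

Only the regressed variant emits an https link, and only for edits that arrived over https, which is exactly the mixed-protocol feed the report describes.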