Bail out early if $wgArticlePath is non-absolute
Closed, ResolvedPublic
Actions

Description

Setting $wgArticlePath to something like "wiki/$1" accidentally can cause a lot of hassle to people setting up short urls.

There is absolutely no valid reason to set $wgArticlePath to a relative path. We should make Setup.php or some other part of MW bail out early with an informative error message if it is not absolute.

Version: 1.22.0
Severity: trivial

Details

Reference: bz46998

Subject	Repo	Branch	Lines +/-
Validate that $wgVariantArticlePath is absolute, too	mediawiki/core	master	+9 -7
Validates wgArticlePath does start with slash (/).	mediawiki/core	REL1_26	+15 -0
Really validate that $wgArticlePath starts with a slash	mediawiki/core	REL1_25	+4 -4
Validates wgArticlePath does start with slash (/).	mediawiki/core	REL1_25	+15 -0
Really validate that $wgArticlePath starts with a slash	mediawiki/core	REL1_26	+4 -4
Really validate that $wgArticlePath starts with a slash	mediawiki/core	REL1_23	+4 -4
Validates wgArticlePath does start with slash (/).	mediawiki/core	REL1_23	+14 -0
Really validate that $wgArticlePath starts with a slash	mediawiki/core	REL1_24	+4 -4
Validates wgArticlePath does start with slash (/).	mediawiki/core	REL1_24	+14 -0
Validates wgArticlePath does start with slash (/).	mediawiki/core	master	+15 -0
Really validate that $wgArticlePath starts with a slash	mediawiki/core	master	+4 -4

Show related patches Customize query in gerrit

Related Objects

Mentioned In: T123326: Throwing an exception in Setup.php causes a fatal in LBFactory.php
T117899: XSS from wikitext when $wgArticlePath='$1'

Event Timeline

• bzimport raised the priority of this task from to Low.Nov 22 2014, 1:21 AM

• bzimport added projects: MediaWiki-General, good first task.

• bzimport set Reference to bz46998.

• bzimport added a subscriber: Unknown Object (MLST).

DanielFriesen created this task.Apr 8 2013, 12:28 AM

Change 135196 had a related patch set uploaded by devunt:
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/135196

devunt claimed this task.May 14 2015, 9:00 PM

Change 135196 had a related patch set uploaded (by devunt):
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/135196

matmarex mentioned this in T117899: XSS from wikitext when $wgArticlePath='$1'.Nov 5 2015, 7:29 PM

Change 135196 merged by jenkins-bot:
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/135196

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 10 2015, 11:21 PM

ReleaseTaggerBot added projects: MW-1.27-release-notes, MW-1.27-release (WMF-deploy-2015-11-17_(1.27.0-wmf.7)).Nov 11 2015, 12:00 AM

Change 252582 had a related patch set uploaded (by Bartosz Dziewoński):
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/252582

matmarex subscribed.Nov 11 2015, 10:02 PM

Change 252582 merged by jenkins-bot:
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/252582

matmarex closed this task as Resolved.Nov 12 2015, 12:17 AM

matmarex removed a project: Patch-For-Review.

matmarex set Security to None.

matmarex removed a subscriber: • wikibugs-l-list.

Change 259905 had a related patch set uploaded (by Chad):
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/259905

Change 259906 had a related patch set uploaded (by Chad):
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/259906

Change 259916 had a related patch set uploaded (by Chad):
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/259916

Change 259917 had a related patch set uploaded (by Chad):
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/259917

Change 259929 had a related patch set uploaded (by Chad):
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/259929

Change 259930 had a related patch set uploaded (by Chad):
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/259930

Change 259940 had a related patch set uploaded (by Chad):
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/259940

Change 259941 had a related patch set uploaded (by Chad):
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/259941

Change 259916 merged by Chad:
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/259916

Change 259917 merged by Chad:
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/259917

Change 259905 merged by Reedy:
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/259905

Change 259906 merged by Reedy:
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/259906

Change 259940 merged by Chad:
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/259940

Change 259941 merged by Chad:
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/259941

Change 259929 merged by Reedy:
Validates wgArticlePath does start with slash (/).

https://gerrit.wikimedia.org/r/259929

Change 259930 merged by Reedy:
Really validate that $wgArticlePath starts with a slash

https://gerrit.wikimedia.org/r/259930

ReleaseTaggerBot added projects: MW-1.24-release, MW-1.23-release, MW-1.26-release, MW-1.25-release.Dec 18 2015, 2:00 AM

Should the same be done with $wgVariantArticlePath, if it is not false?
It looks less likely to be an attack vector, and admins are less likely to set it to just '$1' as the '$2' is sort of necessary for it to be useful.