Disable $wgServer autodetection to prevent cache poisoning attacks

Since MediaWiki 1.18, $wgServer has been automatically set by the web installer
when it generates LocalSettings.php, so this shouldn't be an issue for most
wikis. The CLI installer now supports a --server optional parameter to
specify $wgServer, otherwise it'll be set to 'http://localhost' by default.

Users will see a fatal error pointing them to the on-wiki $wgServer
documentation that I've updated as well.

Originally this functionality was slated for removal in 1.20, but now is
just a good time as any. It also calls into other parts of MediaWiki before
most things are initialized, making it difficult to librarize some code.

Bug: T30798
Bug: T232931
Change-Id: Ia5d616e7fafbab01655067c24c5a3a073b254f21

RELEASE-NOTES-1.34

@@ -76,6 +76,10 @@ $wgPasswordPolicy['policies']['default']['PasswordNotInLargeBlacklist'] = false;
   containing some HTML markup in metadata. As a result, the $wgAllowTitlesInSVG
   setting is no longer applied and is now always true. Note that MSIE 7 may
   still be able to misinterpret certain malformed PNG files as HTML.
+* (T30798) $wgServer must now always be set in LocalSettings.php. This is most
+  likely the case already for any wiki installed after 1.18. The autodetection
+  system was informally deprecated since 1.18 and vulnerable to cache poisoning
+  attacks. Older wikis may need to update their LocalSettings.php file.
 * Introduced $wgVerifyMimeTypeIE to allow disabling the MSIE 6/7 file type
   detection heuristic on upload, which is more conservative than the checks
   that were changed above.

includes/DefaultSettings.php

@@ -95,15 +95,14 @@ $wgAssumeProxiesUseDefaultProtocolPorts = true;
  * $wgServer = 'http://example.com';
  * @endcode
  *
- * This is usually detected correctly by MediaWiki. If MediaWiki detects the
- * wrong server, it will redirect incorrectly after you save a page. In that
- * case, set this variable to fix it.
+ * This must be set in LocalSettings.php. The MediaWiki installer does this
+ * automatically since 1.18.
  *
  * If you want to use protocol-relative URLs on your wiki, set this to a
  * protocol-relative URL like '//example.com' and set $wgCanonicalServer
  * to a fully qualified URL.
  */
-$wgServer = WebRequest::detectServer();
+$wgServer = false;
 
 /**
  * Canonical URL of the server, to use in IRC feeds and notification e-mails.

includes/Setup.php

@@ -626,6 +626,15 @@ define( 'MW_SERVICE_BOOTSTRAP_COMPLETE', 1 );
 
 MWExceptionHandler::installHandler();
 
+// T30798: $wgServer must be explicitly set
+if ( $wgServer === false ) {
+	throw new FatalError(
+		'$wgServer must be set in LocalSettings.php. ' .
+		'See <a href="https://www.mediawiki.org/wiki/Manual:$wgServer">' .
+		'https://www.mediawiki.org/wiki/Manual:$wgServer</a>.'
+	);
+}
+
 if ( $wgCanonicalServer === false ) {
 	$wgCanonicalServer = wfExpandUrl( $wgServer, PROTO_HTTP );
 }

includes/installer/CliInstaller.php

@@ -278,7 +278,8 @@ class CliInstaller extends Installer {
 	}
 
 	protected function envGetDefaultServer() {
-		return null; // Do not guess if installing from CLI
+		// Use a basic value if the user didn't pass in --server
+		return 'http://localhost';
 	}
 
 	public function dirIsExecutable( $dir, $url ) {

includes/installer/Installer.php

@@ -1821,6 +1821,10 @@ abstract class Installer {
 
 		// Don't try to use any object cache for SessionManager either.
 		$GLOBALS['wgSessionCacheType'] = CACHE_NONE;
+
+		// Set a dummy $wgServer to bypass the check in Setup.php, the
+		// web installer will automatically detect it and not use this value.
+		$GLOBALS['wgServer'] = 'https://🌻.invalid';
 	}
 
 	/**

maintenance/install.php

@@ -60,6 +60,12 @@ class CommandLineInstaller extends Maintenance {
 			false,
 			true
 		);
+		$this->addOption(
+			'server',
+			'The base URL of the web server the wiki will be on (http://localhost)',
+			false,
+			true
+		);
 
 		$this->addOption( 'lang', 'The language to use (en)', false, true );
 		/* $this->addOption( 'cont-lang', 'The content language (en)', false, true ); */