Last modified: 2014-02-28 18:03:10 UTC
The Web installer's behavior was changed in https://www.mediawiki.org/wiki/Special:Code/MediaWiki/69322 to offer LocalSettings.php as a download instead of writing it itself. Unless there's a reason not to, shouldn't it try to write the file itself and offer it as a download only if it fails?
If I am not wrong, then you are saying that the file should be created and saved automatically instead of us copying and pasting it from the downloads to your http://localhost, right?
Right.
Created attachment 14583
This copies the LocalSettings.php file automatically. In addition to copying the file to the desired location, it also gives an option to download the file in case the copying does not take place due to any reasons whatsoever!
Hi Mayank! Thanks for your patch! You are welcome to use Developer access https://www.mediawiki.org/wiki/Developer_access to submit this as a Git branch directly into Gerrit: https://www.mediawiki.org/wiki/Git/Tutorial Putting your branch in Git makes it easier to review it quickly. If you don't want to set up Git/Gerrit, you can also use https://tools.wmflabs.org/gerrit-patch-uploader/
Change 114966 had a related patch set uploaded by Mjnovice: Automatically copies the LocalSettings.php file to the desired location, fixes bug 60534. https://gerrit.wikimedia.org/r/114966
Change 114966 had a related patch set uploaded by Nemo bis: Automatically copy the LocalSettings.php file to the desired location https://gerrit.wikimedia.org/r/114966
(In reply to Jackmcbarn from comment #0)
> Unless there's a reason not to

The directory where MediaWiki is installed should not be writeable by the web server. That's considered a security vulnerability since then the source code of MediaWiki can be changed via the web interface if there is an exploit. Generally the installation directory should be read-only to the web server.

Downloading LocalSettings.php rather than writing it is to encourage the idea that you must SSH into your server in order to change files. The other side of the argument is that when downloading LocalSettings.php you are transmitting the database password over plaintext, but assuming you already entered your database password on the installer form that is kind of a moot issue.
(In reply to Tyler Romeo from comment #7)
> (In reply to Jackmcbarn from comment #0)
> > Unless there's a reason not to
>
> The directory where MediaWiki is installed should not be writeable by the
> web server. That's considered a security vulnerability since then the source
> code of MediaWiki can be changed via the web interface if there is an
> exploit. Generally the installation directory should be read-only to the web
> server.
>
> Downloading LocalSettings.php rather than writing it is to encourage the
> idea that you must SSH into your server in order to change files. The other
> side of the argument is that when downloading LocalSettings.php you are
> transmitting the database password over plaintext, but assuming you already
> entered your database password on the installer form that is kind of a moot
> issue.

Thanks for pointing this out! Can we have a workaround, say, something which allows you to change the server writing permissions just for copying the LocalSettings.php and afterwards making it read-only? Can this be done?
(In reply to Mayank from comment #8)
> Thanks for pointing this out! Can we have a workaround, say, something which
> allows you to change the server writing permissions just for copying the
> LocalSettings.php and afterwards making it read-only? Can this be done?

I mean, that doesn't really solve the problem. The best possible thing we can do is maybe write LocalSettings.php to a temporary directory, and then tell the user to copy it over to the web root.
The way this is coded now, wouldn't it go completely unnoticed for users who don't have the directory writable? For users that already do, mainly MediaWiki developers (via XAMPP, etc.), it would be a convenience, and security wouldn't be a worry for them, since their installations don't tend to be public-facing.
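
As an added illustration of the point made in comment 7 (this is not part of the original thread or of MediaWiki's code): a Python audit that lists which paths in an install tree a web server identity could modify, judged by POSIX mode bits only. The function names, the demo tree and the uid/gid values are constructed for the example.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """True if the mode bits in `st` let (uid, gids) write. Ignores ACLs and root."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_tree(root, uid, gids):
    """Return sorted paths (relative to root) that the identity could modify.

    A writable directory is reported too: write access to it is enough to
    replace or add files inside it, even if the files themselves are read-only.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits carry no meaning; skip them
            if writable_by(st, uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)

def build_demo_tree():
    """Constructed sample install tree with one upload dir and one bad mode."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)                      # install dir: not group-writable
    images = os.path.join(root, "images")
    os.mkdir(images)
    os.chmod(images, 0o775)                    # upload dir: group-writable
    for name, mode in {"index.php": 0o664, "LocalSettings.php": 0o640}.items():
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)                   # explicit, so umask does not matter
    return root

def demo():
    root = build_demo_tree()
    web_uid = os.getuid() + 1                  # constructed: not the file owner
    web_gids = {os.lstat(root).st_gid}         # constructed: shares the files' group
    return audit_tree(root, web_uid, web_gids)

if __name__ == "__main__":
    print(demo())
```

Against a real install, pass the uid and group ids the web server process actually runs with; an empty result means the mode bits give that identity no write access anywhere in the tree.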