
MediaWiki & SimpleSecurity

With the latest release of MediaWiki, the SimpleSecurity extension reveals a really nasty bug: with every request to an article page, the php-cgi process handling the request would allocate as much memory as possible (until it hits the configured memory limit). With multiple requests to the site, the machine begins to swap very heavily and will eventually run out of memory.

In the meantime I decided to disable the extension via LocalSettings.php, but how to protect all the articles SimpleSecurity was supposed to protect? Luckily there weren't that many articles with read restrictions, and most of them were categorized too. Instead of protecting these articles on the wiki layer, the webserver now has to handle that task. Since we're running lighttpd, the following directives were added to the configuration:

  $HTTP["url"] =~ "^/phpmyadmin|^/wiki/(Category|Special|User)" {
     auth.require = ( "" => 
         ("method" => "digest", "realm" => "Restricted", "require" => "valid-user"))
  }

However, that alone would not protect against calling articles via index.php?title=Special. I was surprised to see that Lighttpd can match on the querystring too:

  $HTTP["querystring"] =~ "title\=(Category|Special|User)" { ...

It's not as nice as the SimpleSecurity configuration and one needs to restart the webserver for every change of the protected sites, but as long as #29960 is not fixed, that could be the only way to go here.
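
The two conditionals above have to list the same namespaces, or one request form stays unprotected. The following is an added example (not part of the original post) that generates both rules from one list and checks request URIs against them; Python's `re` stands in for lighttpd's regex matching, and the function names and sample URIs are constructed for illustration.

```python
import re

# Values taken from the post's configuration.
NAMESPACES = ["Category", "Special", "User"]
EXTRA_PREFIXES = ["/phpmyadmin"]
AUTH = '("method" => "digest", "realm" => "Restricted", "require" => "valid-user")'


def patterns(namespaces=NAMESPACES, extra=EXTRA_PREFIXES):
    """Build the url and querystring regexes from one namespace list."""
    alt = "|".join(re.escape(n) for n in namespaces)
    url_re = "|".join(["^" + re.escape(p) for p in extra] + [f"^/wiki/({alt})"])
    qs_re = rf"title\=({alt})"
    return url_re, qs_re


def render(namespaces=NAMESPACES, extra=EXTRA_PREFIXES):
    """Emit both lighttpd conditionals with an identical auth.require block."""
    block = ('  $HTTP["{field}"] =~ "{rx}" {{\n'
             '     auth.require = ( "" =>\n'
             '         {auth})\n'
             '  }}\n')
    url_re, qs_re = patterns(namespaces, extra)
    return (block.format(field="url", rx=url_re, auth=AUTH)
            + block.format(field="querystring", rx=qs_re, auth=AUTH))


def requires_auth(request_uri, namespaces=NAMESPACES, extra=EXTRA_PREFIXES):
    """True if the path or the query string matches its regex."""
    url_re, qs_re = patterns(namespaces, extra)
    path, _, query = request_uri.partition("?")
    return bool(re.search(url_re, path) or re.search(qs_re, query))


# Constructed sample request URIs with the expected outcome.
SAMPLES = {
    "/wiki/Special:RecentChanges": True,
    "/index.php?title=Special:RecentChanges": True,
    "/index.php?title=User:Example&action=history": True,
    "/phpmyadmin/index.php": True,
    "/wiki/Main_Page": False,
    "/index.php?title=Main_Page": False,
}

if __name__ == "__main__":
    print(render())
    for uri, expected in SAMPLES.items():
        status = "auth" if requires_auth(uri) else "open"
        print(f"{status:5} {uri}" + ("" if requires_auth(uri) == expected else "  <-- MISMATCH"))
```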