This repository has been archived by the owner on Jun 27, 2021. It is now read-only.

Misconfiguration exposed risky data #1

Closed
conf-test opened this issue Apr 16, 2021 · 1 comment · Fixed by #2

Comments

@conf-test
Contributor

conf-test commented Apr 16, 2021

Hi,

I'm a security researcher and am doing some study of public docker images. I found some misconfigurations in your image that may expose some risky data at runtime. The exposures I found include:

composer: /composer.lock
git: /extensions/OpenIDConnect/.gitignore
sql: /extensions/OpenIDConnect/sql/mysql/AddTable.sql
vendor: /extensions/MW-OAuth2Client/vendors/*
php internal error messages: extensions/MW-OAuth2Client/vendors/oauth2-client/vendor/phpunit/phpunit/tests/_files/DataProviderDebugTest.php

Those are all blocked in the official mediawiki docker image, and here are some references about these exposures:
https://stackoverflow.com/questions/11078572/should-i-use-phpunit-in-a-staging-production-environment
bolt/bolt#375
wp-cli/doctor-command#98

If you want, I can also help fix them. Please let me know what you think. Thanks!

Best,
~cf

@ta264
Contributor

ta264 commented Apr 16, 2021

A PR would be great! Thanks!
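
The exposure categories reported in the first comment can be checked against an image's web root before it is published. The following is an added example, not code from this repository or from either commenter: the regexes, function names and the sample tree are assumptions, and the sample paths are constructed from the ones listed in the issue.

```python
import os
import re
import tempfile

# Categories come from the issue; the regexes are assumptions of this example.
# Order matters: phpunit is checked before the broader vendor rule.
RULES = [
    ("composer", re.compile(r"(^|/)composer\.lock$")),
    ("git", re.compile(r"(^|/)\.git(ignore|attributes|modules)?(/|$)")),
    ("sql", re.compile(r"\.sql$", re.IGNORECASE)),
    ("phpunit", re.compile(r"(^|/)phpunit(/|$)")),
    ("vendor", re.compile(r"(^|/)vendors?(/|$)")),
]

# Constructed sample layout mirroring the paths listed in the issue.
SAMPLE_PATHS = [
    "composer.lock",
    "extensions/OpenIDConnect/.gitignore",
    "extensions/OpenIDConnect/sql/mysql/AddTable.sql",
    "extensions/MW-OAuth2Client/vendors/oauth2-client/src/Client.php",  # constructed
    "extensions/MW-OAuth2Client/vendors/oauth2-client/vendor/phpunit/"
    "phpunit/tests/_files/DataProviderDebugTest.php",
    "index.php",  # constructed, expected to stay unflagged
]

def classify(rel_path):
    """Return the first matching category for a web-root-relative path, or None."""
    for name, pattern in RULES:
        if pattern.search(rel_path):
            return name
    return None

def audit(webroot):
    """Walk webroot and group files that should not be web-reachable by category."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), webroot)
            rel = rel.replace(os.sep, "/")
            category = classify(rel)
            if category:
                findings.setdefault(category, []).append(rel)
    return {name: sorted(paths) for name, paths in findings.items()}

def build_sample_tree(root):
    """Create empty files for SAMPLE_PATHS under root (test fixture only)."""
    for rel in SAMPLE_PATHS:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
```

Running `audit()` on the directory the web server serves gives the list of files to delete from the image or deny in the server configuration.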
