Menu
▾
▴
#51 MediaWiki upgrade
MediaWiki software needs upgrading. I realize this is not exactly a bug of the ISFDB Python code but I am entering it here to track this.
Currently, the ISFDB wiki seems to be running MediaWiki 1.12.0rc1 (from winter 2008). Why is this an "rc" version? Anyway, the latest stable release seems to be 1.16.2. Upgrading across major versions requires certain steps but they are not hard (according to the manual). As an initial step, this could at least be upgraded to the latest in the 1.12 branch which is 1.12.4 and should be very painless as it only involves code changes (and not DB schema updates, etc.).
This needs to be updated as MediaWiki incorporates security updates and ISFDB has not had any updates to this in several years now. I am not sure if there is any impact from the Python code and tables as I know it somehow uses the mw_user data.
Discussion
Anonymous
I am assigning to you unless Al or Marc comes back you are the only one with administrative access to be able to do such a thing (unless I am mistaken and then feel free to reassign).
Changing from a Bug to FR.
I am not sure what you mean by administrative access.
I am currently not an administrator if the isfdb SourceForce project. Currently that appears to be: ahasuerus_isfdb, alvonruff, mkupper. Though I would not mind taking that on.
I am also not a mod on the ISDB web account (which is really the MediaWiki credentials shared with Python DB web interface). I have never been asked to be a mod/Sysop much less a Bureaucrat though I was considering making another account and requesting a Bot flag for a MediaWiki bot and/or ISFDB bot (technically not really needed but a way to track such accounts I suppose; for MediaWiki the Bot privilege lets one use the web API in certain ways that are otherwise unavailable).
I also do not have access to the ISFDB server where I am sure one would need access to update the MediaWiki code. I would likely need shell credentials at least if not root.
I have looked at the MediaWiki upgrade carefully much. Since the Python ISFDB interface borrows/shares credentials with the MediaWiki software it too would need to be updated as I know at some later point some of the way it handles login security changes which would break the ISFDB code. For this, I have thought of a number of solutions from simplistic to more "done right" or even potentially breaking the logins apart somehow (but obviously carefully to not break things).
If I did obtain access to make such an upgrade, I would probably attempt an incremental approach (e.g., upgrade to lastest MediaWiki that does not change the way it uses security hashes for login credentials before looking at how to take on more, etc.).
There are some security issues I also wanted to talk to someone about in a less public forum than this. Perhaps I shall shoot you an email.
If this should be assigned to someone else, I do not know who so for now I am leaving it here though I really have not been granted to authority needed to directly facilitate this sort of change (I can work on it indirectly with you or Al, etc. until it can be done or I get such access).
Ticket moved from /p/isfdb/feature-requests/251/
MartyD's comments on my Talk page on 2020-03-24:
For work, I just upgraded our MediaWiki. The starting point was a bit better than ISFDB's is, but not much:
I had previously upgraded MySQL for some other reason. Anyway, it went unbelievably smoothly. I just laid down a new mediawiki, copied over images, and copied and updated LocalSettings.php (and got some new versions of extensions) -- some syntax changes around skins and extensions. I did have to upgrade PHP, and I went to 7.4.4, tweaking the new php.ini to reflect my previous settings. Then I ran maintenance/update.php, which ground on for a bit, and I was all set.
It does force passwords to be 10+ chars (don't know if this can be changed -- I did not look). There's also a handy WikiEditor extension that provides a friendlier wikitext editing interface.
I tried it all out first in a separate environment on a copy of my live installation (I duplicated the original environment, then worked through the changes needed to upgrade that) to work out the kinks. It was surprisingly easy. ...
FWIW, we run MediaWiki and PHP on Windows. I suspect you could work out the kinks without having to go to Linux. The primary issue I ran into is that newer PHP was required for newer MediaWiki, but newer PHP was not entirely backward compatible, so the old MediaWiki version would not run on the new PHP (package and method changes, etc.) -- I was forced to update both at the same time.
Well, I changed the submitlogin.cgi to reflect the changes in the password system. Description in https://sourceforge.net/p/isfdb/support-requests/184/
As I told in another post, I managed to use the newest Media-Wiki with python 2.7, newest maria-db on my OpenIndian platform.
It requires Wiki-Upgrades, but this went smoth on my system. I had to install the DB first, and then add MediaWiki. Not the other way round, as current wiki explains. MediaWiki runs updates on configuration.
Nevertheless, MediaWiki has a newer (ok, old maintenant) Password-Check algorithm. But I managed to add the required code and postet it in another ticket.
From this on, I encountered no errors any more. But I'm not an expert :-(
Note that MediaWiki 1.35 is the current LTS. This requires PHP 7.3.19+ and MySQL 5.5.8+
Both of the installed extensions (ConfirmEdit and SyntaxHighlighting) are now bundled with MediaWiki So neither should pose an issue for upgrading.