Five security tips from MediaWiki's lead developer

Brion Vibber, the Wikimedia Foundation's lead developer, is the guiding hand behind the ongoing improvement of MediaWiki. MediaWiki is one of the most widely-used Web applications in the world, and is the software basis for Wikipedia. On the Wikitech mailing list, he offered some insight into how he ensures secure development of the MediaWiki software.

Paraphrased slightly, the five key points are:

  • Don't construct SQL by hand; use query-building abstractions to ensure proper encoding.
  • Don't construct HTML output by hand; use wiki parser where suitable or XML-building abstractions to ensure proper encoding.
  • Don't use $_GET, $_POST, $_REQUEST, and similar values directly; use abstractions that provide some basic data type validation.
  • Don't use explicit include()s or require()s with configured paths; use class autoloader. When an explicit include is needed, always precede it with a constant check to avoid remote include vulnerabilities.
  • Make sure the fuzz testing tools get pulled out from time to time to look for HTML injection bugs (i.e. XSS vulnerabilities) and other such surprises.

All of this can really be boiled down to the following:

  1. Use tools that are designed to produce consistent, reliable, secure code. When there's a problem, fix the tool -- not just the code it produced. This helps guard against human error, reduces duplication of effort, and ensures your developers always know what's going on in the code so they won't introduce bugs later trying to extend others' work.
  2. Test the results, regardless of how good a job you think you did. Subject it to significant stress, looking for where it breaks and misbehaves.
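
The first four tips above, sketched in plain PHP as an added example. This is not MediaWiki's code or Brion Vibber's: `APP_ENTRY`, `Request`, `element()` and `selectTitles()` are hypothetical names, the `page` table and the hostile request values are constructed, and it assumes PHP 8 with the PDO SQLite driver.

```php
<?php
// Added example, not MediaWiki code; every name below is hypothetical.
define('APP_ENTRY', true); // defined only by the real entry point
// Tip 4: an included file opens with this guard so it never runs when requested directly.
if (!defined('APP_ENTRY')) { die('Not a valid entry point.'); }

// Tip 3: typed accessors instead of reading $_GET or $_POST directly.
final class Request {
    public function __construct(private array $params) {}
    public function getInt(string $key, int $default = 0): int {
        $v = $this->params[$key] ?? null;
        return (is_string($v) && ctype_digit($v) && strlen($v) <= 9) ? (int)$v : $default;
    }
    public function getText(string $key, string $default = ''): string {
        $v = $this->params[$key] ?? null;
        return is_string($v) ? $v : $default; // an array from ?key[]=x falls back to the default
    }
}

// Tip 2: one builder escapes every attribute value and text node (tag and attribute names come from code).
function element(string $tag, array $attrs, string $text): string {
    $out = '<' . $tag;
    foreach ($attrs as $name => $value) {
        $out .= ' ' . $name . '="' . htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $out . '>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . "</$tag>";
}

// Tip 1: one query helper binds values as parameters and never concatenates them into SQL.
function selectTitles(PDO $db, string $prefix, int $limit): array {
    $like = addcslashes($prefix, '%_\\') . '%'; // LIKE wildcards in user input match literally
    $stmt = $db->prepare("SELECT title FROM page WHERE title LIKE :p ESCAPE '\\' ORDER BY title LIMIT :n");
    $stmt->bindValue(':p', $like, PDO::PARAM_STR);
    $stmt->bindValue(':n', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample table and a constructed hostile request.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE page (title TEXT)");
$db->exec("INSERT INTO page VALUES ('Main_Page'), ('Main<script>'), ('Other')");
$req = new Request(['prefix' => "Main' OR '1'='1", 'limit' => '10; DROP TABLE page']);
// The quote is bound as data and the non-numeric limit falls back to the default of 5.
$rows = selectTitles($db, $req->getText('prefix'), $req->getInt('limit', 5));
echo count($rows), " rows for the hostile prefix\n";
foreach (selectTitles($db, 'Main', 5) as $title) {
    echo element('a', ['href' => '/wiki/' . rawurlencode($title)], $title), "\n";
}
```

Because escaping and binding live in `element()` and `selectTitles()` rather than at each call site, a flaw found by fuzz testing is fixed once in the helper.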

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

8 comments
apotheon

Do you have any other practical tips to offer in addition to Brion Vibber's? How about tips for different development environments than the PHP-based, MySQL-backed MediaWiki Web application that probably services millions of HTTP requests every minute?

cousintroy

I was a web developer/coder turned Network Administrator and only recently decided to pursue a pet web project of mine. It's a combination of MySQL, PHP and reading about what Brion talks about on secure code is making me go back and see how I can use his techniques to better my code. And by the way, I am starting to become an avid user of MediaWiki...great piece of technology!

Sterling chip Camden

that the whole thing runs on PHP and MySQL. That's a testament to scalability, no matter how much hardware they're throwing at it.

apotheon

It's also probably a testament to the sheer bloody-minded determination of the developers and netadmins.

apotheon

Thanks for the correction. I edited to say "minute" instead of "hour". I intentionally undershot likely request rates because I couldn't find any corroboration at the time, and wanted to make sure I wasn't exaggerating.

Jared.Williams1

They're up to 50k/s at peak times so it's millions of HTTP requests per minute, not just hour.