glensc
commented
4 years ago I think as first step these endpoints should be disabled by default and enabled only when someone explicitly enables them in config or at least restricted to 127.0.0.1 address by default.
The
/importand/deleteendpoints are something you generally don't want to leave exposed to the Internet. At Wikimedia, we've turned these off at the web server layer hoping that it can't be bypassed.That suffices for now, but I'd like to either integrate this into the software, or embrace it as the recommended practice and advertise/document it here so that other people can learn from it, and also so that it will be taken into account when making changes in the future.