Page MenuHomePhabricator
Create Task
Maniphest T101608

GeSHi's contrib directory is exposed on appservers
Closed, ResolvedPublic
Actions

Description

Nothing really fatal here and the potentially most problematic script - aliased.php - crashes early, however the overall quality of this stuff is low and e.g. http://en.wikipedia.org/static/1.26wmf7/extensions/SyntaxHighlight_GeSHi/geshi/contrib/langcheck.php takes 5-6 seconds to execute with no means to throttle, thus being a stealthy DoS vector.

Details

SubjectRepoBranchLines +/-
Kill geshi/contribmediawiki/extensions/SyntaxHighlight_GeSHiREL1_25+0 -2 K
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedNoneT101608 GeSHi's contrib directory is exposed on appservers

Event Timeline

MaxSem created this task.Jun 6 2015, 3:16 PM
MaxSem raised the priority of this task from to Needs Triage.
MaxSem updated the task description. (Show Details)
MaxSem added projects: Security-Extensions, acl*security.
MaxSem changed the visibility from "Public (No Login Required)" to "Custom Policy".
MaxSem changed the edit policy from "All Users" to "Custom Policy".
MaxSem changed Security from None to Software security bug.
MaxSem subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 6 2015, 3:16 PM
csteipp triaged this task as Medium priority.Jul 14 2015, 8:25 PM
csteipp subscribed.

Can we add an .htaccess file into our copy of the repo?

Krenair subscribed.Jul 15 2015, 2:35 PM

That directory no longer exists...

MaxSem closed this task as Resolved.Jul 15 2015, 2:48 PM
MaxSem changed Security from Software security bug to None.
Legoktm subscribed.Jul 15 2015, 3:05 PM

GeSHi is still bundled with older versions of MediaWiki (1.23, 1.24) so this is probably still an issue in those versions...

csteipp added a comment.Jul 15 2015, 3:36 PM
In T101608#1454057, @Legoktm wrote:

GeSHi is still bundled with older versions of MediaWiki (1.23, 1.24) so this is probably still an issue in those versions...

Was there a specific commit removing it that we can backport, or was that included in the move to pygments? If the latter, let's remove or address the langcheck.php script specifically as a DoS for the older versions.

csteipp added a parent task: Restricted Task.Jul 15 2015, 3:37 PM
Krenair added a comment.Jul 15 2015, 3:50 PM

It was probably the move from actually using GeSHi to using pygments

csteipp added a comment.Jul 15 2015, 4:43 PM

Looks like https://gerrit.wikimedia.org/r/#/c/224826/ removed the directory. So that just needs to be backported.

MaxSem added a comment.Jul 15 2015, 4:47 PM

That's the only commit needed, because only 1.25 is affected (careless geshi update?)

csteipp mentioned this in T108198: XSS in GeSHi/contrib/cssgen.php.Aug 6 2015, 4:41 PM
MaxSem mentioned this in rESHG47183d0cac37: Kill geshi/contrib.Aug 6 2015, 5:31 PM
csteipp added subscribers: Grunny, ProgramCeltic.Aug 7 2015, 6:32 PM
csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 10 2015, 9:59 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits