
GeSHi's contrib directory is exposed on appservers
Closed, Resolved (Public)

Description

Nothing really fatal here, and the potentially most problematic script - aliased.php - crashes early; however, the overall quality of this stuff is low, and e.g. http://en.wikipedia.org/static/1.26wmf7/extensions/SyntaxHighlight_GeSHi/geshi/contrib/langcheck.php takes 5-6 seconds to execute with no means to throttle, thus being a stealthy DoS vector.

Event Timeline

MaxSem created this task. Jun 6 2015, 3:16 PM
MaxSem raised the priority of this task from to Needs Triage.
MaxSem updated the task description.
MaxSem changed the visibility from "Public (No Login Required)" to "Custom Policy".
MaxSem changed the edit policy from "All Users" to "Custom Policy".
MaxSem changed Security from None to Software security bug.
MaxSem added a subscriber: MaxSem.
Restricted Application added a subscriber: Aklapper. Jun 6 2015, 3:16 PM
csteipp triaged this task as Normal priority. Jul 14 2015, 8:25 PM
csteipp added a subscriber: csteipp.

Can we add an .htaccess file into our copy of the repo?

That directory no longer exists...

MaxSem closed this task as Resolved. Jul 15 2015, 2:48 PM
MaxSem changed Security from Software security bug to None.

GeSHi is still bundled with older versions of MediaWiki (1.23, 1.24) so this is probably still an issue in those versions...

Was there a specific commit removing it that we can backport, or was that included in the move to pygments? If the latter, let's remove or address the langcheck.php script specifically as a DoS for the older versions.

csteipp added a parent task: Restricted Task. Jul 15 2015, 3:37 PM

It was probably the move from actually using GeSHi to using pygments.

Looks like https://gerrit.wikimedia.org/r/#/c/224826/ removed the directory. So that just needs to be backported.

That's the only commit needed, because only 1.25 is affected (careless GeSHi update?)

csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)". Aug 10 2015, 9:59 PM
csteipp changed the edit policy from "Custom Policy" to "All Users".
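
An added example, not part of the task or of MediaWiki's code: a local audit that lists PHP scripts sitting in a bundled library's `contrib` directory under a document root, and treats them as covered only when a deny-all `.htaccess` (the mitigation asked about in the thread) applies. The function names, the `HELPER_DIRS` set and the sample tree are assumptions made for illustration, and the check assumes an Apache server whose `AllowOverride` setting honours `.htaccess` files.

```python
import os
import re

# Directory names treated as non-runtime helper code (assumption for this
# example; "contrib" is the one named in the task).
HELPER_DIRS = {"contrib"}
DENY_RE = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.I | re.M)


def denied_by_htaccess(path, docroot):
    """True if path or any ancestor up to docroot has a deny-all .htaccess."""
    path, docroot = os.path.abspath(path), os.path.abspath(docroot)
    while True:
        ht = os.path.join(path, ".htaccess")
        if os.path.isfile(ht):
            with open(ht, encoding="utf-8", errors="replace") as fh:
                if DENY_RE.search(fh.read()):
                    return True
        if path == docroot or os.path.dirname(path) == path:
            return False
        path = os.path.dirname(path)


def exposed_helper_scripts(docroot):
    """Docroot-relative .php files under helper dirs with no deny rule above them."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel_parts = os.path.relpath(dirpath, docroot).split(os.sep)
        if not HELPER_DIRS.intersection(rel_parts):
            continue  # not inside a helper directory
        if denied_by_htaccess(dirpath, docroot):
            continue  # direct requests are refused by the web server
        found += [os.path.relpath(os.path.join(dirpath, f), docroot).replace(os.sep, "/")
                  for f in filenames if f.lower().endswith(".php")]
    return sorted(found)


def build_sample_tree(root):
    """Constructed sample layout mirroring the path in the task description."""
    geshi = os.path.join(root, "extensions", "SyntaxHighlight_GeSHi", "geshi")
    contrib = os.path.join(geshi, "contrib")
    os.makedirs(contrib)
    for name in ("langcheck.php", "aliased.php"):
        open(os.path.join(contrib, name), "w").close()
    open(os.path.join(geshi, "geshi.php"), "w").close()  # library file, not a helper
    return contrib
```

Removing the directory, as the commit referenced in the thread did, makes the audit return an empty list without relying on server configuration.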