Nothing really fatal here, and the potentially most problematic script - aliased.php - crashes early; however, the overall quality of this stuff is low and e.g. http://en.wikipedia.org/static/1.26wmf7/extensions/SyntaxHighlight_GeSHi/geshi/contrib/langcheck.php takes 5-6 seconds to execute with no means to throttle, thus being a stealthy DoS vector.
Description
Details
Subject | Repo | Branch | Lines +/-
---|---|---|---
Kill geshi/contrib | mediawiki/extensions/SyntaxHighlight_GeSHi | REL1_25 | +0 -2 K
Status | Subtype | Assigned | Task
---|---|---|---
Restricted Task | | |
Resolved | None | T101608 GeSHi's contrib directory is exposed on appservers |
Event Timeline
GeSHi is still bundled with older versions of MediaWiki (1.23, 1.24) so this is probably still an issue in those versions...
Was there a specific commit removing it that we can backport, or was that included in the move to pygments? If the latter, let's remove or address the langcheck.php script specifically as a DoS for the older versions.
Looks like https://gerrit.wikimedia.org/r/#/c/224826/ removed the directory. So that just needs to be backported.
That's the only commit needed, because only 1.25 is affected (careless geshi update?)