Page MenuHomePhabricator

Security review the Extension:WikipediaExtracts
Closed, ResolvedPublic


Project Information

Description of the tool/project

The WikipediaExtracts extension allows you to insert content extracted directly from Wikipedia into any MediaWiki wiki.

Description of how the tool will be used at WMF

First two use cases are the Spanish and English Wikiversities. Many pages there contain copy-pasted content from Wikipedia, to give general descriptions of topics that are subsequently developed in various directions. This extensions would allow users to extract content from Wikipedia directly, specially definitions and introductions, therefore keeping the content up-to-date with the latest from Wikipedia, and properly attributing credit.


This extension has no dependencies, but in order to extract content from Wikipedia, it needs the Extension:TextExtracts to be enabled on Wikipedia (it currently is).

Has this project been reviewed before?

The extension has been code reviewed, but not security reviewed, see T149766

Working test environment



Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 28 2016, 2:14 PM
Dereckson changed the task status from Open to Stalled.EditedNov 2 2016, 3:04 AM
Dereckson added a subscriber: Dereckson.

Code should be refactored before security review, per T149766.

Once done, we can do the security review.

@Sophivorus, @Dereckson, is this security review still needed?

If so, please update the description of this ticket and add the information requested at

Dereckson added a comment.EditedMar 21 2017, 7:45 PM

I've asked in T149766 to @Sophivorus if they're happy with the code refactoring/fixes. In January, at the same task, @Sophivorus feedback was progress was made, two wikis would like it, a security review would be useful.

Dereckson added a comment.EditedMar 24 2017, 4:07 PM

@dpatrick So yes, it's still needed:

@Sophivorus Are you confident you've addressed Legoktm concerns of robustness?

@Dereckson Absolutely, I just double-checked everything.

Dereckson updated the task description. (Show Details)Mar 24 2017, 4:10 PM
Sophivorus updated the task description. (Show Details)Mar 24 2017, 4:20 PM

Anyone remembers this task? The extension would still be useful at the English and Spanish Wikiversity.

Zerabat added a subscriber: Zerabat.EditedJul 9 2017, 5:19 PM

Anyone remembers this task? The extension would still be useful at the English and Spanish Wikiversity.

I don't know how many time lasts a security review, but 4 months have since passed.

Sophivorus added a comment.EditedSep 18 2017, 9:12 AM

Will this ever happen? Is there anything blocking it?

Aklapper changed the task status from Stalled to Open.Sep 18 2017, 9:33 AM

Restting task status "stalled" and "Security-Reviews (Waiting/Blocked)" as per T149424#3128455 and T149424#3128476

Bawolff added a subscriber: Bawolff.Oct 4 2017, 4:58 PM

I'm curious if this would be better served by $wgEnableScaryTranscluding ?

It's been more than a year already...

Reedy added a subscriber: Reedy.Nov 25 2017, 11:49 PM

I've just done a bit more cleanup in - parse_url is seemingly noisy, so could potentially have resulted in log noise, error suppression added.

I'm really not a fan of the way everything is just stuck into static member variables, and nearly everything uses them. Or, in some cases, like $parser, it's only used in one place

The extension probably needs a README or similar in the extension, to include some of the stuff on

I've added a vagrant role in so I can test it a bit more easily..

Sophivorus added a comment.EditedMay 9 2018, 3:14 AM

@Reedy Thanks for your review. Most static variables are gone, just one is left for convenience. Could you confirm for security please? Thanks!

Please. We could really use this feature at Wikiversity.

@Reedy / @Bawolff: Is this still "in progress"?

charlotteportero closed this task as Resolved.Jan 7 2019, 7:06 PM
charlotteportero claimed this task.

Interested parties, from a security perspective, the code was successfully reviewed, but there are minor departures from coding conventions that need further correction. Please contact @greg in Phabricator for assistance.

@Sophivorus To give further context, to move this forwards, this really needs a champion with deploy access to push it forward. @greg can help you in determining what other requirements beyond security review are needed in order to get this deployed.

determining what other requirements beyond security review are needed in order to get this deployed.

See documentation on