
JSON pages need to be locked for editing by users without rights
Closed, Duplicate · Public

Description

I think JSON user pages (User:Username/pagename.json) need to move into the JS pages' group. These pages look like on-duty pages for the user, and I think only the user (the 'editmyuserjs' right) and users with the 'edituserjs' right should be able to edit them, for security reasons.
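As an added illustration (not MediaWiki's own code), the rule proposed in the description modelled as a small Python permission check: user subpages ending in .json are treated exactly like .js and .css user pages, so the owner needs 'editmyuserjs' and anyone else needs 'edituserjs'. The title parsing, the exact-case suffix match and the plain username comparison are simplifying assumptions of this model, not MediaWiki's implementation.

```python
import re

# Suffixes the task proposes should share the user-JS protection rules.
PROTECTED_SUFFIXES = (".js", ".css", ".json")

# Right names as they appear in the task; governing JSON pages by the JS rights
# is the task's proposal, modelled here as given (an assumption of this example).
OWN_PAGE_RIGHT = "editmyuserjs"
OTHER_PAGE_RIGHT = "edituserjs"

# Matches "User:<owner>/<subpage>"; "User talk:" and other namespaces do not match.
_USER_SUBPAGE_RE = re.compile(r"^User:([^/]+)/(.+)$")


def protected_page_owner(title: str):
    """Return the owning username if `title` is a user config page, else None.

    A page counts as protected when it is a subpage in the User namespace and
    its full title ends with one of PROTECTED_SUFFIXES (exact case, as a
    simplifying assumption of this model).
    """
    match = _USER_SUBPAGE_RE.match(title)
    if match is None:
        return None
    owner, subpage = match.groups()
    if not subpage.endswith(PROTECTED_SUFFIXES):
        return None
    return owner


def required_right(title: str, actor: str):
    """Right `actor` needs to edit `title`; None means no extra right is needed."""
    owner = protected_page_owner(title)
    if owner is None:
        return None
    return OWN_PAGE_RIGHT if actor == owner else OTHER_PAGE_RIGHT


def can_edit(title: str, actor: str, rights: set) -> bool:
    """Decide an edit against the actor's right set under the proposed rule."""
    needed = required_right(title, actor)
    return needed is None or needed in rights


if __name__ == "__main__":
    # Constructed sample: Bob, who only holds 'edit', tries Alice's settings page.
    print(can_edit("User:Alice/settings.json", "Bob", {"edit"}))  # False
    print(can_edit("User:Alice/settings.json", "Alice", {"edit", "editmyuserjs"}))  # True
```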

Event Timeline

Iniquity created this task. Jan 21 2017, 5:09 PM
Restricted Application added a subscriber: Aklapper. Jan 21 2017, 5:09 PM

New feature request; I think this can't be done by changing a config variable.

Iniquity updated the task description. Jan 21 2017, 5:17 PM

What JSON pages in particular pose security issues?

Krenair set Security to Software security bug. Jan 21 2017, 5:34 PM
Krenair added a project: Security.
Krenair changed the visibility from "Public (No Login Required)" to "Custom Policy".

What is the security issue here?

> What JSON pages in particular pose security issues?

These pages may contain user settings which are used by scripts.

Scripts should not be putting any security-sensitive settings on openly-editable pages. That's a problem with the scripts, not MediaWiki's handling of json pages.

> What JSON pages in particular pose security issues?

> These pages may contain user settings which are used by scripts.

Can you provide some examples please?

Iniquity added a comment. (Edited) Jan 21 2017, 7:45 PM

> Scripts should not be putting any security-sensitive settings on openly-editable pages. That's a problem with the scripts, not MediaWiki's handling of json pages.

I know, but why are JSON pages openly editable? What is the difference between JSON page content and JS page content in the user namespace?

> Can you provide some examples please?

For example, this gadget has this localization page. If I want to save this gadget in the 'User' namespace and localize it in another way, then one day somebody can come in and break the translation, put in virus links, pictures or something else.

OK, this is not a security bug then. I'll mark it as a duplicate of T76554: Restrict editing of .json pages in the user namespace (like .js and .css).

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".
Restricted Application added a project: Security. Jan 21 2017, 8:19 PM