Page MenuHomePhabricator
Create Task
Maniphest T155900

JSON pages need to be locked for editing by users without rights
Closed, DuplicatePublic
Actions

Description

I think JSON user (User:Username/pagename.json) pages need to move into JS pages' group. These pages look like on-duty pages for user and I think only the user can edit them ('editmyuserjs' right) and users with 'edituserjs' right. For security reasons.

Related Objects

Event Timeline

Iniquity created this task.Jan 21 2017, 5:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 21 2017, 5:09 PM
Urbanecm subscribed.Jan 21 2017, 5:11 PM

New feature request, I think this can't be done by changing a config variable.

Iniquity updated the task description. (Show Details)Jan 21 2017, 5:17 PM
Krenair subscribed.Jan 21 2017, 5:34 PM

What Json pages in particular pose security issues?

Krenair set Security to Software security bug.Jan 21 2017, 5:34 PM
Krenair added a project: acl*security.
Krenair changed the visibility from "Public (No Login Required)" to "Custom Policy".
Krenair edited projects, added MediaWiki-General; removed JavaScript, Wikimedia-Site-requests.
Legoktm subscribed.Jan 21 2017, 7:11 PM

What is the security issue here?

Iniquity added a comment.Jan 21 2017, 7:22 PM
In T155900#2958255, @Krenair wrote:

What Json pages in particular pose security issues?

These pages may contain user settings which used by scripts.

Krenair added a comment.Jan 21 2017, 7:36 PM

Scripts should not be putting any security-sensitive settings on openly-editable pages. That's a problem with the scripts, not MediaWiki's handling of json pages.

Legoktm added a comment.Jan 21 2017, 7:43 PM
In T155900#2958399, @Iniquity wrote:
In T155900#2958255, @Krenair wrote:

What Json pages in particular pose security issues?

These pages may contain user settings which used by scripts.

Can you provide some examples please?

Iniquity added a comment.EditedJan 21 2017, 7:45 PM
In T155900#2958412, @Krenair wrote:

Scripts should not be putting any security-sensitive settings on openly-editable pages. That's a problem with the scripts, not MediaWiki's handling of json pages.

I know, but why JSON pages openly-editable? What difference between JSON page content and JS page content in user namespace?

Iniquity added a comment.Jan 21 2017, 7:56 PM
In T155900#2958420, @Legoktm wrote:

Can you provide some examples please?

For example, this gadget has this localization page. If I want to save this gadget in 'User' namespace, and localize it in other way than one day somebody can come in and break the translation. Put the virus links, pictures smth else.

Legoktm added a comment.Jan 21 2017, 8:19 PM

OK, this is not a security bug then. I'll mark it as a duplicate of T76554: Restrict editing of .json pages in the user namespace (like .js and .css).

Legoktm removed a project: acl*security.Jan 21 2017, 8:19 PM
Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".
Restricted Application added a project: acl*security. · View Herald TranscriptJan 21 2017, 8:19 PM
Legoktm removed a project: acl*security.Jan 21 2017, 8:20 PM
Legoktm closed this task as a duplicate of T76554: Restrict editing of .json pages in the user namespace (like .js and .css).
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL