
Zerowiki is broken by <html> filtering
Closed, ResolvedPublic

Description

See https://zero.wikimedia.org/wiki/Special:ZeroPortal
Caused by T156184 which disallows <html> in system messages. Zerowiki is using a mix of Lua, templates and system messages to build the portal.

Event Timeline

Tgr created this task.Apr 12 2017, 7:37 AM
Tgr triaged this task as High priority.Apr 12 2017, 7:40 AM
Tgr added a project: Zero.
Tgr added subscribers: dr0ptp4kt, Bawolff, Mholloway, DFoy.

(Not really a security issue but zerowiki is private so erring on the safe side.)

I fixed some of the more glaring issues, still have to look more closely at it

DFoy added a comment.Apr 14 2017, 8:55 PM

Thanks - it has improved.

I went in having signed in earlier and see another HTML warning. I'm attaching a screenshot.

I think I've fixed all of them.

There are some remaining usages of <html>, but it appears to all be on pages that are not used ( https://zero.wikimedia.org/w/index.php?search=insource%3A%2F%5C%3Chtml%5C%3E%2F&title=Special:Search&profile=advanced&fulltext=1&ns0=1&ns1=1&ns2=1&ns3=1&ns4=1&ns5=1&ns7=1&ns8=1&ns9=1&ns10=1&ns11=1&ns12=1&ns13=1&ns14=1&ns15=1&ns480=1&ns481=1&ns486=1&ns487=1&ns828=1&ns829=1&ns2300=1&ns2301=1&ns2302=1&ns2303=1&searchToken=epk6y0uo8q72i26rqwim69knr ).

@DFoy If indeed there are no longer any raw HTML usages on zero.wikimedia.org, would it be ok if I totally disabled raw HTML on that wiki (in order to reduce attack surface)?

@DFoy / @dr0ptp4kt : ping - would it be ok if I disabled raw HTML on zero wiki and transclusions from the Data namespace? I think this will make the wiki much more secure and shouldn't negatively affect anything - but if it does we could revert.
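What the two hardening steps proposed above look like in MediaWiki configuration terms, as an added example. This is not code from the task or from the actual wmf-config change (https://gerrit.wikimedia.org/r/#/c/354113/), whose contents are not shown on this page; it is written in single-wiki LocalSettings.php form rather than the per-wiki arrays InitialiseSettings.php uses, and the NS_DATA constant and namespace id 486 are assumptions.

```php
<?php
// Added illustration only: hardening a MediaWiki instance so that
// (1) raw HTML is refused everywhere and (2) pages in a "Data" namespace
// cannot be transcluded. Not the contents of the wmf-config change.

// 1. Refuse <html>...</html> blocks. With $wgRawHtml enabled, anyone who can
//    edit a page or a MediaWiki: system message can inject arbitrary markup and
//    script into rendered output, i.e. a stored XSS primitive. The MediaWiki
//    default is already false; this makes the choice explicit for the wiki.
$wgRawHtml = false;

// 2. Make the Data namespace non-includable. Its pages stay readable, but
//    {{:Data:Some page}} style transclusion into other pages is refused, so
//    content kept there cannot be pulled into arbitrary rendered pages.
// Assumption: the wiki defines a "Data" namespace. 486 is the id the JsonConfig
// extension uses for Data on Wikimedia Commons and is a placeholder here.
if ( !defined( 'NS_DATA' ) ) {
	define( 'NS_DATA', 486 );
}
$wgNonincludableNamespaces[] = NS_DATA;
```

After deploying a change like this, the check that matters is the one DFoy and Bawolff do in this thread: search for remaining `insource:/\<html\>/` matches across all namespaces and then load the pages that actually drive the portal, because a leftover `<html>` block no longer renders as markup once $wgRawHtml is off.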

DFoy added a comment.Apr 25 2017, 9:33 PM

Go ahead and try it - let me know when it's live so I can do another test

This week is already becoming kind of insane due to events on frwiki. How about we do this on Monday?

DFoy added a comment.Apr 26 2017, 12:17 AM

Sounds good

Sorry for the delay, we will do this soon: https://gerrit.wikimedia.org/r/#/c/354113/

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".May 17 2017, 1:17 PM

Mentioned in SAL (#wikimedia-operations) [2017-05-17T13:23:49Z] <dereckson@tin> Synchronized wmf-config/InitialiseSettings.php: Harden zerowiki config (T162771) (duration: 00m 41s)
@DFoy: It's live now. I tested myself and I didn't see any problems; let me know if you encounter any.

ping @DFoy : Does everything look good? This has been live for a couple of weeks now.

DFoy added a comment.Jun 9 2017, 5:57 PM

I checked and there is a problem with the testing timer. I'm attaching a screenshot. If you need credentials to access, please contact me outside of Phabricator.

Whoops, must have missed that. Should be fixed now. Anything else?

@DFoy: Could you please answer Brian's question to clarify whether this task is solved or if more work is needed?

DFoy added a comment.Aug 24 2017, 8:55 PM

Sorry about the delay - this problem has been resolved. Thanks!

MaxSem closed this task as Resolved.Aug 24 2017, 8:58 PM
MaxSem assigned this task to Bawolff.