Page MenuHomePhabricator
Create Task
Maniphest T162771

Zerowiki is broken by <html> filtering
Closed, ResolvedPublic
Actions

Description

See https://zero.wikimedia.org/wiki/Special:ZeroPortal
Caused by T156184 which disallows <html> in system messages. Zerowiki is using a mix of Lua, templates and system messages to build the portal.

Details

ProjectBranchLines +/-Subject
operations/mediawiki-configmaster+5 -1Harden zerowiki config (no raw html, no transclude NS_ZERO)
Customize query in gerrit

Related Objects

Event Timeline

Tgr created this task.Apr 12 2017, 7:37 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 12 2017, 7:37 AM
Tgr triaged this task as High priority.Apr 12 2017, 7:40 AM
Tgr added a project: Zero.
Tgr added subscribers: dr0ptp4kt, Bawolff, Mholloway, DFoy.

(Not really a security issue but zerowiki is private so erring on the safe side.)

Tgr mentioned this in T156184: Make rawHTML mode not apply to system messages.Apr 12 2017, 7:43 AM
Bawolff added a comment.Apr 12 2017, 7:08 PM

I fixed some of the more glaring issues, still have to look more closely at it

DFoy added a comment.Apr 14 2017, 8:55 PM

Thanks - it has improved.

I went in having signed in earlier and see another HTML warning. I'm attaching a screenshot.

Screen Shot 2017-04-13 at 1.56.16 PM.png (1×2 px, 428 KB)

Bawolff added a comment.Apr 18 2017, 8:15 PM

I think I've fixed all of them.

There are some remaining usages of <html>, but it appears to all be on pages that are not used ( https://zero.wikimedia.org/w/index.php?search=insource%3A%2F%5C%3Chtml%5C%3E%2F&title=Special:Search&profile=advanced&fulltext=1&ns0=1&ns1=1&ns2=1&ns3=1&ns4=1&ns5=1&ns7=1&ns8=1&ns9=1&ns10=1&ns11=1&ns12=1&ns13=1&ns14=1&ns15=1&ns480=1&ns481=1&ns486=1&ns487=1&ns828=1&ns829=1&ns2300=1&ns2301=1&ns2302=1&ns2303=1&searchToken=epk6y0uo8q72i26rqwim69knr ).

@DFoy If indeed there is no longer any raw html usages on zero.wikimedia.org, would it be ok if I totally disabled raw html on that wiki (In order to reduce attack surface)?

Bawolff added a comment.Apr 25 2017, 8:54 PM

@DFoy / @dr0ptp4kt : ping - would it be ok if I disabled raw html on zero wiki and transclusions from the Data namespace. I think this will make the wiki much more secure and shouldn't negatively effect anything - but if it does we could revert.

dr0ptp4kt added a comment.Apr 25 2017, 9:25 PM

I defer to @DFoy ...

DFoy added a comment.Apr 25 2017, 9:33 PM

Go ahead and try it - let me know when it's live so I can do another test

Bawolff added a comment.Apr 25 2017, 10:52 PM

This week is already becoming kind of insane due to events on frwiki. How about we do this on monday

DFoy added a comment.Apr 26 2017, 12:17 AM

Sounds good

Bawolff added a comment.May 17 2017, 12:39 PM

Sorry for the delay, we will do this soon: https://gerrit.wikimedia.org/r/#/c/354113/

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".May 17 2017, 1:17 PM
Stashbot added a subscriber: Stashbot.May 17 2017, 1:23 PM

Mentioned in SAL (#wikimedia-operations) [2017-05-17T13:23:49Z] <dereckson@tin> Synchronized wmf-config/InitialiseSettings.php: Harden zerowiki config (T162771) (duration: 00m 41s)

Bawolff added a comment.May 17 2017, 1:24 PM
In T162771#3211931, @DFoy wrote:

Go ahead and try it - let me know when it's live so I can do another test

@DFoy: Its live now. I tested myself and I didn't see any problems, let me know if you encounter any.

Bawolff added a comment.Jun 9 2017, 5:20 PM

ping @DFoy : Everything look good? this has been live for a couple weeks now.

DFoy added a comment.Jun 9 2017, 5:57 PM

I checked and there is a problem with the testing timer. I'm attaching a screenshot. If you need credentials to access, please contact me outside of Phabricator.

Screen Shot 2017-06-09 at 10.44.22 AM.png (1×2 px, 344 KB)

Bawolff added a comment.Jun 9 2017, 7:36 PM
In T162771#3336038, @DFoy wrote:

I checked and there is a problem with the testing timer. I'm attaching a screenshot. If you need credentials to access, please contact me outside of Phabricator.

Screen Shot 2017-06-09 at 10.44.22 AM.png (1×2 px, 344 KB)

Whoops, must of missed that. Should be fixed now. Anything else?

Aklapper added a comment.Jul 12 2017, 1:11 PM
In T162771#3336264, @Bawolff wrote:

Whoops, must of missed that. Should be fixed now. Anything else?

@DFoy: Could you please answer Brian's question to clarify whether this task is solved or if more work is needed?

Aklapper added a comment.Aug 24 2017, 3:02 PM

@DFoy: Could you please answer Brian's question to clarify whether this task is solved or if more work is needed?

DFoy added a comment.Aug 24 2017, 8:55 PM

Sorry about the delay - this problem has been resolved. Thanks!

MaxSem closed this task as Resolved.Aug 24 2017, 8:58 PM
MaxSem assigned this task to Bawolff.
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL