
HotCat loads code that can be edited without editsitejs right
Open, MediumPublic

Description

HotCat stores part of its configuration on various MediaWiki pages which do not have a .js extension: MediaWiki:Gadget-HotCat.js/<languagecode> for localisations (such as MediaWiki:Gadget-HotCat.js/mwl; the page could be either on Commons or the local wiki) and MediaWiki:Gadget-HotCat.js/local_defaults on the wiki where it's used for configuration settings. These pages are not recognizable to MediaWiki as JavaScript; they should either be renamed to .js; protected from editing without the editsitejs right by some other means (e.g. the GetUserRights hook); or (preferably) converted to JSON and renamed to .json so that more people are able to edit them without being able to deploy sitewide JS. (That last option does not work for hook callbacks, but no WMF wiki actually seems to use them.)

HotCat is used on several non-WMF wikis, often by loading the main file from Commons, so care should be taken not to break those.

Event Timeline

Left a message about it on the Commons gadget talk page (message, permalink).

At a glance, wikis which have their own copy of HotCat instead of hotloading from Commons include azbwiki, cebwiki, fawiki, idwikimedia, labswiki, mkwiki, mkwiktionary, nowiktionary, pswiki, ruwiktionary, urwikiquote, fdcwiki.

It's a really common pattern to do <msg>/langcode. It's even supported by us if the msg is not a content-language msg (which would be insane for a JS msg).

Given that, I think maybe we should have MW consider anything where the base page name ends in .js in NS_MEDIAWIKI to be a JS msg.

Enwiki’s version uses regex literals and even functions, which are not allowed in JSON (they could be evaluated strings, of course, but code evaluation should be avoided, otherwise JSON’s protection is lost), meaning the possibility to use JavaScript has to be kept. So the following order might be good (if a page higher on the list is present, the script should not go any further):

  1. MediaWiki:Gadget-HotCat.js/local_defaults.json evaluated as JSON
  2. MediaWiki:Gadget-HotCat.js/local_defaults.js evaluated as JavaScript
  3. MediaWiki:Gadget-HotCat.js/local_defaults evaluated as JavaScript, restricted (possibly based on MediaWiki version: enabled the current stable release as of the implementation of this change, disabled in any later wmf or stable version)
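The fallback order proposed above, written out as an added example; this is not HotCat's own code and not part of the task. It assumes a plain title-to-wikitext map in place of the wiki API lookup, a boolean `allowLegacy` in place of the MediaWiki-version check the comment suggests for the bare page, and a constructed sample setting (`exampleSetting`) rather than any real HotCat option. The point it shows is that the .json page is parsed with `JSON.parse`, which never executes code, while the bare page (editable without editsitejs) is only ever reported, never executed, once legacy support is switched off.

```javascript
// Added example (not HotCat's code): the local_defaults fallback order from the
// comment above, as a pure function. `pages` is a constructed title -> wikitext map
// standing in for the wiki API; `allowLegacy` stands in for the version check.

const CANDIDATES = [
  { title: 'MediaWiki:Gadget-HotCat.js/local_defaults.json', mode: 'json' },
  { title: 'MediaWiki:Gadget-HotCat.js/local_defaults.js',   mode: 'javascript' },
  { title: 'MediaWiki:Gadget-HotCat.js/local_defaults',      mode: 'legacy' },
];

// Pick the first existing candidate; a page higher on the list stops the search.
function selectLocalDefaults(pages, allowLegacy) {
  for (const c of CANDIDATES) {
    if (!(c.title in pages)) continue; // missing page: fall through to the next one
    if (c.mode === 'legacy' && !allowLegacy) {
      // The bare page exists but lacks editsitejs protection: report, do not run it.
      return { title: c.title, mode: 'refused' };
    }
    return { title: c.title, mode: c.mode };
  }
  return null; // no configuration page at all
}

// Strict JSON parsing for the .json variant. JSON.parse cannot execute code, which
// is why the .json page may be edited by people without editsitejs. Reject anything
// that is not a plain object so a stray scalar or array cannot pose as settings.
function parseJsonDefaults(text) {
  let obj;
  try {
    obj = JSON.parse(text);
  } catch (e) {
    return { ok: false, error: 'invalid JSON' };
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return { ok: false, error: 'not a JSON object' };
  }
  return { ok: true, settings: obj };
}

// Combine the two: decide which page wins and how its content is to be treated.
// For 'javascript' the source is handed back for the caller's script loader
// (not modelled here); for 'refused' nothing is handed back at all.
function loadLocalDefaults(pages, allowLegacy) {
  const choice = selectLocalDefaults(pages, allowLegacy);
  if (choice === null) return { mode: 'none' };
  if (choice.mode === 'json') {
    return { mode: 'json', title: choice.title, ...parseJsonDefaults(pages[choice.title]) };
  }
  if (choice.mode === 'refused') return { mode: 'refused', title: choice.title };
  return { mode: choice.mode, title: choice.title, source: pages[choice.title] };
}

// Constructed sample wiki states (not real page contents).
const wikiWithJson = {
  'MediaWiki:Gadget-HotCat.js/local_defaults.json': '{"exampleSetting": 10}',
  'MediaWiki:Gadget-HotCat.js/local_defaults': 'window.exampleSetting = 10;',
};
const wikiLegacyOnly = {
  'MediaWiki:Gadget-HotCat.js/local_defaults': 'window.exampleSetting = 10;',
};

console.log(loadLocalDefaults(wikiWithJson, false));   // json wins, bare page ignored
console.log(loadLocalDefaults(wikiLegacyOnly, false)); // refused: nothing executed
```

On a wiki that has both the .json page and the bare page, the bare page is never consulted, so an edit to it by someone without editsitejs has no effect; on a wiki that has only the bare page, the loader degrades to reporting the problem rather than executing it once `allowLegacy` is false.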

Small comment: this can be mitigated without changing HotCat’s code ASAP by changing the content model of such pages in every project to JavaScript (as should be done anyway, since it vastly improves their editing).

chasemp triaged this task as Medium priority. Dec 9 2019, 4:49 PM
chasemp added a project: Security-Team.