Page MenuHomePhabricator

Suspicious typeface file names loading on arwiki from Toolforge
Closed, ResolvedPublicSecurity


When testing CentralNotice banners, the stricter Content Security Policy was throwing up a series of warnings.

This relates to series of font files that are being defined here:

And are being pulled in by default to the sites common.css.

The previous characters were removed here with the edit summary ' The line was removed because the system no longer supports links from Tulabs ' (إزالة السطر بسبب أن النظام لم يعد يدعم الروابط القادمة من التولابز). The new fonts were added in in this edit. Both by the same user.

The file names were what looked most suspect to me and I can believe there is a good faith reason for doing this. But loading in any files for an entire site from labs in this way should not be the done thing.

Event Timeline

Jseddon created this task.Nov 27 2020, 3:32 AM
Restricted Application added subscribers: alaa, Aklapper. · View Herald TranscriptNov 27 2020, 3:32 AM
Reedy added a project: Privacy Engineering.
Reedy added a comment.Nov 27 2020, 4:17 AM

Going to make the task public incase of further discussion/communication with the community (no private data etc in this ticket)

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
Reedy changed the edit policy from "Custom Policy" to "All Users".
alaa added a comment.Nov 27 2020, 11:28 AM

Thanks @Reedy & @Jseddon.
If you want I can put a notice on arwiki village pump about this, and ping the user who made those edits (Adding per community request to use on the Mathematical equations).

Reedy added a comment.Nov 27 2020, 3:45 PM

Feel free :)

Nintendofan885 renamed this task from Suspicious typeface file names loading on arwiki from labs to Suspicious typeface file names loading on arwiki from Toolforge.Nov 27 2020, 3:53 PM
alaa added a subscriber: Zack.Nov 27 2020, 5:52 PM
Reedy closed this task as Resolved.Nov 30 2020, 4:21 PM
Reedy claimed this task.