Page MenuHomePhabricator
Create Task
Maniphest T285329

Anyone can display whatever title they want using TemplateStyles
Open, Needs TriagePublicSecurity
Actions

Description

See also T221887. If $wgRestrictDisplayTitle was meant to prevent display titles from being different to the real page title, then it looks like it has become useless as anyone can do this now.

Related Objects

Event Timeline

Sakretsu created this task.Jun 22 2021, 4:33 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 22 2021, 4:33 PM
Aklapper removed projects: Security, Security-Team.Jun 22 2021, 4:39 PM
RhinosF1 set Security to Software security bug.Jun 22 2021, 4:45 PM
RhinosF1 added projects: Security, Security-Team.
RhinosF1 changed the visibility from "Public (No Login Required)" to "Custom Policy".
RhinosF1 changed the subtype of this task from "Task" to "Security Issue".
RhinosF1 subscribed.

Seems like a security issue

RhinosF1 added a comment.Jun 22 2021, 4:45 PM

@Aklapper: This allows circumventing a technical restriction. It should be Security.

Legoktm subscribed.Jun 22 2021, 4:48 PM

I don't think it needs to be private, T221887: Ignore css in displaytitle when $wgRestrictDisplayTitle is enabled is public and explains a different way to bypass $wgRestrictDisplayTitle.

Urbanecm updated the task description. (Show Details)Jun 22 2021, 4:51 PM
Urbanecm updated the task description. (Show Details)
Urbanecm subscribed.
In T285329#7170182, @Legoktm wrote:

I don't think it needs to be private, T221887: Ignore css in displaytitle when $wgRestrictDisplayTitle is enabled is public and explains a different way to bypass $wgRestrictDisplayTitle.

Was going to clear the linked page, but I missed this is already public for quite some time, so I reverted myself. Thanks for noting this.

RhinosF1 added a comment.EditedJun 22 2021, 4:54 PM
In T285329#7170182, @Legoktm wrote:

I don't think it needs to be private, T221887: Ignore css in displaytitle when $wgRestrictDisplayTitle is enabled is public and explains a different way to bypass $wgRestrictDisplayTitle.

I wasn't aware of the other task. I'm not 100% sure of the differences but I trust you to make that call. I always edge on the side of caution with security issues.

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 23 2021, 7:39 AM
Tgr subscribed.Jun 23 2021, 11:09 AM

I think T221887#5171826 applies here as well. Plus, as long as T40848 is not fixed this is kind of moot.

Reedy edited projects, added SecTeam-Processed; removed Security-Team.Jun 28 2021, 3:41 PM
TheresNoTime removed a subscriber: RhinosF1.Dec 15 2022, 11:35 PM
Bugreporter2 awarded a token.Nov 16 2023, 6:06 AM
Bugreporter2 subscribed.Nov 16 2023, 6:35 AM

Is this really a massive 😱 OMG drop everything and panic security issue?

It seems to me that $wgRestrictDisplayTitle=true is a security fix for a problem that is mostly abstract in nature. It's basically saying "we don't trust Wikipedia editors to deal with vandalism" -- except in real life editors routinely deal with vandalism. In the case of vandalism, reacting to real problems is better than trying to prevent them with ideas that don't work. This is how the page move vandalism went from being somewhat of a problem to being only a minor issue.

It's like putting up a gate because that will stop people from getting in. Except you don't have a fence:
https://commons.wikimedia.org/wiki/File:Gates_without_wall.jpg and the gate isn't even locked. Great job guys. 👍🙄

So, why not just set $wgRestrictDisplayTitle=false?

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits