Page MenuHomePhabricator
Create Task
Maniphest T386271

Allowlist for namespaces in uploads should be replaced with allowlist filter
Open, Needs TriagePublic
Actions

Description

Feature summary (what you would like to be able to do and where):

Namespaces in uploaded SVGs are currently checked against a hard-coded list. It would be simpler and easier if there was a Mediawiki: allowlist .

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):

In T383949 I requested the addition of a namespace (used by a tool I'm developing) to the hard-coded allowlist. It would have been easier just to ask Commons admins to add the namespace.

The function checkSvgScriptCallback suggests this in its comments:

/**
 * @todo Replace this with a allow list filter!

Benefits (why should this be implemented?):

It saves updating the code every time someone wants to add a new namespace. This increases the autonomy of extension authors.

Draft patch to follow.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Replace hardcoded list of permitted SVG namespaces with allow listmediawiki/coremaster+5 -44
Customize query in gerrit

Related Objects

Event Timeline

Marnanel created this task.Feb 12 2025, 9:24 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 12 2025, 9:24 PM
Marnanel added a comment.Feb 12 2025, 9:44 PM

Draft patch:

0001-Replace-hardcoded-list-of-permitted-SVG-namespaces-w.patch3 KBDownload

This is the first time I've submitted a patch to MediaWiki, so apologies in advance for errors; I'd appreciate some hand-holding. Where do we keep the defaults?

It might be good to have a central allowlist parsing function, which would ignore comments and so on.

Aklapper added a comment.Feb 12 2025, 10:16 PM

@Marnanel: Thanks for taking a look at the code! You are very welcome to use a Developer Account to submit the proposed code changes as a Git branch directly into Gerrit which makes it easier to review and provide feedback. If you don't want to set up Git/Gerrit, you can also use the Gerrit Patch Uploader. Thanks again!

Marnanel mentioned this in T383949: Add tartan namespace to allow-list.Feb 16 2025, 8:04 PM
gerritbot added a comment.Feb 16 2025, 10:19 PM

Change #1119886 had a related patch set uploaded (by Marnanel; author: Marnanel):

[mediawiki/core@master] Replace hardcoded list of permitted SVG namespaces with allow list

https://gerrit.wikimedia.org/r/1119886

gerritbot added a project: Patch-For-Review.Feb 16 2025, 10:19 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits