GuidedTour adds MW namespace scripts to login page
Closed, Resolved; Public

Description

GuidedTour can add on-wiki tours (which are JavaScript files in the MW namespace) to pages where user JS is not supposed to be allowed.

I have a fix locally, which I'll upload shortly as a patch (I can do a Gerrit draft if that's secure too).


Version: unspecified
Severity: normal

Details

Reference
bz49175

Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 1:50 AM
bzimport set Reference to bz49175.

Created attachment 12467
Patch to fix issue

Hi Matt, Please keep it out of gerrit for now. We'll most likely patch the cluster first, and then put it into gerrit.

I did this during the E3 deployment in the GuidedTour directories.

However, it disappeared, because I forgot to also do a local SECURITY commit bumping the submodule. I checked that it's still deployed, though. So I did the local submodule bump to mediawiki (both directories again), and it should be correct now.

Let me know when we can make this public.

Since our next security release is a couple weeks out, and it's patched on the cluster, it's probably best to just commit it in gerrit and communicate to your users that they should update. I'm not sure how much it's used outside the WMF, so you may not need to do much.

Once it's merged, feel free to close this bug and move it to the MediaWiki Extensions Product so it will be public.