
Special:TemplateSandbox from Extension:TemplateSandbox needs edit token when raw HTML is allowed
Closed, Resolved · Public

Description

Event Timeline

Schnark created this task. Nov 28 2014, 8:15 AM
Schnark raised the priority of this task from to Needs Triage.
Schnark updated the task description.
Schnark changed Security from none to Software security bug.
Schnark added a subscriber: Schnark.
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". Nov 28 2014, 8:15 AM
Restricted Application changed the edit policy from "All Users" to "Custom Policy".

For reference: The issue with Special:ExpandTemplates is T73111.

Anomie claimed this task. Dec 1 2014, 6:52 PM

csteipp triaged this task as High priority. Dec 2 2014, 5:57 PM
csteipp added a project: MediaWiki-Core-Team.

Looks good to me. Let's get this deployed.


Was this already deployed? In other words, can I publish the patch today?


This patch is currently deployed to the cluster in 1.25wmf11 and 1.25wmf12, so it should be good to publish.

Anomie closed this task as Resolved. Dec 17 2014, 10:13 PM
Anomie changed Security from Software security bug to None.
Anomie changed the visibility from "Custom Policy" to "Public (No Login Required)".
Anomie changed the edit policy from "Custom Policy" to "All Users".

Change 180646 merged by jenkins-bot:
Require post with edit token if $wgRawHtml is set

https://gerrit.wikimedia.org/r/180646

Change 180660 had a related patch set uploaded (by Legoktm):
Require post with edit token if $wgRawHtml is set

https://gerrit.wikimedia.org/r/180660


Change 180660 merged by jenkins-bot:
Require post with edit token if $wgRawHtml is set

https://gerrit.wikimedia.org/r/180660

Why was this not backported to REL1_23 or REL1_22?

Had trouble with committing to the right branch and decided that time from disclosure to publication of _any_ fix should be kept as minimal as possible. Thanks for the REL1_23 backport.

Kunal,

Thanks to your patch, I was able to get REL1_22 patched: https://gerrit.wikimedia.org/r/#/c/180787/

> Had trouble with committing to the right branch and decided that time from disclosure to publication of _any_ fix should be kept as minimal as possible.

This makes absolutely no sense. So no fix is preferable to a delayed fix??? This basically screwed over 1.23/1.22 users who, after the bug was publicly disclosed, still had no patch, with absolutely no indication that 1.23/1.22 patches were not ready. So I'm in the middle of upgrading my wikis and then realize that hey, there's no patch!

If you're trying to reduce the time from disclosure to publication, there are many other things you could be doing (prepping patches beforehand, not putting them in git until after the release, not waiting hours for jenkins to -1 patches, etc.) but aren't, so *not* releasing a security fix is completely ridiculous.

> Kunal,
> Thanks to your patch, I was able to get REL1_22 patched: https://gerrit.wikimedia.org/r/#/c/180787/

Thank you.

Isarra added a subscriber: Isarra. Dec 18 2014, 7:14 PM
bd808 moved this task from Done to Archive on the MediaWiki-Core-Team board. Dec 22 2014, 10:45 PM