
Security review of community extensions: Extension:AtomExporter, Extension:DownloadCounter, Extension:PasswordProtected
Closed, Resolved (Public)

Event Timeline

csteipp created this task. Oct 21 2014, 10:54 PM
csteipp updated the task description.
csteipp added a project: Security.
csteipp changed the edit policy from "All Users" to "MediaWiki-Core-Team (Project)".
csteipp changed Security from none to None.
csteipp added a project: MediaWiki-Core-Team.
csteipp added a subscriber: csteipp.
csteipp triaged this task as Low priority. Oct 21 2014, 10:58 PM
demon renamed this task from "Security review of community extensions (per https://www.mediawiki.org/wiki/User_talk:CSteipp_(WMF)#Review_SQL_injection_fixes): Extension:AtomExporter, Extension:DownloadCounter, Extension:PasswordProtected" to "Security review of community extensions: Extension:AtomExporter, Extension:DownloadCounter, Extension:PasswordProtected". Nov 11 2014, 2:38 AM
demon updated the task description.
Krenair added a subscriber: Krenair.

Um, why has editing this been restricted to the WMF MW Core team, Chris? I'm assuming this was accidental because anyone can join that team?

csteipp changed the edit policy from "MediaWiki-Core-Team (Project)" to "All Users". Jan 6 2015, 4:59 PM
csteipp edited projects, added Security-Team; removed Security. May 7 2015, 12:21 AM
Restricted Application added a subscriber: Aklapper. Aug 24 2015, 7:00 PM
Bawolff closed this task as Resolved. Mar 12 2017, 6:02 PM
Bawolff claimed this task.
Bawolff added subscribers: Southparkfan, Bawolff.

@Southparkfan : Do you still want re-review on this?

  • AtomExporter still has XSS issues. The SQL injection is fixed (the SQL isn't following best current practices, but it is no longer vulnerable). The extension, however, is "archived".
  • DownloadCounter looks fine, although the Download.php is a little sketch in terms of exposing file existence via path traversal and didn't follow best practices for escaping (but was not exploitable). Fixed in 31214ed604f324fba3f125bad92f6b313a12d4ca.
  • PasswordProtection is now archived. Prior to the archive, the extension looked rather sketch, but no SQL injections.

I'm going to close this bug. Let me know if you want anything more for this.

sbassett moved this task from Backlog to Done on the Security-Team board. Jun 11 2019, 7:20 PM