@RhinosF1: I've removed the security tag, since from my point of view, this is not a security issue. You are very welcome to submit patches to improve validation, though.
Regarding wpUnicodeCheck: It's quite possible that the extension doesn't work on current versions of MediaWiki. I use it in production (see http://spiele.j-crew.de/wiki/SpieleWiki:Spielwiese), and it works there, but the MediaWiki version there is very ancient. I currently don't have time to update the code and test it with newer versions of MediaWiki. Do you want to take over maintenance of this extension? That would be very welcome :)
Jan 5 2025
Dec 24 2020
Tbleher added a comment to T270767: Wg variables aren't validated by CommentBox - possible raw html insertion risk (CVE-2021-31550).
Dec 23 2020
Tbleher added a comment to T270767: Wg variables aren't validated by CommentBox - possible raw html insertion risk (CVE-2021-31550).
@RhinosF1 What is your threat model? My understanding is that anyone who can modify wg variables via LocalSettings.php has full control over the MediaWiki instance anyway (he/she can execute arbitrary code on the server, and inject arbitrary HTML), so no validation is needed in the extension. Now, I haven't been active in the MediaWiki community for a while, so my understanding might be outdated - if yes, please correct me :)
I would of course accept patches to e.g. check that the variables are proper integers (which is nice for catching errors), but so far I don't see this as a security problem.
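The kind of check offered in the comment above, written out as an added example (this is not the CommentBox extension's own code, and the setting names `$wgCommentBoxExampleRows` / `$wgCommentBoxExampleCols` and their ranges are hypothetical): each integer setting read from LocalSettings.php is validated at load time, so a typo or a stray non-numeric value is reported as a configuration error instead of silently reaching the generated HTML.

```php
<?php
// Added example, not code from the CommentBox extension. Hypothetical
// load-time validation of integer $wg settings; names and ranges are
// assumptions chosen for illustration.

/**
 * Validate that a configuration value is an integer within [$min, $max].
 * Returns the value as an int, or throws so the misconfiguration is
 * reported when the wiki loads rather than when a page is rendered.
 */
function validateIntSetting( string $name, $value, int $min, int $max ): int {
    // FILTER_VALIDATE_INT accepts ints and integer-looking strings only;
    // it rejects values such as "40 rows", "5<b>", 3.5, true and null.
    $checked = filter_var( $value, FILTER_VALIDATE_INT, [
        'options' => [ 'min_range' => $min, 'max_range' => $max ],
    ] );
    if ( $checked === false ) {
        throw new InvalidArgumentException(
            "\$$name must be an integer between $min and $max, got "
            . var_export( $value, true )
        );
    }
    return $checked;
}

// Hypothetical settings an administrator might override in LocalSettings.php,
// with constructed defaults used when they are not set.
$settings = [
    'wgCommentBoxExampleRows' => [ 'value' => $wgCommentBoxExampleRows ?? 8,  'min' => 1,  'max' => 100 ],
    'wgCommentBoxExampleCols' => [ 'value' => $wgCommentBoxExampleCols ?? 60, 'min' => 10, 'max' => 200 ],
];

$validated = [];
foreach ( $settings as $name => $spec ) {
    $validated[$name] = validateIntSetting( $name, $spec['value'], $spec['min'], $spec['max'] );
}

// The validated values are ints, so interpolating them into an attribute
// cannot introduce markup; escaping is kept anyway so every attribute on
// the form is built the same way.
$html = '<textarea rows="' . htmlspecialchars( (string)$validated['wgCommentBoxExampleRows'] ) . '"'
    . ' cols="' . htmlspecialchars( (string)$validated['wgCommentBoxExampleCols'] ) . '"></textarea>';
```

As the comment notes, a check like this is a robustness measure for catching admin errors: whoever can edit LocalSettings.php already runs code on the server, so the validation does not create a trust boundary, it only makes a misconfiguration fail loudly and early.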