I work on the MediaWiki Security Team.
I just tried firstname.lastname@example.org, and it does not appear that email forwards to email@example.com, so we should do that too.
It's unlikely this is an XSS.
Mon, Dec 11
So yes, this sounds sane to me (with the caveat that I haven't looked at the multimedia code in a while). Some comments:
OK, so when I do wikitext
`==A== ==B== ==C== ==D== ===D1=== ====D11=== ===D2===`
Speaking just for myself and not the team, I think such a thing makes sense. Not exactly what I'd call a high priority concern, but some reporters like being paranoid, and we should do everything we can to make people feel comfortable reporting security issues to us.
OK, let's call it mediawiki/phan-taint-check-plugin. (Although after this, I'd like to just stick to the name.)
Sun, Dec 10
Fixed as part of T119158
From my perspective, I don't believe that inline styles should be banned as part of CSP. The security benefits (which are very low, mostly around preventing data exfiltration) are not worth the user inconvenience.
Inserting headers just because some website says so is silly; they should be investigated individually on their merits. Most of these have other bugs; the main one to investigate is X-XSS-Protection, which I filed as T182535.
As an aside, T141670 is also basically about this issue.
Making public; I don't see any way to exploit this.
Sat, Dec 9
Imported in gci as https://codein.withgoogle.com/dashboard/tasks/4879638591438848/
It was broken by 0beaa51bb1030; I fixed the enwikinews one: https://en.wikinews.org/w/index.php?title=MediaWiki%3ATicker2.js&type=revision&diff=4369358&oldid=2804555 . Local admins, or some global editinterface person, could fix the other ones if they so desire :)
Regular audits will take some work to get set up.
Well, it may make sense to re-audit the list. This bug is really old, so if we were to do that, we would probably have to start from scratch anyway.
SecurityCheckPlugin is a super uninspired name, so I'm totally fine naming it something else. Naming things is hard :)
Fri, Dec 8
It's your computer. The plugin only supports exactly PHP 7.0 (not PHP 7.1). And it needs the ast extension, which you may have to install separately.
Note that vito made the original complaint, so he might be a better person to ask for acceptance criteria.
Hmm, I don't know if it's entirely a CI thing, because it's a project in itself, and not exclusively for WMF CI.
Allowing arbitrary complex queries does not seem appropriate as a MediaWiki core interface. Most people won't want their site potentially DoSed.
Removed the Patch-For-Review tag, as that change isn't for this bug.
Status update for the Wikipedians: We will go back to the old textbox on Monday.
Did anyone bother to test this? This is borderline unusable. Screen size is 1920x1080.
Thu, Dec 7
Maybe it's time we had a discussion about IEContentAnalyzer. IE6 is very rarely used nowadays. You can't even connect to Wikimedia sites with it without a proxy (due to lack of TLS 1.0).
I'll probably send out a wikitech-l email on Monday encouraging people to test and give feedback.
This is done now. https://packagist.org/packages/wikimedia/security-check-plugin
variant is sort of like a sublanguage. It's only used in certain languages such as Serbian or Chinese, usually when there are multiple writing systems (e.g. Latin vs. Cyrillic for Serbian, traditional vs. simplified for Chinese).
Wed, Dec 6
While skin is not super sensitive, it is still something that MW keeps secret, and hence something I don't think we should show.