
Tbleher (Thomas Bleher)
User

User Details

User Since
Nov 15 2014, 1:25 PM (342 w, 6 d)
Availability
Available
LDAP User
Unknown
MediaWiki User
Tbleher [ Global Accounts ]

Recent Activity

Dec 24 2020

Tbleher added a comment to T270767: Wg variables aren't validated by CommentBox - possible raw html insertion risk (CVE-2021-31550).

@RhinosF1: I've removed the security tag, since from my point of view, this is not a security issue. You are very welcome to submit patches to improve validation, though.
Regarding wpUnicodeCheck: It's quite possible that the extension doesn't work on current versions of MediaWiki. I use it in production (see http://spiele.j-crew.de/wiki/SpieleWiki:Spielwiese), and it works there, but the MediaWiki version there is very ancient. I currently don't have time to update the code and test it with newer versions of MediaWiki. Do you want to take over maintenance of this extension? That would be very welcome :)

Dec 24 2020, 1:23 PM · Vuln-XSS, MediaWiki-extensions-Commentbox, User-RhinosF1
Tbleher triaged T270767: Wg variables aren't validated by CommentBox - possible raw html insertion risk (CVE-2021-31550) as Low priority.
Dec 24 2020, 1:14 PM · Vuln-XSS, MediaWiki-extensions-Commentbox, User-RhinosF1
Tbleher removed a project from T270767: Wg variables aren't validated by CommentBox - possible raw html insertion risk (CVE-2021-31550): Security.
Dec 24 2020, 1:14 PM · Vuln-XSS, MediaWiki-extensions-Commentbox, User-RhinosF1

Dec 23 2020

Tbleher added a comment to T270767: Wg variables aren't validated by CommentBox - possible raw html insertion risk (CVE-2021-31550).

@RhinosF1 What is your threat model? My understanding is that anyone who can modify wg variables via LocalSettings.php has full control over the MediaWiki instance anyway (he/she can execute arbitrary code on the server, and inject arbitrary HTML), so no validation is needed in the extension. Now, I haven't been active in the MediaWiki community for a while, so my understanding might be outdated - if yes, please correct me :)
I would of course accept patches to e.g. check that the variables are proper integers (which is nice for catching errors), but so far I don't see this as a security problem.

Dec 23 2020, 9:24 PM · Vuln-XSS, MediaWiki-extensions-Commentbox, User-RhinosF1

Mar 11 2015

Gerrit Code Review <gerrit@wikimedia.org> committed rMEXT41f0fc7020c6: Updated mediawiki/extensions Project: mediawiki/extensions/DumpHTML… (authored by Tbleher).
Mar 11 2015, 5:03 AM

Dec 10 2014

Tbleher committed rEANDa99d66025468: Various whitespace fixes (authored by Tbleher).
Dec 10 2014, 7:03 PM
Tbleher committed rEHIEa595a8040b87: A few trivial changes: * Update some URLs (pages moved from meta to mw.org) *… (authored by Tbleher).
Dec 10 2014, 6:55 PM
Tbleher committed rEHIEe5ef9fc83867: Various whitespace fixes (authored by Tbleher).
Dec 10 2014, 6:55 PM
Tbleher committed rEWLDe2d825f42181: Various whitespace fixes (authored by Tbleher).
Dec 10 2014, 6:41 PM
Tbleher committed rEWLDb171c3f2ad7d: Find and fix places where globals were being used without declaring them. (authored by Tbleher).
Dec 10 2014, 6:41 PM
Tbleher committed rETRA8599f9b20960: Find and fix places where globals were being used without declaring them. (authored by Tbleher).
Dec 10 2014, 6:24 PM
Tbleher committed rESPCaf8c7224de14: Use ParserFirstCallInit hook to avoid unstubbing the parser unnecessarily (authored by Tbleher).
Dec 10 2014, 6:15 PM
Tbleher committed rESMW1da92a923c20: A few trivial changes: * Update some URLs (pages moved from meta to mw.org) *… (authored by Tbleher).
Dec 10 2014, 6:03 PM
Tbleher committed rESMW1022ceabf5f0: Fix some places where globals were used without being declared as being global. (authored by Tbleher).
Dec 10 2014, 6:03 PM
Tbleher committed rESMWc15439989963: Make the regexp for parsing semantic links more readable, by utilizing the //x… (authored by Tbleher).
Dec 10 2014, 6:03 PM
Tbleher committed rESDD39f2eaab7eef: Various whitespace fixes (authored by Tbleher).
Dec 10 2014, 5:55 PM
Tbleher committed rEPRPbbcdaf240f96: Security fix: escape all URLs, as they are written directly into the HTML of… (authored by Tbleher).
Dec 10 2014, 5:44 PM
Tbleher committed rEPRPc9155075ce1c: ProofreadPage: Make sure that the size calculation works with more browsers… (authored by Tbleher).
Dec 10 2014, 5:44 PM
Tbleher committed rEPRPb383512ce482: Make mouse zooming work with Konqueror (authored by Tbleher).
Dec 10 2014, 5:44 PM
Tbleher committed rEPRPdeebc41d1670: Fix all Firefox Javascript warnings and errors; declare all variables… (authored by Tbleher).
Dec 10 2014, 5:44 PM
Tbleher committed rEPHD0bb4efcb80c8: PdfHandler fixes: * require PHP 5.1.3 (for SimpleXMLElement::addChild()) *… (authored by Tbleher).
Dec 10 2014, 5:40 PM
Tbleher committed rEOVS4c244c2a5daa: Various whitespace fixes (authored by Tbleher).
Dec 10 2014, 5:34 PM
Tbleher committed rEMUP9c3022635ace: Find and fix places where globals were being used without declaring them. (authored by Tbleher).
Dec 10 2014, 5:18 PM
Tbleher committed rELDAfb453dcdc32d: Fix some places where globals were used without being declared as being global. (authored by Tbleher).
Dec 10 2014, 5:03 PM
Tbleher committed rELST8e7df4055f58: Fix bug 13024: Localized tags do not work with new parser (authored by Tbleher).
Dec 10 2014, 5:02 PM
Tbleher committed rEIMTa9af363500aa: Fix indentation (authored by Tbleher).
Dec 10 2014, 4:59 PM
Tbleher committed rEFIR8599f9b20960: Find and fix places where globals were being used without declaring them. (authored by Tbleher).
Dec 10 2014, 4:32 PM
Tbleher committed rEFLRded82e3ed373: Find and fix places where globals were being used without declaring them. (authored by Tbleher).
Dec 10 2014, 4:28 PM
Tbleher committed rEDUP0be8e0bbd663: Various whitespace fixes (authored by Tbleher).
Dec 10 2014, 4:01 PM
Tbleher committed rEDHTdd186512f8ce: Fix a few DumpHTML issues: (authored by Tbleher).
Dec 10 2014, 4:01 PM
Tbleher committed rEDHT68059bed7129: Followup r82577: Only generate talk page links on content pages (authored by Tbleher).
Dec 10 2014, 4:01 PM
Tbleher committed rEDHT3ed01c7744b4: DumpHTML: Set title object properly in $wgOut and $sk (authored by Tbleher).
Dec 10 2014, 4:01 PM
Tbleher committed rECMB09b24875ecae: Replace deprecated Title::escapeFullURL call (authored by Umherirrender).
Dec 10 2014, 3:52 PM
Tbleher committed rECMB5bb3f0334dd1: Fix bug where Commentbox was only displayed on purged pages, not on normal page… (authored by Tbleher).
Dec 10 2014, 3:51 PM
Tbleher committed rECMBd7da6152edbd: Add initial version of Commentbox extension (authored by Tbleher).
Dec 10 2014, 3:51 PM

Dec 4 2014

Tbleher committed rUSERINFO615c0c220498: Add myself to USERINFO. (authored by Tbleher).
Dec 4 2014, 7:21 PM