User Details
- User Since
- Nov 15 2014, 1:25 PM (487 w, 2 d)
- MediaWiki User
- Tbleher
Dec 24 2020
@RhinosF1: I've removed the security tag, since from my point of view, this is not a security issue. You are very welcome to submit patches to improve validation, though.
Regarding wpUnicodeCheck: It's quite possible that the extension doesn't work on current versions of MediaWiki. I use it in production (see http://spiele.j-crew.de/wiki/SpieleWiki:Spielwiese), and it works there, but the MediaWiki version there is very ancient. I currently don't have time to update the code and test it with newer versions of MediaWiki. Do you want to take over maintenance of this extension? That would be very welcome :)
Dec 23 2020
@RhinosF1 What is your threat model? My understanding is that anyone who can modify wg variables via LocalSettings.php has full control over the MediaWiki instance anyway (he/she can execute arbitrary code on the server, and inject arbitrary HTML), so no validation is needed in the extension. Now, I haven't been active in the MediaWiki community for a while, so my understanding might be outdated - if yes, please correct me :)
I would of course accept patches to e.g. check that the variables are proper integers (which is nice for catching errors), but so far I don't see this as a security problem.