mgebert
User

Projects

User does not belong to any projects.

User Details

User Since
Jun 27 2016, 7:02 PM (230 w, 1 d)
Availability
Available
LDAP User
Unknown
MediaWiki User
Markus Gebert

Recent Activity

Thu, Nov 5

Vedmaka awarded T138783: SVG Upload should (optionally) allow the xhtml namespace a Like token.
Thu, Nov 5, 2:17 PM · Security-Team, Wikimedia-SVG-rendering, Multimedia, MediaWiki-Uploading

Jun 30 2016

mgebert added a comment to T138783: SVG Upload should (optionally) allow the xhtml namespace.

We seem to have a couple of sub-issues here:

Sanitization options:

  • always passing a safe subset of XHTML as foreign objects through the validator
  • allowing sites to configure the SVG sanitizer to pass a believed-safe subset of embedded XHTML
  • allowing sites to configure the SVG sanitizer to allow *any* XHTML through (unsafe for untrusted users)
Jun 30 2016, 11:03 PM · Security-Team, Wikimedia-SVG-rendering, Multimedia, MediaWiki-Uploading
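
The three sanitization options listed in the comment above, as an added illustration (this is not code from the task, from draw.io, or from MediaWiki's own SVG handling): a small policy-driven check that parses an SVG upload, finds every element in the XHTML namespace, and either rejects it, allows only a configured safe subset with no event-handler attributes, or lets it through. The mode names, the safe-subset list, the attribute rule and the sample documents are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Modes mirroring the three options in the comment above (names assumed).
REJECT_ALL = "reject"    # any XHTML foreign content fails validation
SAFE_SUBSET = "subset"   # only a configured subset of XHTML passes
ALLOW_ALL = "allow"      # everything passes: only for fully trusted uploaders

# Assumed safe subset: text-formatting elements only (no script, iframe,
# object, form, ...), and no on* event attributes on any of them.
DEFAULT_SAFE_XHTML = frozenset({"div", "span", "p", "b", "i", "br"})

# Constructed samples: a draw.io-style label and a hostile foreignObject.
SAFE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
            'xmlns:x="http://www.w3.org/1999/xhtml"><foreignObject>'
            '<x:div><x:span>label</x:span></x:div></foreignObject></svg>')
UNSAFE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
              'xmlns:x="http://www.w3.org/1999/xhtml"><foreignObject>'
              '<x:div onclick="f()"><x:iframe src="x"/></x:div>'
              '</foreignObject></svg>')


def _split(tag):
    """Return (namespace, local name) for an ElementTree tag or attribute."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def check_svg(svg_text, mode=REJECT_ALL, safe_subset=DEFAULT_SAFE_XHTML):
    """Return the list of reasons the SVG would be rejected; empty means OK."""
    # For untrusted uploads parse with defusedxml instead of the stdlib parser.
    root = ET.fromstring(svg_text)
    problems = []
    for elem in root.iter():  # document order, root included
        ns, local = _split(elem.tag)
        if ns != XHTML_NS:
            continue
        if mode == REJECT_ALL:
            problems.append(f"xhtml:{local} not allowed")
        elif mode == SAFE_SUBSET:
            if local not in safe_subset:
                problems.append(f"xhtml:{local} outside safe subset")
            for attr in elem.attrib:
                if _split(attr)[1].lower().startswith("on"):
                    problems.append(f"event attribute {attr} on xhtml:{local}")
        # ALLOW_ALL: nothing is checked, which is why it is unsafe.
    return problems
```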
mgebert added a comment to T138783: SVG Upload should (optionally) allow the xhtml namespace.

We could write a draw.io plugin (that you'd invoke as a URL parameter when calling draw) when using draw in embed mode. That could switch off all UI functionality that causes HTML labels to be created, like word wrapping. That would then produce output with no FO sections. That doesn't solve the case of a user taking output from the online site, though, and restricts an important piece of functionality.

Jun 30 2016, 10:49 AM · Security-Team, Wikimedia-SVG-rendering, Multimedia, MediaWiki-Uploading

Jun 29 2016

mgebert added a comment to T138783: SVG Upload should (optionally) allow the xhtml namespace.

Just FYI: I've opened a request at draw.io's support site and asked them to join this discussion. The ticket itself is private so I can't provide a link, but I'll keep you posted.

Jun 29 2016, 10:24 PM · Security-Team, Wikimedia-SVG-rendering, Multimedia, MediaWiki-Uploading
mgebert added a comment to T138783: SVG Upload should (optionally) allow the xhtml namespace.

@RobLa-WMF, I completely understand that you're having security concerns, although I think they're only valid for wiki installations with untrusted users. In a closed setup where only trusted people can upload, these concerns may be a minimal risk or even a non-issue, and the minimal checks you currently do (i.e. no iframe) may be more than good enough.

Wikimedia developers can't (and shouldn't) spend a lot of their time making features that work when everyone trusts each other. We spend a lot of time cleaning up messes created by naive developers that assume trust levels they shouldn't. Sometimes the "naive developer" is "a seasoned developer several years ago before they learned a few things the hard way" ;-)

Jun 29 2016, 9:57 PM · Security-Team, Wikimedia-SVG-rendering, Multimedia, MediaWiki-Uploading
mgebert added a comment to T138783: SVG Upload should (optionally) allow the xhtml namespace.

@RobLa-WMF, I completely understand that you're having security concerns, although I think they're only valid for wiki installations with untrusted users. In a closed setup where only trusted people can upload, these concerns may be a minimal risk or even a non-issue, and the minimal checks you currently do (i.e. no iframe) may be more than good enough. In fact, I originally created the extension for such an environment.

Jun 29 2016, 2:04 PM · Security-Team, Wikimedia-SVG-rendering, Multimedia, MediaWiki-Uploading

Jun 27 2016

mgebert created T138783: SVG Upload should (optionally) allow the xhtml namespace.
Jun 27 2016, 8:15 PM · Security-Team, Wikimedia-SVG-rendering, Multimedia, MediaWiki-Uploading