On Tuesday, February 3, 2015 at 10:24 AM, Brion Vibber wrote:
Special page inclusions shouldn't be able to do anything privileged;
they're meant for public data. If that's not being enforced right now I'd
recommend reworking or killing the special page inclusion system...
Ok, although Brion's
On Fri, Jan 30, 2015 at 4:04 PM, Brion Vibber bvib...@wikimedia.org wrote:
On Fri, Jan 30, 2015 at 12:11 PM, Jackmcbarn jackmcb...@gmail.com wrote:
On Fri, Jan 30, 2015 at 2:02 PM, Brion Vibber bvib...@wikimedia.org wrote:
I'd be inclined to unstrip the marker *and squash HTML to
On Friday, January 30, 2015 at 1:04 PM, Brion Vibber wrote:
On Fri, Jan 30, 2015 at 12:11 PM, Jackmcbarn jackmcb...@gmail.com wrote:
On Fri, Jan 30, 2015 at 2:02 PM, Brion Vibber bvib...@wikimedia.org wrote:
On Thu,
Special page inclusions shouldn't be able to do anything privileged;
they're meant for public data. If that's not being enforced right now I'd
recommend reworking or killing the special page inclusion system...
-- brion
On Feb 3, 2015 10:11 AM, Brad Jorsch (Anomie) bjor...@wikimedia.org wrote:
On Fri, Jan 30, 2015 at 12:11 PM, Jackmcbarn jackmcb...@gmail.com wrote:
On Fri, Jan 30, 2015 at 2:02 PM, Brion Vibber bvib...@wikimedia.org wrote:
On Thu, Jan 29, 2015 at 5:38 PM, Brad Jorsch (Anomie) bjor...@wikimedia.org wrote:
On Thu, Jan 29, 2015 at 2:47 PM, Arlo Breault
On Thu, Jan 29, 2015 at 5:38 PM, Brad Jorsch (Anomie) bjor...@wikimedia.org wrote:
4. Remove the marker. This loses whatever is inside the marker.
5. Just output an error, to make it obvious something stupid is going on.
Failing loud and early is generally a good idea, but if we don't want
On Thu, Jan 29, 2015 at 5:38 PM, Brad Jorsch (Anomie) bjor...@wikimedia.org wrote:
On Thu, Jan 29, 2015 at 2:47 PM, Arlo Breault abrea...@wikimedia.org wrote:
https://gerrit.wikimedia.org/r/#/c/181519/
To clarify, the possible solutions seem to be:
1. Unstrip the marker and then encode
On Fri, Jan 30, 2015 at 2:02 PM, Brion Vibber bvib...@wikimedia.org wrote:
On Thu, Jan 29, 2015 at 5:38 PM, Brad Jorsch (Anomie) bjor...@wikimedia.org wrote:
On Thu, Jan 29, 2015 at 2:47 PM, Arlo Breault abrea...@wikimedia.org wrote:
https://gerrit.wikimedia.org/r/#/c/181519/
Currently, while {{urlencod}}ing, content in strip markers is skipped.
I believe this violates the expectation that the entire output
will be properly escaped to be placed in a sensitive context.
An example is in the infobox book caption on,
https://en.wikipedia.org/wiki/%22F%22_Is_for_Fugitive
On Thu, Jan 29, 2015 at 2:47 PM, Arlo Breault abrea...@wikimedia.org wrote:
There's a brief discussion of the security implications of
some proposed solutions in the review of,
https://gerrit.wikimedia.org/r/#/c/181519/
To clarify, the possible solutions seem to be:
1. Unstrip the marker