[Bug 24199] DynamicPageList2 has security issues
https://bugzilla.wikimedia.org/show_bug.cgi?id=24199

Andre Klapper changed:
  Status: NEW -> RESOLVED
  Resolution: --- -> FIXED

--- Comment #15 from Andre Klapper ---
Yes. :)

--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
___
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
--- Comment #14 from Bawolff (Brian Wolff) ---
> *The ordercollation option does not seem to be escaped when put in the sql...

Actually I didn't double check that issue was actually fixed when I briefly looked through the code several months ago (not saying it isn't fixed, I just haven't checked).
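The unchecked "ordercollation" option that comment #14 recalls is an SQL identifier problem rather than a string-quoting one: a collation name, like a column name, cannot be passed as a bound query parameter, so the defence is to accept only values from a fixed list before they reach the query text. The PHP below is an added example, not code from the DynamicPageList2 extension or from this thread; the column and collation lists, the function names and the sample inputs are hypothetical.

```php
<?php
// Added example, not the extension's code. Shows the concatenation pattern
// comment #14 describes beside an allowlist check for the same identifiers.
// The allowlists, function names and sample inputs are hypothetical.

/** Pattern from the bug: the option goes straight into the query text. */
function buildOrderByUnsafe( string $column, string $collation ): string {
    return "ORDER BY $column COLLATE $collation";
}

/** Allowlists: the only identifiers this feature is meant to accept. */
const ALLOWED_ORDER_COLUMNS = [ 'page_title', 'page_id', 'page_touched' ];
const ALLOWED_COLLATIONS    = [ 'utf8_general_ci', 'utf8_bin', 'latin1_swedish_ci' ];

/**
 * Hardened pattern: both identifiers are compared strictly against their
 * allowlist and anything else is rejected. The query text is assembled only
 * from allowlisted strings, never from the user-supplied value itself.
 */
function buildOrderBySafe( string $column, string $collation ): string {
    if ( !in_array( $column, ALLOWED_ORDER_COLUMNS, true ) ) {
        throw new InvalidArgumentException( "Unknown sort column: $column" );
    }
    if ( !in_array( $collation, ALLOWED_COLLATIONS, true ) ) {
        throw new InvalidArgumentException( "Unknown collation: $collation" );
    }
    return "ORDER BY $column COLLATE $collation";
}

// Constructed inputs: a valid collation name and one carrying SQL punctuation.
foreach ( [ 'utf8_bin', 'utf8_bin; -- ' ] as $input ) {
    echo "unsafe: ", buildOrderByUnsafe( 'page_title', $input ), "\n";
    try {
        echo "safe:   ", buildOrderBySafe( 'page_title', $input ), "\n";
    } catch ( InvalidArgumentException $e ) {
        echo "safe:   rejected (", $e->getMessage(), ")\n";
    }
}
```

MediaWiki's database layer can quote identifiers (`addIdentifierQuotes()`), but quoting an arbitrary collation name does not make it a valid one; the allowlist both blocks injected syntax and keeps the rest of the query static, and the rejection is the event worth logging when auditing an old install.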
--- Comment #13 from Bawolff (Brian Wolff) ---
(In reply to comment #11)
> Version 2.01 claims it "resolves all former security_issues"
>
> Is this correct?
>
> (And does it work with MW 1.20.2?)
>
> Cheers

It resolved the known issues as far as I know. Nobody has exactly done a security audit on the extension, but the old issues that were reported have been fixed. With that in mind, this bug could probably be closed as fixed.
--- Comment #12 from jon_w...@hotmail.co.uk ---
I should add that it is the extension called "Extension:DynamicPageList (third-party)" which makes this claim - I understand that DPL2 (the category on bugzilla) is the old name for this.

URL: http://www.mediawiki.org/wiki/Extension:DynamicPageList_(third-party)
jon_w...@hotmail.co.uk changed:
  CC: added jon_w...@hotmail.co.uk

--- Comment #11 from jon_w...@hotmail.co.uk ---
Version 2.01 claims it "resolves all former security_issues"

Is this correct?

(And does it work with MW 1.20.2?)

Cheers
--- Comment #10 from Bawolff 2012-08-08 12:09:10 UTC ---
(In reply to comment #9)
> (In reply to comment #8)
> > I do not want to publicly disclose the
> > exploit.
>
> Please file a bug under the "Security" product about that so it's private and
> only visible to our security group.

Note, it's not exactly secret that there are open XSS issues with this extension. They are very obvious when you look at the code (hence the giant notice on the extension description page). I somewhat doubt the "Security" group plans to rewrite the entire extension.

--
Configure bugmail: https://bugzilla.wikimedia.org/userprefs.cgi?tab=email
--- Comment #9 from p858snake 2012-08-08 07:01:10 UTC ---
(In reply to comment #8)
> I do not want to publicly disclose the
> exploit.

Please file a bug under the "Security" product about that so it's private and only visible to our security group.
Jan Schejbal changed:
  Priority: Low -> Normal
  CC: added jan-bugrep...@gmx.de
  Severity: enhancement -> critical

--- Comment #8 from Jan Schejbal 2012-08-08 00:34:12 UTC ---
I was able to perform XSS on revision 72454 and have no reason to believe this wouldn't work with current versions. I do not want to publicly disclose the exploit.

That $wgRawHtml hack really needs to go away. Setting such a global variable and never changing it back (!) sounds like a great way to cause nasty security issues everywhere.

I have set severity=critical, priority=normal, please correct it if that was wrong.
--- Comment #7 from mediaw...@kghoffmeyer.de 2010-08-23 21:34:49 UTC ---
(In reply to comment #5)
> Not sure how you came to that conclusion. A lot of people out there use
> $wgRawHtml for one reason or another. Perhaps in an ideal world they would have
> found a more secure way to do whatever they wanted to do, but if it doesn't
> exist or they can't figure out how to get it working, this is a mechanism for
> them to achieve their goal. They are warned of the potential consequences and
> offered other options where available.

EC I have to admit that I was a bit provocative with my reply. I just was not sure what to think about this from what I read. Now it is clear. Thank you for your reply.
--- Comment #6 from Bawolff 2010-08-23 21:33:09 UTC ---
(In reply to comment #4)
> Ah, I see. Thanks for your information. Shouldn't this be worth a bug
> requesting the deprecation of $wgRawHtml since there seems to be a consensus
> on this?

(Note: I'm not someone of importance, so my opinion doesn't matter, but...) $wgRawHtml does what it's supposed to (allow normal editors to add sections). I do not believe it was ever supposed to be set by extensions (there are other ways for extensions to output HTML), and its functionality has not changed.
Laurence 'GreenReaper' Parry changed:
  CC: added greenrea...@hotmail.com

--- Comment #5 from Laurence 'GreenReaper' Parry 2010-08-23 21:27:21 UTC ---
> Shouldn't this be worth a bug requesting the deprecation of $wgRawHtml
> since there seems to be a consensus on this?

Not sure how you came to that conclusion. A lot of people out there use $wgRawHtml for one reason or another. Perhaps in an ideal world they would have found a more secure way to do whatever they wanted to do, but if it doesn't exist or they can't figure out how to get it working, this is a mechanism for them to achieve their goal. They are warned of the potential consequences and offered other options where available.
--- Comment #4 from mediaw...@kghoffmeyer.de 2010-08-23 21:14:38 UTC ---
(In reply to comment #3)
> It changed at which point the variable was looked at (it's looked at when the
> parser is initialized, not at parse time), so extensions abusing it in certain
> ways stopped working. I think this change happened at r61913.
>
> Personally I think extensions messing with it seems like an inherently bad
> idea, and I can't think of one good reason that an extension should set it.

Ah, I see. Thanks for your information. Shouldn't this be worth a bug requesting the deprecation of $wgRawHtml since there seems to be a consensus on this?
--- Comment #3 from Bawolff 2010-08-21 18:55:18 UTC ---
(In reply to comment #2)
> It seems as if something happened to $wgRawHtml in MW 1.16.0. Either it is now
> deprecated or it is broken, since extensions using it (true) do not work any
> longer. In the first case Manual:$wgRawHtml should be updated; in the latter a
> new bug should be filed. However, the release notes of MW 1.16.0 do not mention
> $wgRawHtml. Still I am not aware what happened exactly.

It changed at which point the variable was looked at (it's looked at when the parser is initialized, not at parse time), so extensions abusing it in certain ways stopped working. I think this change happened at r61913.

Personally I think extensions messing with it seems like an inherently bad idea, and I can't think of one good reason that an extension should set it.
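Comments #3 and #8 between them describe the two problems with an extension flipping $wgRawHtml: the parser reads the setting once at initialisation, so a later flip does not reliably do what the extension wanted, and because the global is never restored it enables raw HTML for every editor on every page parsed afterwards. The PHP below is an added example, not code from the extension or from anyone in this thread; it shows the sanctioned alternative comment #6 alludes to, returning already-escaped HTML from the extension's own tag hook. The tag name "dpl", the callback name and the sample input are hypothetical.

```php
<?php
// Added example, not the extension's code. The anti-pattern from the bug is
// shown as a comment only; the function below is the kind of tag hook an
// extension returns HTML from instead. Tag name, callback and inputs are
// hypothetical.

// Anti-pattern from the bug (not executed): a wiki-wide switch flipped at
// extension load time and never set back to false.
//   $wgRawHtml = true;

/**
 * Tag hook body. MediaWiki calls tag hooks with the tag contents and the
 * tag's attributes (plus the Parser and frame, which this example ignores)
 * and inserts the returned string into the page as HTML, so the hook itself
 * is responsible for escaping. In a real extension it is registered from the
 * ParserFirstCallInit hook with:
 *   $parser->setHook( 'dpl', 'renderDplTag' );
 */
function renderDplTag( $input, array $args ) {
    // Every line of the tag body is wiki-supplied text, never markup.
    $lines = array_filter( array_map( 'trim', explode( "\n", (string)$input ) ), 'strlen' );
    // Attribute values are wiki-supplied too; only a known attribute is read.
    $class = isset( $args['class'] ) ? (string)$args['class'] : 'dpl-list';

    $items = '';
    foreach ( $lines as $line ) {
        $items .= '<li>' . htmlspecialchars( $line, ENT_QUOTES, 'UTF-8' ) . '</li>';
    }
    return '<ul class="' . htmlspecialchars( $class, ENT_QUOTES, 'UTF-8' ) . '">'
        . $items . '</ul>';
}

// Constructed input for a stand-alone run: a body line and an attribute value
// that contain markup characters. Both come out as text, not as tags or
// attributes, and nothing wiki-wide has been changed.
echo renderDplTag( "Main Page\n<b>Not bold</b>\n", [ 'class' => 'list" title="x' ] ), "\n";
```

Inside MediaWiki the `Html::element()` and `Html::rawElement()` helpers do the same escaping with less ceremony, and a parser function can return its output with the `'isHTML' => true` flag; in every case the HTML travels through the hook's return value and the global configuration is left alone. When auditing an extension, a `$wgRawHtml` assignment anywhere outside LocalSettings.php is the thing to search for.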
mediaw...@kghoffmeyer.de changed:
  CC: added mediaw...@kghoffmeyer.de

--- Comment #2 from mediaw...@kghoffmeyer.de 2010-08-20 21:54:40 UTC ---
It seems as if something happened to $wgRawHtml in MW 1.16.0. Either it is now deprecated or it is broken, since extensions using it (true) do not work any longer. In the first case Manual:$wgRawHtml should be updated; in the latter a new bug should be filed. However, the release notes of MW 1.16.0 do not mention $wgRawHtml. Still I am not aware what happened exactly.
p858snake changed:
  CC: added p858sn...@yahoo.com.au

--- Comment #1 from p858snake 2010-07-01 05:53:38 UTC ---
Could we perhaps merge the two DPLs together, and bring over whatever is missing from the WMF in a sane manner, then just disable those functions by default?