Re: [MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

2016-10-30 Thread Brian Wolff
On Sun, Oct 30, 2016 at 10:25 PM, Dr. Michael Bonert wrote: > Thanks for all the comments Bawolff and Daniel! > > They have confirmed the suspicion I had: using the 'Widget' extension is a > way to insert something into MediaWiki... but it puts a hole into the > security framework-- especially if

Re: [MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

2016-10-30 Thread Dr. Michael Bonert
Thanks for all the comments Bawolff and Daniel! They have confirmed the suspicion I had: using the 'Widget' extension is a way to insert something into MediaWiki... but it puts a hole into the security framework-- especially if you are passing parameters to the Widget. Broadly speaking,

Re: [MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

2016-10-29 Thread Daniel Friesen
On 2016-10-29 5:30 PM, Brian Wolff wrote: > On Saturday, October 29, 2016, Daniel Friesen > wrote: >> And then there is $image. urlpathinfo doesn't escape quotes, >> backslashes, or . >> > It's hard to find docs on what urlpathinfo actually does (talk about a red > flag for a security mechanism...)

Re: [MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

2016-10-29 Thread Brian Wolff
On Saturday, October 29, 2016, Daniel Friesen wrote: > On 2016-10-29 8:40 AM, Brian Wolff wrote: >> On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert >> wrote: >>> Hello, >>> >>> I was wondering about the security of Widgets ( >>> https://www.mediawiki.org/wiki/Extension:Widgets ) that get pa

Re: [MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

2016-10-29 Thread Daniel Friesen
On 2016-10-29 8:40 AM, Brian Wolff wrote: > On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert > wrote: >> Hello, >> >> I was wondering about the security of Widgets ( >> https://www.mediawiki.org/wiki/Extension:Widgets ) that get parameters >> passed to them. Any thoughts? >> >> Are the parame

Re: [MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

2016-10-29 Thread Brian Wolff
On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert wrote: > Hello, > > I was wondering about the security of Widgets ( > https://www.mediawiki.org/wiki/Extension:Widgets ) that get parameters > passed to them. Any thoughts? > > Are the parameters passed through to the widget cleansed of html/sc

Re: [MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

2016-10-29 Thread Brian Wolff
On Sat, Oct 29, 2016 at 3:40 PM, Brian Wolff wrote: > On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert > wrote: >> Hello, >> >> I was wondering about the security of Widgets ( >> https://www.mediawiki.org/wiki/Extension:Widgets ) that get parameters >> passed to them. Any thoughts? >> >> Are

Re: [MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

2016-10-29 Thread Brian Wolff
On Sat, Oct 29, 2016 at 2:50 PM, Dr. Michael Bonert wrote: > Hello, > > I was wondering about the security of Widgets ( > https://www.mediawiki.org/wiki/Extension:Widgets ) that get parameters > passed to them. Any thoughts? > > Are the parameters passed through to the widget cleansed of html/sc

[MediaWiki-l] Security of widgets? Way to limit parameters? OpenSeadragon

2016-10-29 Thread Dr. Michael Bonert
Hello, I was wondering about the security of Widgets ( https://www.mediawiki.org/wiki/Extension:Widgets ) that get parameters passed to them. Any thoughts? Are the parameters passed through to the widget cleansed of html/scripts? If it isn't -- is it possible to easily enforce typing/boun