A restrictive script-src in a Content-Security-Policy (RFC <https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy>, T135963 <https://phabricator.wikimedia.org/T135963>) could have helped with this. Alternatively, a report-mode CSP could at least have brought this to global operators’ attention, though I don’t know if they would’ve been faster to react than the fawiki community’s seven minutes.
Cheers,
Lucas

2018-03-14 17:03 GMT+01:00 Amir Ladsgroup <[email protected]>:
> That already happened and the user got blocked indefinitely immediately
> after the incident. The JS was there for seven minutes which is bad enough
> IMO.
>
> One thing is that Persian Wikipedia community is working to strip the right
> of editing mediawiki ns from the templateeditor user group:
> https://fa.wikipedia.org/w/index.php?oldid=22370489#%D9%86%D8%B8%D8%B1%D8%AE%D9%88%D8%A7%D9%87%DB%8C_%D8%A8%D8%B1%D8%A7%DB%8C_%DA%AF%D8%B1%D9%81%D8%AA%D9%86_%D8%AF%D8%B3%D8%AA%D8%B1%D8%B3%DB%8C_%D9%88%DB%8C%D8%B1%D8%A7%DB%8C%D8%B4_%D9%81%D8%B6%D8%A7%DB%8C_%D9%86%D8%A7%D9%85_%D9%85%D8%AF%DB%8C%D8%A7%D9%88%DB%8C%DA%A9%DB%8C_%D8%A7%D8%B2_%D9%88%DB%8C%D8%B1%D8%A7%DB%8C%D8%B4%DA%AF%D8%B1%D8%A7%D9%86_%D8%A7%D9%84%DA%AF%D9%88
>
> Other things include protecting us from this type of js inside the
> mediawiki. That's going to be difficult.
>
> Best
>
> On Wed, Mar 14, 2018 at 4:59 PM Derk-Jan Hartman <[email protected]> wrote:
> > In my opinion, such accounts should be globally blocked btw. It is a
> > grave breach of trust and such accounts cannot be trusted anywhere
> > else either. Thanks for playing, but goodbye for ever.
> >
> > DJ
> >
> > On Wed, Mar 14, 2018 at 3:42 PM, Brian Wolff <[email protected]> wrote:
> > > On Wednesday, March 14, 2018, David Gerard <[email protected]> wrote:
> > > > What ways are there to include user-edited JavaScript in a wiki page?
> > > >
> > > > I ask because someone put this revision in (which is now deleted):
> > > >
> > > > https://fa.wikipedia.org/w/index.php?title=%D9%85%D8%AF%DB%8C%D8%A7%D9%88%DB%8C%DA%A9%DB%8C:Common.js&diff=next&oldid=22367460&uselang=en
> > > >
> > > > You can't see it now, but it was someone including a JavaScript
> > > > cryptocurrency miner in common.js!
> > > >
> > > > Obviously this is not going to be a common thing, and common.js is
> > > > closely watched. (The above edit was reverted in 7 minutes, and the
> > > > user banned.)
> > > >
> > > > But what are the ways to get user-edited JavaScript running on a
> > > > MediaWiki, outside one's own personal usage? And what permissions are
> > > > needed? I ask with threats like this in mind.
> > > >
> > > > - d.
> > > >
> > > > _______________________________________________
> > > > Wikitech-l mailing list
> > > > [email protected]
> > > > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> > >
> > > You need editinterface, edituserjs, or some of the centralnotice related
> > > rights (or the steward related rights to give yourself these rights).
> > >
> > > Any method that does not involve editinterface or a related right that is
> > > normally restricted to administrator (or higher group) should be considered
> > > a serious security issue in mediawiki and reported immediately.
> > >
> > > --
> > > Brian Wolff

--
Lucas Werkmeister
Software Developer (Intern)

Wikimedia Deutschland e. V. | Tempelhofer Ufer 23-24 | 10963 Berlin
Phone: +49 (0)30 219 158 26-0
https://wikimedia.de

Imagine a world, in which every single human being can freely share in the sum of all knowledge. That's our commitment.

Wikimedia Deutschland - Gesellschaft zur Förderung Freien Wissens e. V. Registered in the register of associations of the Amtsgericht Berlin-Charlottenburg under number 23855 B. Recognised as a non-profit organisation by the Finanzamt für Körperschaften I Berlin, tax number 27/029/42207.
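As an added example that is not part of this thread or of MediaWiki's code, the Python sketch below shows what the report-mode CSP mentioned above would hand operators to act on: a collector-side triage that parses a report-only `script-src` policy and counts the `csp-report` violations whose script origin the policy does not allow, so a third-party script injected into Common.js surfaces as one unknown origin reported from many pages. The policy, the `/csp-report` path, the `wiki.example.org` document origin and the `cdn.miner.invalid` host are all constructed placeholders.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed report-only policy (not the RFC's own text): scripts only from the
# page's origin and one hypothetical static host; violations go to /csp-report.
POLICY = "script-src 'self' https://static.example.org; report-uri /csp-report"

def parse_policy(policy):
    """Map each CSP directive name to its list of source expressions."""
    return {t[0].lower(): t[1:] for t in (p.split() for p in policy.split(";")) if t}

def origin_of(uri):
    """scheme://host[:port], lower-cased; '' for inline/eval/data pseudo-URIs."""
    p = urlsplit(uri)
    return f"{p.scheme}://{p.netloc}".lower() if p.netloc else ""

def script_origin_allowed(directives, document_uri, blocked_uri):
    """True if blocked_uri's origin matches 'self' or an exact host source of
    script-src (falling back to default-src, as the browser does)."""
    sources = directives.get("script-src", directives.get("default-src", []))
    blocked = origin_of(blocked_uri)
    if not blocked:                      # inline/eval never match a host source
        return False
    return any((s == "'self'" and blocked == origin_of(document_uri)) or
               (s.startswith(("http://", "https://")) and origin_of(s) == blocked)
               for s in sources)

def triage(policy, reports):
    """Count script-src violations per origin the policy does not allow, most
    frequent first. One unknown origin reported from many different pages is the
    signature of a script injected into Common.js, seen before enforcing mode."""
    directives = parse_policy(policy)
    hits = Counter()
    for raw in reports:                  # JSON strings in the 'csp-report' shape
        r = json.loads(raw)["csp-report"]
        directive = r.get("effective-directive") or r.get("violated-directive", "")
        if directive.startswith("script-src") and not script_origin_allowed(
                directives, r["document-uri"], r["blocked-uri"]):
            hits[origin_of(r["blocked-uri"]) or r["blocked-uri"]] += 1
    return hits.most_common()
# Constructed sample reports; cdn.miner.invalid is a placeholder, not a real IoC.
def report(page, directive, blocked):
    return json.dumps({"csp-report": {"document-uri": "https://wiki.example.org/wiki/" + page,
                                      "violated-directive": directive, "blocked-uri": blocked}})
SAMPLE_REPORTS = [report("A", "script-src", "https://cdn.miner.invalid/lib.js"),
                  report("B", "script-src", "https://cdn.miner.invalid/lib.js"),
                  report("C", "script-src", "https://static.example.org/ok.js"),  # allowed
                  report("D", "img-src", "https://cdn.miner.invalid/p.png"),      # not js
                  report("E", "script-src", "inline")]                            # inline
```

Running `triage(POLICY, SAMPLE_REPORTS)` yields the unknown origin with count 2 first and the inline hit second; the allowed static host and the img-src report are filtered out as noise.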
