So, changing the starting letter to capital did solve some of my problems. Thank you =) However, I still seem unable to make tooltips for pages with a space in the title.
For instance, in the mediawiki:sidebar we have:
Survival Guide|Main Page
however, creating mediawiki:tooltip-n-Survival_Guide, or mediawiki:tooltip-n-Survival_guide has no effect. Neither does mediawiki:tooltip-n-Main_Page nor mediawiki:tooltip-n-Main_page.
Can someone please tell me what I'm doing wrong?
Thanks Kaare
On Mon, Jan 23, 2012 at 1:00 PM, mediawiki-l-request@lists.wikimedia.org wrote:
Send MediaWiki-l mailing list submissions to mediawiki-l@lists.wikimedia.org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.wikimedia.org/mailman/listinfo/mediawiki-l or, via email, send a message with subject or body 'help' to mediawiki-l-request@lists.wikimedia.org
You can reach the person managing the list at mediawiki-l-owner@lists.wikimedia.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of MediaWiki-l digest..."
Today's Topics:
- Re: What class logs recent changes (Siebrand Mazeland)
- Bypassing the external image whitelist (Daniel Friesen)
Message: 1 Date: Mon, 23 Jan 2012 08:35:27 +0100 From: Siebrand Mazeland s.mazeland@xs4all.nl To: MediaWiki announcements and site admin list mediawiki-l@lists.wikimedia.org Subject: Re: [Mediawiki-l] What class logs recent changes Message-ID: CA56B19D-6D4B-4E4A-B89B-1EC276A3A211@xs4all.nl Content-Type: text/plain; charset=us-ascii
On 23 Jan 2012 at 01:57, Adam Meyer meyer7@mindspring.com wrote:
What class is used to log the recent changes on edits etc
Have a look at http://www.mediawiki.org/wiki/Logging_to_Special:Log
-- Siebrand Mazeland
M: +31 6 50 69 1239 Skype: siebrand
Message: 2 Date: Mon, 23 Jan 2012 03:25:58 -0800 From: "Daniel Friesen" lists@nadir-seen-fire.com To: "mediawiki-l@lists.wikimedia.org" mediawiki-l@lists.wikimedia.org Subject: [Mediawiki-l] Bypassing the external image whitelist Message-ID: op.v8jbdkfkjuwloh@daniels-macbook-air.local Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
I've found a bit of an issue with our external image embedding whitelisting functionality. This isn't exactly a hole in the code itself, but in the fact that in practice it seems just about everyone uses the whitelist incorrectly and ends up opening up holes in their wiki allowing the whitelist to be bypassed.
I'll start with MW.org for an example: https://www.mediawiki.org/wiki/MediaWiki:External_image_whitelist
This image whitelist is fine, it's properly anchored with an explicit protocol and an initial ^, and it's not using excessive wildcards, there's nothing wrong with it.
However when I do a Google search and try to find some of the top wikis using the image whitelist functionality I see this:
http://rbose.org/wiki/MediaWiki:External_image_whitelist
http://mbmodwiki.ollclan.eu/MediaWiki:External_image_whitelist
http://wiki.vnations.net/index.php/MediaWiki:External_image_whitelist
http://stelio.net/geeki/MediaWiki:External_image_whitelist
http://community.wikia.com/wiki/MediaWiki:External_image_whitelist
Basically EVERYONE except the smart people running Wikimedia sites use the image whitelist incorrectly. There are rules using .* in some but more importantly NO ONE anchors their whitelist rules (they don't even bother including the protocol in some cases so we can't even use an implicit anchor to the regexps).
This means that the whitelists can be trivially bypassed: http://community.wikia.com/wiki/User:Dantman/Whitelist_hole
In this example Wikia has a `wikia.com` regexp line in their image whitelist. By using something like this the image whitelist is bypassed: http://imgs.xkcd.com/comics/security_holes.png?wikia.com&image.png
The "?wikia.com" inside of the query triggers the whitelisting allowing the image to be embedded, and the trailing &image.png makes sure that the url still matches the internal image url embed regexp.
By adding a query like this (it doesn't even necessarily need to be a query, I haven't tested but the fragment might be usable, and even if not it's liable that you could use the path portion of the url if you had a server setup to serve images for certain weird urls) you can embed basically any url you want into the wiki since the query portion of the url is ignored by webservers serving images.
And to be clear I don't believe that patterns like `http://upload\.wikimedia\.org/` and `^http://(.*?\.)?wordpress\.com/` are safe. I believe that the special characters in the later parts of the url won't affect it and you can still get it to work. And ^ anchoring won't work when using .* style wildcards because you can craft a url such as
http://my.malicious-website.com/path/to/my/evil/image.png?.wordpress.com&... which would match that latter regexp.
-- ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
End of MediaWiki-l Digest, Vol 100, Issue 18
Hi, please try: "MediaWiki:Tooltip-n-Survival-Guide". Hyphenated instead of underscored should work.
On 23.01.2012 14:39, kaare mikkelsen wrote:
So, changing the starting letter to capital did solve some of my problems. Thank you =) However, I still seem unable to make tooltips for pages with a space in the title.
For instance, in the mediawiki:sidebar we have:
Survival Guide|Main Page
however, creating mediawiki:tooltip-n-Survival_Guide, or mediawiki:tooltip-n-Survival_guide has no effect. Neither does mediawiki:tooltip-n-Main_Page nor mediawiki:tooltip-n-Main_page.
Can someone please tell me what I'm doing wrong?
Thanks Kaare