Wikitech-l August 2008

wikitech-l@lists.wikimedia.org

71 participants
89 discussions

Re: [Wikitech-l] GIFAR vulnerability and commons
by Tim Starling 14 Aug '08

14 Aug '08

peter green wrote: >> Commons seems to be a target for such an attack. Upload is easy, although I'm >> not to sure about the damage potential. I suppose if an administrators >> account would get compromised an applet could be manufactured to mass delete >> content or mass block users. >> >> > If commons is vulnerable all wikimedia wiki's are and there is nothing > that local commons users or admins can really do about this. Mediawiki > should probablly be modified to check for garbage on the end of image > files if it does not already do so. > > Sending this on to wikitech-l so the devs can comment on it. Replied on commons-l and fixed for default MediaWiki installations in r39203. -- Tim Starling

6 10

Re: [Wikitech-l] [MediaWiki-CVS] SVN: [39308] trunk/phase3/includes/specials/SpecialUserlogin.php
by Aryeh Gregor 14 Aug '08

14 Aug '08

On Wed, Aug 13, 2008 at 6:29 PM, <aaron(a)svn.wikimedia.org> wrote: > Log Message: > ----------- > I really don't like the idea of invalid IPs sending these passwords out > . . . > Modified: trunk/phase3/includes/specials/SpecialUserlogin.php > . . . > - if ( '' == $ip ) { $ip = '(Unknown)'; } > + if( !$ip ) { > + return new WikiError( wfMsg( 'badipaddress' ) ); > + } > + #if ( '' == $ip ) { $ip = '(Unknown)'; } Under what circumstances would the $ip ever be invalid? Where $_SERVER['REMOTE_ADDR'] is unset? When might that be? If there's no known circumstance, this chunk of code should just be removed. If there is one, wfGetIP()'s documentation should be updated (but whether this change is reasonable depends on when wfGetIP() might fail). Overall, I have a hard time imagining why a strange IP address should merit blocking e-mail reset requests.

1 0

I can't reach upload.wikimedia.org since a few months
by Opensource Obscure 13 Aug '08

13 Aug '08

Hi all! I asked for help in the #wikimedia-tech IRC channel and I was pointed here. My problem: since a few months, I can't reach http://upload.wikimedia.org The error message I get from browsers it 'Timeout error' I am located in North Italy and I'm using an ADSL provided by a major national ISP. My IP address is static - I'd prefer not to write it here, while I will be glad to provide more details in private. http://wikimedia.org works ok - but images in Wikipedia pages that are from upload.wikimedia.org never show for me (BTW I can see the same images if I use .nyud.net proxying system) http://upload.wikimedia.org is the only URL I have issues with - my web navigation has no relevant problems apart this. I already tried changing the DNS servers I'm using, rebooting the ADSL router, doing a few other common browser/networks things - it didn't work. I'm usually on WindowsXPSP2 and there are no active filtering software, firewalls or proxies here. Thanks in advance. Opensource Obscure

1 0

Developer needed for ParserFunctions extension
by Siebrand Mazeland 13 Aug '08

13 Aug '08

The ParserFunctions extension currently has 44 open issues in Bugzilla (38 new, 1 assigned, 5 reopened - 1 major, 20 normal, 3 minor, 1 trivial, 19 enhancement)[1]. Recently there have been some discussions on this list on triage and assigning of issues. Who volunteers to do work on ParserFunctions, and get some issues closed? Cheers! Siebrand [1] https://bugzilla.wikimedia.org/buglist.cgi?bug_file_loc=&bug_file_loc_type=…

6 10

Re: [Wikitech-l] Developer needed for ParserFunctions extension
by roan.kattouw＠home.nl 13 Aug '08

13 Aug '08

---- Daniel Friesen <dan_the_man(a)telus.net> schrijft: > Also, a big one. I'm thinking of actually allowing mathematical > variables. These can show up in the formula, and the following > parameters are var=value pairs. > An example of such: > {{#expr:d + v×t + ½×a×t²|d=4e2|v=2|a=4|t=7}} > That kind of feature would be quite nice on perhaps... A physics wiki, > where you use a lot of formula that repeat variables. Why not just create a Template:Accmotion that contains {{#expr:{{{d}}} + {{{v}}}*{{{t}}} + 0.5*{{{a}}}*{{{t}}}^2}} and call {{accmotion|d=4e2|v=2|a=4|t=7}} Does that work? Are template parameters expanded before ParserFunctions? Roan Kattouw (Catrope)

2 1

Re: [Wikitech-l] GIFAR vulnerability and commons
by Daniel Friesen 12 Aug '08

12 Aug '08

Eh? The API, sure in context of an application, but whatabout interwiki. But more importantly: http://wikia.com/index.php?title=Template:WikiLogo&action=edit ~Daniel Friesen(Dantman, Nadir-Seen-Fire) of: -The Nadir-Point Group (http://nadir-point.com) --It's Wiki-Tools subgroup (http://wiki-tools.com) --The ElectronicMe project (http://electronic-me.org) --Games-G.P.S. (http://ggps.org) -And Wikia ACG on Wikia.com (http://wikia.com/wiki/Wikia_ACG) --Animepedia (http://anime.wikia.com) --Narutopedia (http://naruto.wikia.com) Tim Starling wrote: > Daniel Schwen wrote: > >>> Even if Wikimedia is not vulnerable, many other MediaWiki installations >>> will be. >>> >> I'm not convinced yet that WikiMedia is not vulnerable! >> While at first the upload.wikimedia.org subdomain seemed to offer protection, >> my tests at >> >> http://toolserver.org/~dschwen/test.html >> >> indicate that when using the url >> http://commons.wikimedia.org/wiki/Special:FilePath/Gifar.gif to load the >> applet, it has no rights to connect to upload.wikimedia.org >> >> Unfortunately it is late right now, so I don't have time to confirm if the >> server of origin is indeed set to commons.wikimedia.org as it seems at first >> glance, but if it is then I think I found an attack vector. >> > > Does anyone actually use Special:FilePath? This is not the first security > hole opened up by it, and the API could easily serve the same purpose. > Could it be removed? > > -- Tim Starling >

3 2

Re: [Wikitech-l] PPNode_DOM to wikitext
by D Sledge 12 Aug '08

12 Aug '08

Wait, that issue is with 1.12alpha. Don't know if it exists with later versions. D ----- Original Message ---- From: D Sledge <david.sledge(a)yahoo.com> To: Wikimedia developers <wikitech-l(a)lists.wikimedia.org> Sent: Tuesday, August 12, 2008 2:45:41 PM Subject: Re: [Wikitech-l] PPNode_DOM to wikitext Excellent! Would've taken me a while to figure that one out (if ever). One issue is that tags aren't being translated back. They end up as the placeholder "UNIQx0x0-tagname-x0x0-QINU" strings. Thank you very much, D ----- Original Message ---- From: Brion Vibber <brion(a)wikimedia.org> To: Wikimedia developers <wikitech-l(a)lists.wikimedia.org> Sent: Tuesday, August 12, 2008 1:55:23 PM Subject: Re: [Wikitech-l] PPNode_DOM to wikitext -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 D Sledge wrote: > MediaWiki: 1.12.0 PHP: 5.2.4 MySQL: 5.0.45 > > So the method Parser::preprocessToDom converts wikitext to a > PPNode_DOM object. Is there a method that does the reverse (i.e. > transforms a PPNode_DOM object to wikitext)? $frame = $wgParser->getPreprocessor()->newFrame(); $frame->expand( $node, PPFrame::RECOVER_ORIG ); - -- brion -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkih6qsACgkQwRnhpk1wk47lbQCgvTf8arvB+xHTUu0veyVaS81p /GkAn2cvM4Me4w/JKLdem2vBPTXfQqfO =+zLb -----END PGP SIGNATURE----- _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

1 0

Re: [Wikitech-l] PPNode_DOM to wikitext
by D Sledge 12 Aug '08

12 Aug '08

Excellent! Would've taken me a while to figure that one out (if ever). One issue is that tags aren't being translated back. They end up as the placeholder "UNIQx0x0-tagname-x0x0-QINU" strings. Thank you very much, D ----- Original Message ---- From: Brion Vibber <brion(a)wikimedia.org> To: Wikimedia developers <wikitech-l(a)lists.wikimedia.org> Sent: Tuesday, August 12, 2008 1:55:23 PM Subject: Re: [Wikitech-l] PPNode_DOM to wikitext -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 D Sledge wrote: > MediaWiki: 1.12.0 PHP: 5.2.4 MySQL: 5.0.45 > > So the method Parser::preprocessToDom converts wikitext to a > PPNode_DOM object. Is there a method that does the reverse (i.e. > transforms a PPNode_DOM object to wikitext)? $frame = $wgParser->getPreprocessor()->newFrame(); $frame->expand( $node, PPFrame::RECOVER_ORIG ); - -- brion -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkih6qsACgkQwRnhpk1wk47lbQCgvTf8arvB+xHTUu0veyVaS81p /GkAn2cvM4Me4w/JKLdem2vBPTXfQqfO =+zLb -----END PGP SIGNATURE----- _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

1 0

PPNode_DOM to wikitext
by D Sledge 12 Aug '08

12 Aug '08

MediaWiki: 1.12.0 PHP: 5.2.4 MySQL: 5.0.45 So the method Parser::preprocessToDom converts wikitext to a PPNode_DOM object. Is there a method that does the reverse (i.e. transforms a PPNode_DOM object to wikitext)? Thanks, D

3 2

Re: [Wikitech-l] [MediaWiki-CVS] SVN: [39099] trunk/extensions/GlobalBlocking
by Andrew Garrett 12 Aug '08

12 Aug '08

On Mon, Aug 11, 2008 at 7:50 AM, <brion(a)svn.wikimedia.org> wrote: > * Clean up horrible horrible permission checks which are 1000 times more complicated than they should be. We have User::isAllowed() for a reason, kids :) I've since fixed up the getUserPermissionsErrors function to allow an array of errors to be ignored to be passed. It seems like a good idea to prevent blocked users from globally blocking, and to allow extensions / other code to prevent doing action X on title Y. This is why I prefer to use getUserPermissionsErrors rather than isAllowed, since isAllowed only checks if the user has the appropriate permission (this is the point of getUserPermissionsErrors - to be a one-stop shop for checking permissions). Also, the wfReadOnly checks are done in getUserPermissionsErrors, so we need to add them separately if we are to use User::isAllowed. -- Andrew Garrett

3 3

← Newer
1
2
3
4
5
6
7
8
9
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

Wikitech-l August 2008