Wikitech-l February 2013

wikitech-l@lists.wikimedia.org

161 participants
170 discussions

MediaWiki 1.19.0beta2
by Sam Reed 09 May '14

09 May '14

I'm happy to announce the availability of the second beta release of the new MediaWiki 1.19 release series. Please try it out and let us know what you think. Don't run it on any wikis that you really care about, unless you are both very brave and very confident in your MediaWiki administration skills. MediaWiki 1.19 is a large release that contains many new features and bug fixes. This is a summary of the major changes of interest to users. You can consult the RELEASE-NOTES-1.19 file for the full list of changes in this version. Five security issues were discovered. It was discovered that the api had a cross-site request forgery (CSRF) vulnerability in the block/unblock modules. It was possible for a user account with the block privileges to block or unblock another user without providing a token. For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34212 It was discovered that the resource loader can leak certain kinds of private data across domain origin boundaries, by providing the data as an executable JavaScript file. In MediaWiki 1.18 and later, this includes the leaking of CSRF protection tokens. This allows compromise of the wiki's user accounts, say by changing the user's email address and then requesting a password reset. For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=34907 Jan Schejbal of Hatforce.com discovered a cross-site request forgery (CSRF) vulnerability in Special:Upload. Modern browsers (since at least as early as December 2010) are able to post file uploads without user interaction, violating previous security assumptions within MediaWiki. Depending on the wiki's configuration, this vulnerability could lead to further compromise, especially on private wikis where the set of allowed file types is broader than on public wikis. Note that CSRF allows compromise of a wiki from an external website even if the wiki is behind a firewall. For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35317 George Argyros and Aggelos Kiayias reported that the method used to generate password reset tokens is not sufficiently secure. Instead we use various more secure random number generators, depending on what is available on the platform. Windows users are strongly advised to install either the openssl extension or the mcrypt extension for PHP so that MediaWiki can take advantage of the cryptographic random number facility provided by Windows. Any extension developers using mt_rand() to generate random numbers in contexts where security is required are encouraged to instead make use of the MWCryptRand class introduced with this release. For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35078 A long-standing bug in the wikitext parser (bug 22555) was discovered to have security implications. In the presence of the popular CharInsert extension, it leads to cross-site scripting (XSS). XSS may be possible with other extensions or perhaps even the MediaWiki core alone, although this is not confirmed at this time. A denial-of-service attack (infinite loop) is also possible regardless of configuration. For more details, see https://bugzilla.wikimedia.org/show_bug.cgi?id=35315 ********************************************************************* What's new? ********************************************************************* MediaWiki 1.19 brings the usual host of various bugfixes and new features. Comprehensive list of what's new is in the release notes. * Bumped MySQL version requirement to 5.0.2. * Disable the partial HTML and MathML rendering options for Math, and render as PNG by default. * MathML mode was so incomplete most people thought it simply didn't work. * New skins/common/*.css files usable by skins instead of having to copy piles of generic styles from MonoBook or Vector's css. * The default user signature now contains a talk link in addition to the user link. * Searching blocked usernames in block log is now clearer. * Better timezone recognition in user preferences. * Extensions can now participate in the extraction of titles from URL paths. * The command-line installer supports various RDBMSes better. * The interwiki links table can now be accessed also when the interwiki cache is used (used in the API and the Interwiki extension). Internationalization - -------------------- * More gender support (for instance in user lists). * Add languages: Canadian English. * Language converter improved, e.g. it now works depending on the page content language. * Time and number-formatting magic words also now depend on the page content language. * Bidirectional support further improved after 1.18. Release notes - ------------- Full release notes: https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/core.git;a=blob_plain;f=RE LEASE-NOTES-1.19;hb=1.19.0beta2 https://www.mediawiki.org/wiki/Release_notes/1.19 Co-inciding with these security releases, the MediaWiki source code repository has moved from SVN (at https://svn.wikimedia.org/viewvc/mediawiki/trunk/phase3) to Git (https://gerrit.wikimedia.org/gitweb/mediawiki/core.git). So the relevant commits for these releases will not be appearing in our SVN repository. If you use SVN checkouts of MediaWiki for version control, you need to migrate these to Git. If you up are using tarballs, there should be no change in the process for you. Please note that any WMF-deployed extensions have also been migrated to Git also, along with some other non WMF-maintained ones. Please bear with us, some of the Git related links for this release may not work instantly, but should later on. To do a simple Git clone, the command is: git clone https://gerrit.wikimedia.org/r/p/mediawiki/core.git More information is available at https://www.mediawiki.org/wiki/Git For more help, please visit the #mediawiki IRC channel on freenode.net irc://irc.freenode.net/mediawiki or email The MediaWiki-l mailing list at mediawiki-l(a)lists.wikimedia.org. ********************************************************************** Download: http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.tar.gz Patch to previous version (1.19.0beta1), without interface text: http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.patch.gz Interface text changes: http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.0beta2.patc h.gz GPG signatures: http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.tar.gz.si g http://download.wikimedia.org/mediawiki/1.19/mediawiki-1.19.0beta2.patch.gz. sig http://download.wikimedia.org/mediawiki/1.19/mediawiki-i18n-1.19.0beta2.patc h.gz.sig Public keys: https://secure.wikimedia.org/keys.html

5 5

Can we help Tor users make legitimate edits?
by Sumana Harihareswara 28 Sep '13

28 Sep '13

TL;DR: A few ideas follow on how we could possibly help legit editors contribute from behind Tor proxies. I am just conversant enough with the security problems to make unworkable suggestions ;-), so please correct me, critique & suggest solutions, and perhaps volunteer to help. The current situation: https://en.wikipedia.org/wiki/Wikipedia:Advice_to_users_using_Tor_to_bypass… We generally don't let anyone edit or upload from behind Tor; the TorBlock extension stops them. One exception: a person can create an account, accumulate lots of good edits, and then ask for an IP block exemption, and then use that account to edit from behind Tor. This is unappealing because then there's still a bunch of in-the-clear editing that has to happen first, and because then site functionaries know that the account is going to be making controversial edits (and could possibly connect it to IPs in the future, right?). And right now there's no way to truly *anonymously* contribute from behind Tor proxies; you have to log in. However, since JavaScript delivery is hard for Tor users, I'm not sure how much editing from Tor -- vandalism or legit -- is actually happening. (I hope for analytics on this and thus added it to https://www.mediawiki.org/wiki/Analytics/Dreams .) We know at least that there are legitimate editors who would prefer to use Tor and can't. People have been talking about how to improve the situation for some time -- see http://cryptome.info/wiki-no-tor.htm and https://lists.torproject.org/pipermail/tor-dev/2012-October/004116.html . It'd be nice if it could actually move forward. I've floated this problem past Tor and privacy people, and here are a few ideas: 1) Just use the existing mechanisms more leniently. Encourage the communities (Wikimedia & Tor) to use https://en.wikipedia.org/wiki/Wikipedia:Request_an_account (to get an account from behind Tor) and to let more people get IP block exemptions even before they've made any edits (< 30 people have gotten exemptions on en.wp in 2012). Add encouraging "get an exempt account" language to the "you're blocked because you're using Tor" messaging. Then if there's an uptick in vandalism from Tor then they can just tighten up again. 2) Encourage people with closed proxies to re-vitalize https://en.wikipedia.org/wiki/Wikipedia:WOCP . Problem: using closed proxies is okay for people with some threat models but not others. 3) Look at Nymble - http://freehaven.net/anonbib/#oakland11-formalizing and http://cgi.soic.indiana.edu/~kapadia/nymble/overview.php . It would allow Wikimedia to distance itself from knowing people's identities, but still allow admins to revoke permissions if people acted up. The user shows a real identity, gets a token, and exchanges that token over tor for an account. If the user abuses the site, Wikimedia site admins can blacklist the user without ever being able to learn who they were or what other edits they did. More: https://cs.uwaterloo.ca/~iang/ Ian Golberg's, Nick Hopper's, and Apu Kapadia's groups are all working on Nymble or its derivatives. It's not ready for production yet, I bet, but if someone wanted a Big Project.... 3a) A token authorization system (perhaps a MediaWiki extension) where the server blindly signs a token, and then the user can use that token to bypass the Tor blocks. (Tyler mentioned he saw this somewhere in a Bugzilla suggestion; I haven't found it.) 4) Allow more users the IP block exemption, possibly even automatically after a certain number of unreverted edits, but with some kind of FlaggedRevs integration; Tor users can edit but their changes have to be reviewed before going live. We could combine this with (3); Nymble administrators or token-issuers could pledge to review edits coming from Tor. But that latter idea sounds like a lot of social infrastructure to set up and maintain. Thoughts? Are any of you interested in working on this problem? #tor on the OFTC IRC server is full of people who'd be interested in talking about this. -- Sumana Harihareswara Engineering Community Manager Wikimedia Foundation

16 25

Initial stab at responsive images for high-density displays
by Brion Vibber 04 Jun '13

04 Jun '13

How to load up high-resolution imagery on high-density displays has been an open question for a while; we've wanted this for the mobile web site since the Nexus One and Droid brought 1.5x, and the iPhone 4 brought 2.0x density displays to the mobile world a couple years back. More recently, tablets and a few laptops are bringing 1.5x and 2.0x density displays too, such as the new Retina iPad and MacBook Pro. A properly responsive site should be able to detect when it's running on such a display and load higher-density image assets automatically... Here's my first stab: https://bugzilla.wikimedia.org/show_bug.cgi?id=36198#c6 https://gerrit.wikimedia.org/r/#/c/24115/ * adds $wgResponsiveImages setting, defaulting to true, to enable the feature * adds jquery.hidpi plugin to check window.devicePixelRatio and replace images with data-src-1-5 or data-src-2-0 depending on the ratio * adds mediawiki.hidpi RL script to trigger hidpi loads after main images load * renders images from wiki image & thumb links at 1.5x and 2.0x and includes data-src-1-5 and data-src-2-0 attributes with the targets Note that this is a work in progress. There will be places where this doesn't yet work which output their imgs differently. If moving from a low to high-DPI screen on a MacBook Pro Retina display, you won't see images load until you reload. Confirmed basic images and thumbs in wikitext appear to work in Safari 6 on MacBook Pro Retina display. (Should work in Chrome as well). Same code loaded on MobileFrontend display should also work, but have not yet attempted that. Note this does *not* attempt to use native SVGs, which is another potential tactic for improving display on high-density displays and zoomed windows. This loads higher-resolution raster images, including rasterized SVGs. There may be loads of bugs; this is midnight hacking code and I make no guarantees of suitability for any purpose. ;) -- brion

12 22

bot activity in #mediawiki on freenode
by btb 14 May '13

14 May '13

hi- i'm hopeful this is the appropriate venue for this topic - i recently had occasion to visit #mediawiki on freenode, looking for help. i found myself a bit frustrated by the amount of bot activity there and wondered if there might be value in some consideration for this. it seems to frequently drown out/dilute those asking for help, which can be a bit discouraging/frustrating. additionally, from the perspective of those who might help [based on my experience in this role in other channels], constant activity can sometimes engender disinterest [e.g. the irc client shows activity in the channel, but i'm less inclined to look as it's probably just a bot]. to offer one possibility - i know there are a number of mediawiki and/or wikimedia related channels - might there be one in which bot activity might be better suited, in the context of less contention between the two audiences [those seeking help vs. those interested in development, etc]? one nomenclature convention that seems to be at least somewhat of a defacto standard is #project for general help, and #project-dev[el] for development topics. a few examples of this i've seen are android, libreoffice, python, and asterisk. adding yet another channel to this list might not be terribly welcome, but maybe the distinction would be worth the addition? as i'm writing this, i see another thread has begun wrt freenode, and i also see a bug filed that relates at least to some degree [https://bugzilla.wikimedia.org/show_bug.cgi?id=35427], so i may just be repeating an existing sentiment, but i wanted to at least offer a brief perspective. regards -ben

18 47

Bootstrap based theme for Mediawiki
by Yuvi Panda 06 May '13

06 May '13

https://github.com/OSAS/strapping-mediawiki looks pretty awesome! (Example at http://www.ovirt.org/Home). This also makes bootstrap's classes / layouting helpers available to content inside the wiki itself, which is pretty cool. (thanks to Patrick Reilly on IRC) -- Yuvi Panda T http://yuvi.in/blog

5 4

Update to jQuery 1.9 and jQuery UI 1.9
by Jan Luca 23 Apr '13

23 Apr '13

Hi, is there already a schedule to update jQuery and jQuery UI to 1.9 or are there problems at moment? I want to use the new tooltip widget of jQuery UI 1.9 [1]. Best regards, Jan [1] http://jqueryui.com/tooltip/

3 2

RFC: Tab as field delimiter in logging format of cache servers
by Diederik van Liere 21 Mar '13

21 Mar '13

Apologies for crossposting Heya, The Analytics Team is planning to deploy "tab as field delimiter" to replace the current space as fielddelimiter on the varnish/squid/nginx servers. We would like to do this on February 1st. The reason for this change is that we need to have a consistent number of fields in each webrequest log line. Right now, some fields contain spaces and that require a lot of post-processing cleanup and slows down the generation of reports. What is affected and maintained by Analytics * udp-filter already has support for the tab character * webstatscollector: we compiled a new version of filter to add support for the tab character * wikistats: we will fix the scripts on an ongoing basis. * udp2log: we have a patch ready for inserting sequence numbers separated by tab. In particular, I would like to have feedback to three questions: 1) Are there important reasons not to use tab as field delimiter? 2) Are there important pieces of logging that expect a space instead of a tab and that need to be fixed and that I did not mention in this email? 3) Is February 1st a good date to deploy this change? (Assuming that all preps are finished) Best, Diederik

3 4

Call for Gerrit contractor
by Rob Lanphier 19 Mar '13

19 Mar '13

On Tue, Jul 24, 2012 at 10:25 PM, Steven Walling <steven.walling <at> gmail.com> wrote: > But do we have a plan for improving Gerrit in a substantial way? Hi everyone, In my response to Steven at the time [1], I indicated that we have a modest contractor budget for this work. The RFP is now posted here: http://hire.jobvite.com/Jobvite/Job.aspx?j=o4gIWfwI&c=qSa9VfwQ Please let me know if you're interested (and apply if you're really interested). Also, please let me know if you have any questions. Thanks! Rob [1] http://article.gmane.org/gmane.science.linguistics.wikipedia.technical/62630

7 6

GSoC 2013 guidelines??
by Tejas Nikumbh 16 Mar '13

16 Mar '13

Hi, I am Tejas Nikumbh, an undergrad at Indian Institute of Technology Bombay. I will be participating in GSoC this year. [GSoC 2013]. In order to imporve my chances for getting selected this year, I would like to start contributing early on to Open Source development via Wikimedia. Here's a little background info : *Languages proficient in : *Java, Python, Javascript [+jQuery] , HTML[+HTML5 Canvas], CSS [+CSS3]. C++ should be on the list soon. *CS Theory :* Discrete Math, Probablity and Random Processes, Data Structures and Algorithms. *SVN : *Github, Mercurial . *Basic Machine learning [Regression algos and some classification algos]* Based on the above info, are there any projects which might suit me? Also, Picking up something reasonable quickly shouldn't be a problem. Thanks, -- Tejas Nikumbh, Third Year Undergraduate, Electrical Engineering Department, IIT Bombay.

6 7

Mediawiki's access points and mw-config
by Waldir Pimenta 13 Mar '13

13 Mar '13

While trying to add some more information to https://www.mediawiki.org/wiki/Manual:Code, I came across a slightly peculiar issue regarding the entry points for MediaWiki: Right now, among all the entry points that I know of (those are listed in Manual:Code), only mw-config/index.php doesn't sit in the root folder. Furthermore, it's related to the installer at includes/installer/, but that is not clear at all from the code organization, specifically the directory names (and the lack of documentation both in the file and on mediawiki.org). I have two questions, then: 1) should all access points be on the root directory of the wiki, for consistency? 2) should the name "mw-config" be changed to something that more clearly indicates its relationship with the installer? Note that these aren't merely nitpicking: a consistent structure and intuitive names for files and directories play an important role in the self-documenting nature of the code, and make the learning curve smoother for new developers (e.g. yours truly :-)). Also, I used Tim Starling's suggestion on IRC to make sure the list of entry point scripts listed in Manual:Code was complete: git grep -l /includes/WebStart.php I am not sure that exhausts the list, however, since thumb_handler.php doesn't show up on its results. Any pointers regarding potential entry points currently omitted from that list are most welcome. --Waldir ps - while investigating this subject I came accross some inconsistencies in the way the access points include the WebStart.php file, including an incorrect use (according to Tim) of require_once() instead of require(). I submitted a change to Gerrit harmonizing them; if this interests you, please review the commit: https://gerrit.wikimedia.org/r/#/c/49208/

6 16

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

Wikitech-l February 2013