editinterface (usually only available to sysops on WMF wikis) is required to edit the MediaWiki: namespace, which includes MediaWiki:(blah).css/js. And edituser(css/js) is required to edit other users’ CSS/JS files. In fawiki’s case, these permissions are available to the template editor group, so once he became a template editor (I don’t know how strict fawiki’s rules are, so no comment there) he was able to inject such an evil thing (tm).
TL;DR:
1. editinterface to modify the MediaWiki: namespace, which affects everyone.
2. edituserjs to touch other users’ JS.
3. editusercss to touch other users’ CSS.
--
Yongmin
Sent from my iPhone
https://wp.revi.blog
Text licensed under CC BY ND 2.0 KR
Please note that this address is a list-only address and any non-mailing-list mails will be treated as spam. Please use https://encrypt.to/0x947f156f16250de39788c3c35b625da5beff197a

On 2018. 3. 14. 22:25, David Gerard dgerard@gmail.com wrote:
What ways are there to include user-edited JavaScript in a wiki page?
I ask because someone put this revision in (which is now deleted):
https://fa.wikipedia.org/w/index.php?title=%D9%85%D8%AF%DB%8C%D8%A7%D9%88%DB...
You can't see it now, but it was someone including a JavaScript cryptocurrency miner in common.js!
Obviously this is not going to be a common thing, and common.js is closely watched. (The above edit was reverted in 7 minutes, and the user banned.)
But what are the ways to get user-edited JavaScript running on a MediaWiki, outside one's own personal usage? And what permissions are needed? I ask with threats like this in mind.
- d.
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
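
The following is an added example, not part of the mailing-list messages: a small audit that lists which user groups hold the three rights named in the reply (editinterface, edituserjs, editusercss) and flags any group outside an expected set. It assumes the JSON shape of MediaWiki's `action=query&meta=siteinfo&siprop=usergroups` API output; the sample response, its group assignments, and the function name `groups_with_script_rights` are constructed for illustration.

```python
import json

# Rights named in the reply, and what each lets a holder edit.
SCRIPT_RIGHTS = {
    "editinterface": "MediaWiki: namespace (site-wide, affects everyone)",
    "edituserjs": "other users' JS pages",
    "editusercss": "other users' CSS pages",
}

# Constructed sample in the shape of
# api.php?action=query&meta=siteinfo&siprop=usergroups&format=json
# The group/right assignments are made up and mirror the situation the
# reply describes; they are not any wiki's actual configuration.
SAMPLE_RESPONSE = json.dumps({
    "query": {"usergroups": [
        {"name": "*", "rights": ["read"]},
        {"name": "user", "rights": ["read", "edit"]},
        {"name": "templateeditor",
         "rights": ["edit", "editinterface", "edituserjs", "editusercss"]},
        {"name": "sysop",
         "rights": ["block", "delete", "editinterface",
                    "edituserjs", "editusercss"]},
    ]}
})


def groups_with_script_rights(siteinfo_json, expected=("sysop",)):
    """Return (holders, unexpected).

    holders: {group name: sorted list of SCRIPT_RIGHTS it holds}
    unexpected: sorted names of holder groups not listed in `expected`
    """
    data = json.loads(siteinfo_json)
    holders = {}
    for group in data.get("query", {}).get("usergroups", []):
        held = sorted(r for r in group.get("rights", []) if r in SCRIPT_RIGHTS)
        if held:
            holders[group["name"]] = held
    unexpected = sorted(set(holders) - set(expected))
    return holders, unexpected


if __name__ == "__main__":
    holders, unexpected = groups_with_script_rights(SAMPLE_RESPONSE)
    for name, rights in sorted(holders.items()):
        flag = "REVIEW" if name in unexpected else "ok"
        for right in rights:
            print(f"[{flag}] {name}: {right} -> {SCRIPT_RIGHTS[right]}")
```

Run against a saved siteinfo response from your own wiki, any group flagged REVIEW can change JavaScript or CSS that runs for other users and deserves the same vetting as sysop.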