A restrictive script-src in a Content-Security-Policy (RFC https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy, T135963 https://phabricator.wikimedia.org/T135963) could have helped with this. Alternatively, a report-mode CSP could at least have brought this to global operators’ attention, though I don’t know if they would’ve been faster to react than the fawiki community’s seven minutes.
Cheers, Lucas
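As an added illustration of the CSP point above (example code, not from the thread or from MediaWiki), a simplified model of how a `script-src` policy decides what a page may load, and of what a report-only policy would send to operators instead of blocking. It assumes the injected Common.js code pulled its library from a third-party host (placeholder URL); the report endpoint and the sample script list are constructed, and the matcher ignores ports, paths, nonces and hashes.

```python
import json
from urllib.parse import urlsplit

def parse_csp(policy):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def source_matches(src, url, page_url):
    """Simplified CSP source matching: 'none', 'self', '*' and scheme://host entries."""
    u, p = urlsplit(url), urlsplit(page_url)
    if src == "'none'":
        return False
    if src == "'self'":
        return (u.scheme, u.netloc) == (p.scheme, p.netloc)
    if src == "*":
        return True
    s = urlsplit(src if "://" in src else p.scheme + "://" + src)
    return (u.scheme, u.hostname) == (s.scheme, s.hostname)

def check_script_loads(policy, page_url, script_urls, report_only):
    """Return (loaded, reports). Enforced mode blocks non-matching scripts;
    report-only mode lets them run but still emits a violation report."""
    csp = parse_csp(policy)
    sources = csp.get("script-src", csp.get("default-src", ["*"]))
    loaded, reports = [], []
    for url in script_urls:
        if any(source_matches(s, url, page_url) for s in sources):
            loaded.append(url)
            continue
        reports.append({"csp-report": {   # shape of the browser's report-uri POST body
            "document-uri": page_url,
            "violated-directive": "script-src",
            "blocked-uri": url,
            "disposition": "report" if report_only else "enforce"}})
        if report_only:
            loaded.append(url)
    return loaded, reports

# Constructed sample: the wiki's own site JS plus a third-party script that
# injected Common.js code tries to pull in (placeholder host, not a real one).
POLICY = "script-src 'self'; report-uri /csp-report"   # report endpoint is a placeholder
PAGE = "https://fa.wikipedia.org/wiki/Main_Page"
SCRIPTS = ["https://fa.wikipedia.org/w/load.php?modules=site", "https://example-miner.invalid/miner.js"]
```

Running `check_script_loads(POLICY, PAGE, SCRIPTS, report_only=True)` shows both scripts still loading but one violation report queued for operators; with `report_only=False` the external script is dropped instead.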
2018-03-14 17:03 GMT+01:00 Amir Ladsgroup ladsgroup@gmail.com:
That already happened and the user got blocked indefinitely immediately after the incident. The JS was there for seven minutes, which is bad enough IMO.
One thing is that the Persian Wikipedia community is working to strip the right of editing the mediawiki ns from the templateeditor user group: https://fa.wikipedia.org/w/index.php?oldid=22370489#%D9%86%D8%B8%D8%B1%D8%AE%D9%88%D8%A7%D9%87%DB%8C_%D8%A8%D8%B1%D8%A7%DB%8C_%DA%AF%D8%B1%D9%81%D8%AA%D9%86_%D8%AF%D8%B3%D8%AA%D8%B1%D8%B3%DB%8C_%D9%88%DB%8C%D8%B1%D8%A7%DB%8C%D8%B4_%D9%81%D8%B6%D8%A7%DB%8C_%D9%86%D8%A7%D9%85_%D9%85%D8%AF%DB%8C%D8%A7%D9%88%DB%8C%DA%A9%DB%8C_%D8%A7%D8%B2_%D9%88%DB%8C%D8%B1%D8%A7%DB%8C%D8%B4%DA%AF%D8%B1%D8%A7%D9%86_%D8%A7%D9%84%DA%AF%D9%88
Other things include protecting us from this type of js inside the mediawiki. That's going to be difficult.
Best
On Wed, Mar 14, 2018 at 4:59 PM Derk-Jan Hartman <d.j.hartman+wmf_ml@gmail.com> wrote:
In my opinion, such accounts should be globally blocked btw. It is a grave breach of trust and such accounts cannot be trusted anywhere else either. Thanks for playing, but goodbye for ever.
DJ
On Wed, Mar 14, 2018 at 3:42 PM, Brian Wolff bawolff@gmail.com wrote:
On Wednesday, March 14, 2018, David Gerard dgerard@gmail.com wrote:
What ways are there to include user-edited JavaScript in a wiki page?
I ask because someone put this revision in (which is now deleted):
DB%8C%D8%A7%D9%88%DB%8C%DA%A9%DB%8C:Common.js&diff=next& oldid=22367460&uselang=en
You can't see it now, but it was someone including a JavaScript cryptocurrency miner in common.js!
Obviously this is not going to be a common thing, and common.js is closely watched. (The above edit was reverted in 7 minutes, and the user banned.)
But what are the ways to get user-edited JavaScript running on a MediaWiki, outside one's own personal usage? And what permissions are needed? I ask with threats like this in mind.
- d.
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
You need editinterface, edituserjs, or some of the centralnotice related rights (or the steward related rights to give yourself these rights).
Any method that does not involve editinterface or a related right that is normally restricted to administrators (or a higher group) should be considered a serious security issue in mediawiki and reported immediately.
-- Brian Wolff