A restrictive script-src in a Content-Security-Policy (RFC
<https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy>,
T135963 <https://phabricator.wikimedia.org/T135963>) could have helped with
this. Alternatively, a report-mode CSP could at least have brought this to
global operators’ attention, though I don’t know if they would’ve been
faster to react than the fawiki community’s seven minutes.
Cheers,
Lucas
2018-03-14 17:03 GMT+01:00 Amir Ladsgroup <ladsgroup(a)gmail.com>:
That already happened and the user got blocked indefinitely immediately
after the incident. The JS was there for seven minutes, which is bad enough
IMO.
One thing is that the Persian Wikipedia community is working to strip the right
of editing the mediawiki ns from the templateeditor user group:
https://fa.wikipedia.org/w/index.php?oldid=22370489#%D9%86%D8%B8%D8%B1%D8%AE%D9%88%D8%A7%D9%87%DB%8C_%D8%A8%D8%B1%D8%A7%DB%8C_%DA%AF%D8%B1%D9%81%D8%AA%D9%86_%D8%AF%D8%B3%D8%AA%D8%B1%D8%B3%DB%8C_%D9%88%DB%8C%D8%B1%D8%A7%DB%8C%D8%B4_%D9%81%D8%B6%D8%A7%DB%8C_%D9%86%D8%A7%D9%85_%D9%85%D8%AF%DB%8C%D8%A7%D9%88%DB%8C%DA%A9%DB%8C_%D8%A7%D8%B2_%D9%88%DB%8C%D8%B1%D8%A7%DB%8C%D8%B4%DA%AF%D8%B1%D8%A7%D9%86_%D8%A7%D9%84%DA%AF%D9%88
Other things include protecting us from this type of js inside the
mediawiki. That's going to be difficult.
Best
On Wed, Mar 14, 2018 at 4:59 PM Derk-Jan Hartman <d.j.hartman+wmf_ml(a)gmail.com> wrote:
In my opinion, such accounts should be globally blocked btw. It is a
grave breach of trust and such accounts cannot be trusted anywhere
else either. Thanks for playing, but goodbye for ever.
DJ
On Wed, Mar 14, 2018 at 3:42 PM, Brian Wolff <bawolff(a)gmail.com> wrote:
On Wednesday, March 14, 2018, David Gerard <dgerard(a)gmail.com> wrote:
What ways are there to include user-edited JavaScript in a wiki page?
I ask because someone put this revision in (which is now deleted):
https://fa.wikipedia.org/w/index.php?title=%D9%85%D8%AF%DB%8C%D8%A7%D9%88%DB%8C%DA%A9%DB%8C:Common.js&diff=next&oldid=22367460&uselang=en

You can't see it now, but it was someone including a JavaScript
cryptocurrency miner in common.js!

Obviously this is not going to be a common thing, and common.js is
closely watched. (The above edit was reverted in 7 minutes, and the
user banned.)

But what are the ways to get user-edited JavaScript running on a
MediaWiki, outside one's own personal usage? And what permissions are
needed? I ask with threats like this in mind.

- d.

_______________________________________________
Wikitech-l mailing list
Wikitech-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
You need editinterface, edituserjs, or some of the centralnotice related
rights (or the steward related rights to give yourself these rights).

Any method that does not involve editinterface or a related right that is
normally restricted to administrator (or higher group) should be considered
a serious security issue in mediawiki and reported immediately.
--
Brian Wolff
--
Lucas Werkmeister
Software Developer (Intern)
Wikimedia Deutschland e. V. | Tempelhofer Ufer 23-24 | 10963 Berlin
Phone: +49 (0)30 219 158 26-0
Imagine a world in which every single human being can freely share in the
sum of all knowledge. That's our commitment.
Wikimedia Deutschland - Gesellschaft zur Förderung Freien Wissens e. V.
Registered in the register of associations of the Amtsgericht Berlin-Charlottenburg
under number 23855 B. Recognized as a non-profit by the Finanzamt für
Körperschaften I Berlin, tax number 27/029/42207.
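To make the CSP point at the top of the thread concrete, here is an added example (my own illustration, not code from MediaWiki, the RFC, or any participant) that evaluates a script-src directive the way a browser does for fetched scripts: it parses a policy header, matches a script URL against each source expression ('self', scheme-source, host-source with wildcard host, port and path prefix), and reports whether an enforced policy would block the fetch or a Content-Security-Policy-Report-Only policy would merely report it. The policy string, the miner.example host and the /csp-report endpoint are constructed for the demo; nonces, hashes, inline scripts and redirects are deliberately out of scope.

```python
"""Evaluate a CSP script-src directive against script URLs (added example)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_policy(header):
    """Turn 'script-src a b; report-uri /x' into {'script-src': ['a', 'b'], ...}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _split(url):
    """Return (scheme, host, effective port, path) with defaults filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme), p.path or "/"


def host_matches(pattern, host):
    """CSP host matching: exact host, or '*.example' for any proper subdomain."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".wikimedia.org" (the bare apex does not match)
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def source_matches(expr, url, page_origin):
    """True if source expression `expr` permits fetching `url` from a page at `page_origin`."""
    scheme, host, port, path = _split(url)
    page_scheme, page_host, page_port, _ = _split(page_origin)
    e = expr.lower()
    if e == "'none'":
        return False
    if e == "'self'":
        return (scheme, host, port) == (page_scheme, page_host, page_port)
    if e.startswith("'"):
        return False  # 'unsafe-inline', 'nonce-...', 'sha256-...' never match a URL
    if e.endswith(":") and "/" not in e:
        return scheme == e[:-1]  # scheme-source such as "https:"
    # host-source: [scheme://]host[:port][/path]
    e_scheme, rest = e.split("://", 1) if "://" in e else (None, e)
    hostport, e_path = (rest.split("/", 1) + [""])[:2]
    e_path = "/" + e_path if "/" in rest else ""
    e_host, e_port = hostport.rsplit(":", 1) if ":" in hostport else (hostport, None)
    if e_scheme is not None:
        if e_scheme != scheme:
            return False
    elif not (scheme == page_scheme or (page_scheme == "http" and scheme == "https")):
        return False  # scheme-less expressions inherit the page scheme (http may upgrade)
    if not host_matches(e_host, host):
        return False
    if e_port == "*":
        pass
    elif e_port is not None:
        if int(e_port) != port:
            return False
    elif port != DEFAULT_PORTS.get(scheme):
        return False
    if e_path:
        return path.startswith(e_path) if e_path.endswith("/") else path == e_path
    return True


def evaluate_script(policy_header, script_url, page_origin, report_only=False):
    """Return 'allowed', 'blocked' or 'reported' for one script fetch."""
    policy = parse_policy(policy_header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return "allowed"  # no governing directive at all
    if any(source_matches(e, script_url, page_origin) for e in sources):
        return "allowed"
    return "reported" if report_only else "blocked"


# Constructed demo inputs: a hypothetical policy for fa.wikipedia.org.
PAGE_ORIGIN = "https://fa.wikipedia.org"
POLICY = "script-src 'self' https://*.wikimedia.org; report-uri /csp-report"
SCRIPTS = [
    "https://fa.wikipedia.org/w/load.php?modules=site&only=scripts",  # site JS, same origin
    "https://upload.wikimedia.org/foo.js",                             # sister origin
    "https://miner.example/lib.js",                                     # constructed third party
]


def demo():
    """Map each script URL to (enforced decision, report-only decision)."""
    return {
        url: (evaluate_script(POLICY, url, PAGE_ORIGIN),
              evaluate_script(POLICY, url, PAGE_ORIGIN, report_only=True))
        for url in SCRIPTS
    }


if __name__ == "__main__":
    for url, decisions in demo().items():
        print(f"{url}: enforced={decisions[0]} report-only={decisions[1]}")
```

Note the caveat the first row of the demo makes visible: site JavaScript such as Common.js is delivered from the wiki's own origin, so a policy that allows 'self' still runs it. A restrictive script-src (and a matching connect-src) helps against an injected miner only to the extent that the injected code has to fetch code from, or talk to, an origin outside the allow-list; a report-only policy never blocks anything and is only as good as whoever reads the reports.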