On Tuesday, February 3, 2015 at 10:24 AM, Brion Vibber wrote:
Special page inclusions shouldn't be able to do anything privileged; they're meant for public data. If that's not being enforced right now I'd recommend reworking or killing the special page inclusion system...
Ok, although Brion's idea preserves more of the original content, these larger security concerns don’t look like they are going to be resolved in short order.
I think the pragmatic thing to do is either drop the content and raise an error, or replace the content with a warning string as Gergo suggested.
Any takers?
-- brion
On Feb 3, 2015 10:11 AM, "Brad Jorsch (Anomie)" <bjorsch@wikimedia.org> wrote:
On Fri, Jan 30, 2015 at 4:04 PM, Brion Vibber <bvibber@wikimedia.org> wrote:
On Fri, Jan 30, 2015 at 12:11 PM, Jackmcbarn <jackmcbarn@gmail.com> wrote:
On Fri, Jan 30, 2015 at 2:02 PM, Brion Vibber <bvibber@wikimedia.org> wrote:
I'd be inclined to unstrip the marker *and squash HTML to plaintext*, then encode the plaintext...
I don't see how that addresses the security issue.
Rollback tokens in the Special:Contributions HTML would then not be available in the squashed text that got encoded. Thus it could not be extracted and used in the timing attack.
While it would avoid *this* bug, it would still allow the attack if there is ever sensitive data on some transcludable special page that isn't embedded in HTML tag attributes.
--
Brad Jorsch (Anomie)
Software Engineer
Wikimedia Foundation
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
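The trade-off discussed in this thread, as an added example that is not part of any message above and is not MediaWiki code: squashing HTML to plaintext drops values held in tag attributes but keeps anything rendered as element text. The function names, HTML fragments and placeholder values are constructed for illustration.

```python
from html.parser import HTMLParser


class TextOnly(HTMLParser):
    """Collect text nodes only; tag names and attribute values are discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def squash_to_plaintext(html):
    """Reduce an HTML fragment to its visible text, whitespace-normalised."""
    parser = TextOnly()
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.chunks).split())


def survives_squash(html, secret):
    """True if `secret` is still present after squashing, i.e. still exposed."""
    return secret in squash_to_plaintext(html)


# Constructed placeholder values, not real tokens.
ATTR_SECRET = "PLACEHOLDER_TOKEN_A"
TEXT_SECRET = "PLACEHOLDER_VALUE_B"

# Constructed fragment: secret only inside a tag attribute (the case in the thread).
IN_ATTRIBUTE = (
    '<li>12:00, 3 February 2015 <a href="/wiki/Example">Example</a> '
    f'<a href="/w/index.php?action=rollback&amp;token={ATTR_SECRET}">rollback</a></li>'
)

# Constructed fragment: secret rendered as element text (the residual case).
IN_TEXT_NODE = f"<p>Your key: <code>{TEXT_SECRET}</code></p>"

if __name__ == "__main__":
    for label, html, secret in [
        ("attribute", IN_ATTRIBUTE, ATTR_SECRET),
        ("text node", IN_TEXT_NODE, TEXT_SECRET),
    ]:
        print(label, "->", repr(squash_to_plaintext(html)),
              "| secret survives:", survives_squash(html, secret))
```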