On 10/1/14, Markus Glaser <glaser(a)hallowelt.biz> wrote:
Hello everyone,
I would like to announce the release of MediaWiki 1.19.20, 1.22.12 and
1.23.5. This is a security release. Download links are given at the end of
this email.
== Security ==
* (bug 70672) SECURITY: OutputPage: Remove separation of css and js module
allowance.
Hmm. Lots of third parties use CSS in MediaWiki:Common.css to make
significant theming customizations without making a "real" skin.
Perhaps the release notes should mention that users who do this will
have their log in page suddenly look out of place.
Given that this change really only makes it mildly harder for a novice
attacker to do something evil, and there exists potential use cases it
breaks perhaps it should be behind a config variable defaulting to the
more secure setting. (A moderately skilled attacker should easily be
able to think of ways around this to steal users passwords. Once an
attacker can get javascript inserted, its pretty much game over.
Trying to "limit" damage of a malicious user modifying site js, is
like trying to unbreak an egg. Once the egg is broken, well you know
the story about humpty dumpty)
--bawolff