Special page inclusions shouldn't be able to do anything privileged;
they're meant for public data. If that's not being enforced right now I'd
recommend reworking or killing the special page inclusion system...
-- brion
On Feb 3, 2015 10:11 AM, "Brad Jorsch (Anomie)" <bjorsch(a)wikimedia.org> wrote:
> On Fri, Jan 30, 2015 at 4:04 PM, Brion Vibber <bvibber(a)wikimedia.org> wrote:
>> On Fri, Jan 30, 2015 at 12:11 PM, Jackmcbarn <jackmcbarn(a)gmail.com> wrote:
>>> On Fri, Jan 30, 2015 at 2:02 PM, Brion Vibber <bvibber(a)wikimedia.org> wrote:
>>>> I'd be inclined to unstrip the marker *and squash HTML to plaintext*,
>>>> then encode the plaintext...
>>>
>>> I don't see how that addresses the security issue.
>>
>> Rollback tokens in the Special:Contributions HTML would then not be
>> available in the squashed text that got encoded. Thus it could not be
>> extracted and used in the timing attack.
>
> While it would avoid *this* bug, it would still allow the attack if there
> is ever sensitive data on some transcludable special page that isn't
> embedded in HTML tag attributes.
>
> --
> Brad Jorsch (Anomie)
> Software Engineer
> Wikimedia Foundation
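
The trade-off discussed in this thread, as an added Python sketch (not MediaWiki code and not written by any of the posters): squashing HTML to plaintext drops attribute values such as a token inside a link, while anything carried in text nodes survives. The sample fragment, the token and the text value are constructed placeholders, and `squash_to_plaintext` is a hypothetical helper name.

```python
from html.parser import HTMLParser

# Constructed sample shaped like a transcluded special-page fragment.
# The token and the text-node value are placeholders, not real output.
SAMPLE_HTML = (
    '<ul><li><a href="/w/index.php?title=Example&amp;action=rollback'
    '&amp;token=PLACEHOLDER_TOKEN">rollback</a> '
    '<span class="note">PLACEHOLDER_SECRET_IN_TEXT</span></li></ul>'
)


class _TextOnly(HTMLParser):
    """Collects text nodes only; tags and all attribute values are discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks = []
        self._skip = 0  # depth inside <script>/<style>, whose bodies are not text

    def handle_starttag(self, tag, attrs):
        # attrs (href, data-*, value, ...) are deliberately never stored
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def squash_to_plaintext(html):
    """Hypothetical helper: reduce an HTML fragment to whitespace-normalized text."""
    parser = _TextOnly()
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.chunks).split())


def survives_squash(html, value):
    """True if `value` is still present after squashing, i.e. still exposed."""
    return value in squash_to_plaintext(html)


if __name__ == "__main__":
    print(squash_to_plaintext(SAMPLE_HTML))
    for needle in ("PLACEHOLDER_TOKEN", "PLACEHOLDER_SECRET_IN_TEXT"):
        print(needle, "survives:", survives_squash(SAMPLE_HTML, needle))
```
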