So, changing the starting letter to capital did solve some of my problems. Thank you =) However, I still seem unable to make tooltips for pages with a space in the title.
For instance, in the mediawiki:sidebar we have:
Survival Guide|Main Page
however, creating mediawiki:tooltip-n-Survival_Guide, or mediawiki:tooltip-n-Survival_guide has no effect. Neither does mediawiki:tooltip-n-Main_Page nor mediawiki:tooltip-n-Main_page.

Can someone please tell me what I'm doing wrong?

Thanks
Kaare

On Mon, Jan 23, 2012 at 1:00 PM, <[email protected]> wrote:

> Today's Topics:
>
>   1. Re: What class logs recent changes (Siebrand Mazeland)
>   2. Bypassing the external image whitelist (Daniel Friesen)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 23 Jan 2012 08:35:27 +0100
> From: Siebrand Mazeland <[email protected]>
> To: MediaWiki announcements and site admin list
>        <[email protected]>
> Subject: Re: [Mediawiki-l] What class logs recent changes
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
>
> On 23 Jan 2012, at 01:57, Adam Meyer <[email protected]> wrote:
>
> > What class is used to log the recent changes on edits etc
>
> Have a look at http://www.mediawiki.org/wiki/Logging_to_Special:Log
>
> --
> Siebrand Mazeland
>
> M: +31 6 50 69 1239
> Skype: siebrand
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 23 Jan 2012 03:25:58 -0800
> From: "Daniel Friesen" <[email protected]>
> To: "[email protected]"
>        <[email protected]>
> Subject: [Mediawiki-l] Bypassing the external image whitelist
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
>
> I've found a bit of an issue with our external image embedding
> whitelisting functionality.
> This isn't exactly a hole in the code itself, but in the fact that in
> practice it seems just about everyone uses the whitelist incorrectly and
> ends up opening up holes in their wiki allowing the whitelist to be
> bypassed.
>
> I'll start with MW.org for an example:
> https://www.mediawiki.org/wiki/MediaWiki:External_image_whitelist
>
> This image whitelist is fine, it's properly anchored with an explicit
> protocol and an initial ^, and it's not using excessive wildcards, there's
> nothing wrong with it.
>
> However when I do a Google search and try to find some of the top wikis
> using the image whitelist functionality I see this:
> http://rbose.org/wiki/MediaWiki:External_image_whitelist
> http://mbmodwiki.ollclan.eu/MediaWiki:External_image_whitelist
> http://wiki.vnations.net/index.php/MediaWiki:External_image_whitelist
> http://stelio.net/geeki/MediaWiki:External_image_whitelist
> http://community.wikia.com/wiki/MediaWiki:External_image_whitelist
>
> Basically EVERYONE except the smart people running Wikimedia sites use the
> image whitelist incorrectly. There are rules using .* in some but more
> importantly NO ONE anchors their whitelist rules (they don't even bother
> including the protocol in some cases so we can't even use an implicit
> anchor to the regexps).
>
> This means that the whitelists can be trivially bypassed:
> http://community.wikia.com/wiki/User:Dantman/Whitelist_hole
>
> In this example Wikia has a `wikia\.com` regexp line in their image
> whitelist.
> By using something like this the image whitelist is bypassed:
> http://imgs.xkcd.com/comics/security_holes.png?wikia.com&image.png
>
> The "?wikia.com" inside of the query triggers the whitelisting allowing
> the image to be embedded, and the trailing &image.png makes sure that the
> url still matches the internal image url embed regexp.
>
> By adding a query like this (it doesn't even necessarily need to be a
> query, I haven't tested but the fragment might be usable, and even if not
> it's liable that you could use the path portion of the url if you had a
> server setup to serve images for certain weird urls) you can embed
> basically any url you want into the wiki since the query portion of the
> url is ignored by webservers serving images.
>
> And to be clear I don't believe that patterns like
> `http://upload\.wikimedia\.org/` and `^http://(.*?\.)?wordpress\.com/`
> aren't safe. I believe that the special characters in the later parts of
> the url won't affect it and you can still get it to work. And ^ anchoring
> won't work when using .* style wildcards because you can craft a url such
> as
>
> http://my.malicious-website.com/path/to/my/evil/image.png?.wordpress.com&image.png
> which would match that latter regexp.
>
> --
> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://daniel.friesen.name]
>
>
>
> ------------------------------
>
> _______________________________________________
> MediaWiki-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
>
> End of MediaWiki-l Digest, Vol 100, Issue 18
> ********************************************
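
The whitelist problem described in the quoted "Bypassing the external image whitelist" message can be checked on your own rules with a short audit. This is an added example, not part of the thread and not MediaWiki's code. It assumes each whitelist line is applied as an unanchored, case-insensitive regex search over the whole URL; the host `off-list.example`, the sample "legitimate" URLs, the last (anchored) rule and `host_allowed` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

OFF_LIST = "http://off-list.example/x.png"  # constructed host that no rule intends to allow

def rule_matches(rule, url):
    # Assumption: a whitelist line is an unanchored, case-insensitive regex search.
    return re.search(rule, url, re.IGNORECASE) is not None

def probe_for(legit_url):
    # Same shape as the URL in the message: allowed text in the query, image suffix last.
    return f"{OFF_LIST}?{legit_url}&image.png"

def audit(rules):
    """Map each rule to True if a URL served from an off-list host passes it."""
    return {rule: rule_matches(rule, probe_for(legit)) for rule, legit in rules.items()}

def host_allowed(url, allowed_hosts):
    """Hardened check: decide on the parsed scheme and host, never on the raw string."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)

# rule -> constructed URL that the rule is meant to allow
RULES = {
    r"wikia\.com": "http://images.wikia.com/a.png",
    r"http://upload\.wikimedia\.org/": "http://upload.wikimedia.org/a.png",
    r"^http://(.*?\.)?wordpress\.com/": "http://foo.wordpress.com/a.png",
    # Constructed rule in the style the message calls fine: ^, explicit protocol, no wildcard.
    r"^https?://upload\.wikimedia\.org/": "http://upload.wikimedia.org/a.png",
}

# URL quoted in the message above.
PAGE_URL = "http://imgs.xkcd.com/comics/security_holes.png?wikia.com&image.png"

if __name__ == "__main__":
    for rule, bypassable in audit(RULES).items():
        print("BYPASSABLE" if bypassable else "ok        ", rule)
    print("regex allows page URL:", rule_matches(r"wikia\.com", PAGE_URL))
    print("host check allows page URL:", host_allowed(PAGE_URL, ["wikia.com"]))
```

Only the rule that starts with `^`, names the protocol and host literally, and ends the host with `/` rejects the off-list probe; the host-based check rejects it without relying on regex anchoring at all.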
