[Wikitech-l] [x-post] Wikimedia Language team office hour and online meeting on March 21, 2018 (Wednesday) at 1300 UTC

2018-03-14 Thread Runa Bhattacharjee
[x-posted announcement] Hello, Wikimedia Foundation’s Language team would like to invite you for an online office hour session scheduled for Wednesday, March 21st, 2018 at 13:00 UTC. This will be an open session to talk about our work, and in particular the changes to interlanguage links, which

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread MZMcBride
David Gerard wrote: >What ways are there to include user-edited JavaScript in a wiki page? > >[...] > >You can't see it now, but it was someone including a JavaScript >cryptocurrency miner in common.js! > >Obviously this is not going to be a common thing, and common.js is >closely watched. (The

[Wikitech-l] PHP profiling - Now covering multiversion and wmf-config

2018-03-14 Thread Krinkle
Hi all, TL;DR: When using X-Wikimedia-Debug to profile web requests on Wikimedia wikis, the generated profile information will now include details from "w/index.php", and MWMultiVersion, and things like wmf-config/CommonSettings.php. Details at https://phabricator.wikimedia.org/T180183. - The

Re: [Wikitech-l] Persian Wikimedia cryptocurrency mining incident

2018-03-14 Thread Amir Ladsgroup
Translated and posted in Persian Wikipedia's WP:VP. [0] Posting the translation here, in case it would be useful: «On 14 March 2018, evidence of the use of virtual currency mining software was discovered on Persian Wikipedia. This discovery was made by the user community, and in less than ten minutes after being added to the website

Re: [Wikitech-l] Persian Wikimedia cryptocurrency mining incident

2018-03-14 Thread Vi to
How many external (non WMF-sites) js do we need? Vito 2018-03-15 0:28 GMT+01:00 John Bennett : > *On 14 March 2018, evidence of cryptocurrency mining software was > discovered on Persian Wikipedia. It was identified by the community and > removed within 10 minutes of

[Wikitech-l] Persian Wikimedia cryptocurrency mining incident

2018-03-14 Thread John Bennett
*On 14 March 2018, evidence of cryptocurrency mining software was discovered on Persian Wikipedia. It was identified by the community and removed within 10 minutes of being added to the site. Additionally, the rights of the user responsible have been revoked and their account has been globally

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Jon Robson
It has always made me a little uneasy that there are wiki pages where JavaScript could potentially be injected into my page without my approval. To be honest if I had the option I would disable all site and user scripts for my account. Has this sort of thing happened before? Can we be sure there

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Lucas Werkmeister
A restrictive script-src in a Content-Security-Policy (RFC, T135963) could have helped with this. Alternatively, a report-mode CSP could at least have brought this to global

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Amir Ladsgroup
That already happened and the user got blocked indefinitely immediately after the incident. The JS was there for seven minutes which is bad enough IMO. One thing is that Persian Wikipedia community is working to strip the right of editing mediawiki ns from the templateeditor user group:

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Derk-Jan Hartman
In my opinion, such accounts should be globally blocked btw. It is a grave breach of trust and such accounts cannot be trusted anywhere else either. Thanks for playing, but goodbye for ever. DJ On Wed, Mar 14, 2018 at 3:42 PM, Brian Wolff wrote: > On Wednesday, March 14,

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Brian Wolff
On Wednesday, March 14, 2018, David Gerard wrote: > What ways are there to include user-edited JavaScript in a wiki page? > > I ask because someone put this revision in (which is now deleted): > >

Re: [Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread Yongmin H.
editinterface (usually only available to sysops on wmf wikis) is required to edit MediaWiki: namespace, which includes MediaWiki:(blah).css/js. And edituser(css/js) is required to edit other user’s CSS/JS files. In fawiki case, these permissions are available in template editor, so once he

[Wikitech-l] What ways are there to include user-edited JavaScript in a wiki page? (threat model: crypto miners)

2018-03-14 Thread David Gerard
What ways are there to include user-edited JavaScript in a wiki page? I ask because someone put this revision in (which is now deleted): https://fa.wikipedia.org/w/index.php?title=%D9%85%D8%AF%DB%8C%D8%A7%D9%88%DB%8C%DA%A9%DB%8C:Common.js=next=22367460=en You can't see it now, but it was