https://bugzilla.wikimedia.org/show_bug.cgi?id=21602

           Summary: Code review for use of SMW in MediaWiki.Org
           Product: MediaWiki extensions
           Version: any
          Platform: All
               URL: http://MediaWiki.Org
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: Normal
         Component: Semantic MediaWiki
        AssignedTo: [email protected]
        ReportedBy: [email protected]
                CC: [email protected], [email protected],
                    [email protected]


The idea is to use SMW to manage MediaWiki extensions. The associated email
discussion that took place on [email protected] is
included below.

The requirement for including an extension in http://MediaWiki.Org is that it
gets a code review from a MW staffer (i.e. TimStarling). However, it seems that
before he looks at the code, it should be rewritten to conform to the security
guidelines spelled out on http://MediaWiki.Org:

http://www.mediawiki.org/wiki/Manual:Security
http://www.mediawiki.org/wiki/Security_for_developers


This bug is to track the status of that rewrite, specifically for the SMW core
code. We can create dependent bugs for the SF / SD / SRF / etc. extensions. I
think the best approach is to work on one extension at a time, starting with
SMW core.
More information:

For example, Tim found a problem in the SF extension (an XSS vulnerability in
Special:CreateForm):

He created a template called:

  Template:" onclick="alert('hello');" foo=


and when called from within the combo box of Special:CreateForm, it did just
that!
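To make the class of bug concrete for reviewers: the added PHP below is not SMW or Semantic Forms code and is not taken from the page; it is a constructed illustration of how a template name can break out of an `<option value="...">` attribute when it is concatenated into HTML unescaped, next to the escaped form that the mediawiki.org security guidelines call for. The template list, the two `renderTemplateSelect*` functions and the DOM-based check are all assumptions made for this example.

```php
<?php
// Added example, not MediaWiki/SMW code. Demonstrates attribute-injection XSS
// in a hand-built <select> and the htmlspecialchars() fix, with a DOM-based
// check a reviewer can run over rendered output.

// Constructed input: one ordinary template name and the one from the bug report.
$templateNames = [
    'Infobox person',
    '" onclick="alert(\'hello\');" foo=',
];

/**
 * Vulnerable variant: the template name is dropped straight into value="...".
 * A double quote in the name terminates the attribute and the remainder of
 * the name is parsed as further attributes, including an onclick handler.
 */
function renderTemplateSelectVulnerable( array $names ): string {
    $html = '<select name="template">';
    foreach ( $names as $name ) {
        $html .= '<option value="' . $name . '">' . $name . '</option>';
    }
    return $html . '</select>';
}

/**
 * Hardened variant: every untrusted string that reaches HTML, whether in an
 * attribute or in element text, goes through htmlspecialchars() with
 * ENT_QUOTES so that both " and ' are encoded. Inside MediaWiki the
 * equivalent is to build the markup with Xml::option() / Html::element(),
 * which escape for you.
 */
function renderTemplateSelectSafe( array $names ): string {
    $html = '<select name="template">';
    foreach ( $names as $name ) {
        $escaped = htmlspecialchars( $name, ENT_QUOTES, 'UTF-8' );
        $html .= '<option value="' . $escaped . '">' . $escaped . '</option>';
    }
    return $html . '</select>';
}

/**
 * Review-time check: parse the fragment the way a browser would and report
 * whether any element ended up with an on* event-handler attribute. A plain
 * grep for "onclick=" is not enough, because the escaped text of the safe
 * output still contains those characters as harmless character data.
 */
function hasEventHandlerAttribute( string $html ): bool {
    $doc = new DOMDocument();
    // Suppress libxml warnings about the malformed (vulnerable) markup.
    @$doc->loadHTML( '<!DOCTYPE html><html><body>' . $html . '</body></html>' );
    foreach ( $doc->getElementsByTagName( '*' ) as $element ) {
        foreach ( $element->attributes as $attribute ) {
            if ( stripos( $attribute->name, 'on' ) === 0 ) {
                return true;
            }
        }
    }
    return false;
}

$vulnerable = renderTemplateSelectVulnerable( $templateNames );
$safe = renderTemplateSelectSafe( $templateNames );

echo "vulnerable markup:\n$vulnerable\n";
echo "has event handler: " . var_export( hasEventHandlerAttribute( $vulnerable ), true ) . "\n\n";
echo "escaped markup:\n$safe\n";
echo "has event handler: " . var_export( hasEventHandlerAttribute( $safe ), true ) . "\n";
```

Run it with `php example.php`; the vulnerable fragment parses into an `<option>` carrying an `onclick` attribute, while the escaped fragment parses into an `<option>` whose value is just the literal template name. The same DOM check can be pointed at the HTML of any special page output during a review, which is a faster way to surface this class of defect than reading every concatenation by hand.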



Email discussion:

2009/11/20 Laurent Alquier <[email protected]>:
> I had an idea last night to help make SMW more visible.
>
> Use SMW to manage MediaWiki extensions.
>
> The current list of extensions is a mess. There is no way to query them at 
> all. The lists on the index page are static and (I hope) updated by a script.
>
> They already use an 'Extension' template. How hard could it be to set up SMW 
> + forms on the MediaWiki site and replace the 'Extension' template with a 
> semantic template?


2009/11/22 Jan Steinman <[email protected]>:
> Yes!
>
> Whenever I think, "Someone must have already done an extension for
> this thing I want to do," I get depressed at the hours of work it will
> take for me to tease it out.


2009/11/22 Krabina Bernhard <[email protected]>:
> that's an excellent idea!!



IRC discussion:

17:22 < faceface> hi RoanKattouw 
17:22 < faceface> on the Semantic MediaWiki mailing list the discussion about 
                  potentially running SMW on mediawiki.org just came up
17:23 < faceface> do you think it would be a possibility to run SMW on MW.org?
17:23 < RoanKattouw> For that to happen it would first have to be reviewed by a 
                     staff member
17:23 < RoanKattouw> In practice, that means Tim
17:24 < RoanKattouw> Reviewing SMW is not something you do on a rainy Sunday 
                     night
17:24 < RoanKattouw> faceface: I mean reviewing the actual code
17:24 < RoanKattouw> Which I imagine is pretty large
17:25 < faceface> A code review would be really welcome though
17:25 < faceface> what could SMW devs do to make it easier?
17:26 < RoanKattouw> Well not much I guess, they can hardly review their own 
                     code
17:26 < RoanKattouw> They could verify that all the DB queries SMW runs are 
                     properly indexed, you know, run EXPLAIN on them

...

<TimStarling> faceface_: I just opened the source of a random special
page and found an XSS vulnerability in about 10 seconds
<TimStarling> it's persistent:
http://www.bioinformatics.org/wiki/Special:CreateForm
<Platonides> I see the " onclick="alert("hello"); inside the combo
<TimStarling> it works as advertised
<Platonides> at last
<Platonides> the event wasn't firing

It seems like a waste of my time to review this thing when the quality
is so low and the errors are so obvious. Surely anyone could see those
sorts of things if they bothered to look. Maybe if it were rewritten to
conform with the security guidelines I've spelled out on mediawiki.org
then I'd be interested.

-- Tim Starling

