Special page inclusions shouldn't be able to do anything privileged; they're meant for public data. If that's not being enforced right now I'd recommend reworking or killing the special page inclusion system...
-- brion

On Feb 3, 2015 10:11 AM, "Brad Jorsch (Anomie)" <[email protected]> wrote:

> On Fri, Jan 30, 2015 at 4:04 PM, Brion Vibber <[email protected]>
> wrote:
>
> > On Fri, Jan 30, 2015 at 12:11 PM, Jackmcbarn <[email protected]>
> > wrote:
> >
> > > On Fri, Jan 30, 2015 at 2:02 PM, Brion Vibber <[email protected]>
> > > wrote:
> > >
> > > > I'd be inclined to unstrip the marker *and squash HTML to plaintext*,
> > > > then encode the plaintext...
> > >
> > > I don't see how that addresses the security issue.
> >
> > Rollback tokens in the Special:Contributions HTML would then not be
> > available in the squashed text that got encoded. Thus it could not be
> > extracted and used in the timing attack.
>
> While it would avoid *this* bug, it would still allow the attack if there
> is ever sensitive data on some transcludable special page that isn't
> embedded in HTML tag attributes.
>
> --
> Brad Jorsch (Anomie)
> Software Engineer
> Wikimedia Foundation
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
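The trade-off discussed in this thread, shown as an added example that is not part of the original messages and is not MediaWiki code: squashing HTML to plaintext before encoding drops a value carried in a tag attribute, but keeps the same value when it sits in a text node. The function names, the sample fragments and the token value are all constructed for illustration.

```python
import html
from html.parser import HTMLParser


class _TextOnly(HTMLParser):
    """Collect text nodes only; tags and all their attributes are discarded."""

    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def squash_and_encode(fragment):
    """Squash HTML to plaintext, then HTML-encode the plaintext."""
    parser = _TextOnly()
    parser.feed(fragment)
    parser.close()
    text = " ".join("".join(parser.parts).split())  # collapse whitespace
    return html.escape(text)


# Constructed samples; TOKEN is a placeholder, not a real token format.
TOKEN = "EXAMPLE-TOKEN-0000"
IN_ATTRIBUTE = (
    '<li>10:11 <a href="/w/index.php?title=Foo&amp;action=rollback'
    '&amp;token=' + TOKEN + '">rollback</a> (edit summary)</li>'
)
IN_TEXT_NODE = "<p>Sensitive value: <b>" + TOKEN + "</b></p>"


def leaks(fragment):
    """True if the placeholder token survives squashing and encoding."""
    return TOKEN in squash_and_encode(fragment)
```
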
