On Tuesday, February 3, 2015 at 10:24 AM, Brion Vibber wrote:

> Special page inclusions shouldn't be able to do anything privileged;
> they're meant for public data. If that's not being enforced right now I'd
> recommend reworking or killing the special page inclusion system...

Ok, although Brion's idea preserves more of the original content, these larger security concerns don't look like they are going to be resolved in short order. I think the pragmatic thing to do is either drop the content and raise an error, or replace the content with a warning string as Gergo suggested. Any takers?

> -- brion
>
> On Feb 3, 2015 10:11 AM, "Brad Jorsch (Anomie)" <[email protected]> wrote:
>
> > On Fri, Jan 30, 2015 at 4:04 PM, Brion Vibber <[email protected]> wrote:
> >
> > > On Fri, Jan 30, 2015 at 12:11 PM, Jackmcbarn <[email protected]> wrote:
> > >
> > > > On Fri, Jan 30, 2015 at 2:02 PM, Brion Vibber <[email protected]> wrote:
> > > >
> > > > > I'd be inclined to unstrip the marker *and squash HTML to plaintext*, then
> > > > > encode the plaintext...
> > > >
> > > > I don't see how that addresses the security issue.
> > >
> > > Rollback tokens in the Special:Contributions HTML would then not be
> > > available in the squashed text that got encoded. Thus it could not be
> > > extracted and used in the timing attack.
> >
> > While it would avoid *this* bug, it would still allow the attack if there
> > is ever sensitive data on some transcludable special page that isn't
> > embedded in HTML tag attributes.
> >
> > --
> > Brad Jorsch (Anomie)
> > Software Engineer
> > Wikimedia Foundation
> >
> > _______________________________________________
> > Wikitech-l mailing list
> > [email protected]
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
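As an added illustration of Brad's point (not code from the thread or from MediaWiki): a constructed sample of special-page output is run through the three handling options raised above. The tag-stripping "squash" option removes a token that sits in a link attribute but keeps one that appears as text, while the warning and error options hand the encoder nothing from the inclusion at all; the policy names, the sample markup and the token values are placeholders of mine.

```python
import html
import re

# Constructed sample standing in for Special:Contributions HTML that reached
# the encoding step as an unstrip marker. Both token values are placeholders.
SAMPLE_HTML = (
    '<ul><li><a href="/w/index.php?title=Example&amp;action=rollback'
    '&amp;token=PLACEHOLDER_ATTRIBUTE_TOKEN">rollback</a>: edit summary</li>'
    '<li>Secret shown as text: PLACEHOLDER_TEXT_TOKEN</li></ul>'
)
SECRETS = ("PLACEHOLDER_ATTRIBUTE_TOKEN", "PLACEHOLDER_TEXT_TOKEN")

# Naive tag stripper that only models the "squash to plaintext" step;
# it is not a safe HTML sanitizer and not MediaWiki's own code.
TAG_RE = re.compile(r"<[^>]*>")


class InclusionRejected(Exception):
    """Raised by the 'drop' policy: the inclusion never reaches the encoder."""


def squash_html_to_plaintext(fragment: str) -> str:
    """Brion's option: drop tags (and so their attributes), keep text nodes."""
    return html.unescape(TAG_RE.sub("", fragment)).strip()


def handle_inclusion(fragment: str, policy: str) -> str:
    """The three treatments proposed in the thread for a special page
    inclusion that ends up inside encoded output."""
    if policy == "squash":
        return squash_html_to_plaintext(fragment)
    if policy == "warn":
        return "[special page inclusion not supported here]"
    if policy == "drop":
        raise InclusionRejected("special page inclusion not allowed in encoded output")
    raise ValueError(f"unknown policy: {policy}")


def recoverable_secrets(policy: str, fragment: str = SAMPLE_HTML) -> list:
    """Which secrets survive into the text the encoder receives."""
    try:
        text = handle_inclusion(fragment, policy)
    except InclusionRejected:
        return []
    return [s for s in SECRETS if s in text]


if __name__ == "__main__":
    for policy in ("squash", "warn", "drop"):
        print(policy, recoverable_secrets(policy))
```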
