Last modified: 2011-03-13 18:05:16 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 2845 - Configurable whitelist for action=raw content types
Configurable whitelist for action=raw content types
Status: RESOLVED WONTFIX
Product: MediaWiki
Classification: Unclassified
General/Unknown (Other open bugs)
1.4.x
All All
: Lowest enhancement (vote)
: ---
Assigned To: Nobody - You can work on this!
: patch, patch-need-review
Depends on:
Blocks: javascript
  Show dependency treegraph
 
Reported: 2005-07-13 17:12 UTC by Benjamin Smedberg
Modified: 2011-03-13 18:05 UTC (History)
4 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments
Configurable whitelist and default, and remove text/javascript from the default whitelist, rev. 1 (3.06 KB, patch)
2005-07-13 17:14 UTC, Benjamin Smedberg
Details
Same patch, for HEAD (2.55 KB, patch)
2005-07-13 19:22 UTC, Benjamin Smedberg
Details
HEAD patch with correct case (2.55 KB, patch)
2005-07-13 19:46 UTC, Benjamin Smedberg
Details
I propose the attached patch which sets text/css as default content type for action=raw (587 bytes, patch)
2005-12-13 07:43 UTC, T. Gries
Details

Description Benjamin Smedberg 2005-07-13 17:12:25 UTC
action=raw allows ctype=text/javascript by default. This is not a good security
setting, because it becomes very easy for wikipages to link to this script and
steal login cookies and other important cookie data.

This patch adds a configurable whitelist of allowed mimetypes and also a
configurable default mimetype.
Comment 1 Benjamin Smedberg 2005-07-13 17:14:15 UTC
Created attachment 703 [details]
Configurable whitelist and default, and remove text/javascript from the default whitelist, rev. 1
Comment 2 Benjamin Smedberg 2005-07-13 17:15:02 UTC
This patch is against 1.4.6, I'm going to checkout and test HEAD now.
Comment 3 Brion Vibber 2005-07-13 19:19:07 UTC
text/javascript is not dangerous. Scripts are executed in the security context of the HTML 
page which includes them with a <script> element, and their source location is not relevant. 
You could just as easily put the evil script on your own site or some other third party site 
and it would work equally well or poorly.

If you believe you know of an actual vulnerability that can be caused through this, please e-
mail me privately with details.
Comment 4 Benjamin Smedberg 2005-07-13 19:22:24 UTC
Created attachment 705 [details]
Same patch, for HEAD

This is the same patch merged to HEAD. I did not test it (don't have a head
install ATM, but it's a simple merge so it shouldn't be a big deal).
Comment 5 Brion Vibber 2005-07-13 19:39:13 UTC
Not a security issue, changing subject and priority for the feature request.
Comment 6 Benjamin Smedberg 2005-07-13 19:46:33 UTC
Created attachment 706 [details]
HEAD patch with correct case
Comment 7 T. Gries 2005-12-13 07:43:05 UTC
Created attachment 1179 [details]
I propose the attached patch which sets text/css as default content type for action=raw
Comment 8 Rowan Collins [IMSoP] 2005-12-13 13:21:04 UTC
(In reply to comment #7)
> I propose the attached patch which sets text/css as default content type for
> action=raw

I can't see where that patch fits in with the others, but why would you want to
declare raw pages to be CSS by default? In the majority of cases, they will be
wikitext, hence "text/x-wiki". Or am I missing the point?
Comment 9 Benjamin Smedberg 2005-12-13 14:32:41 UTC
Default as CSS doesn't make sense to me either. Default as text/plain might make
more sense to me, but the current default is fine for my purposes.
Comment 10 T. Gries 2005-12-13 22:45:52 UTC
(In reply to comment #9)
> Default as CSS doesn't make sense to me either. Default as text/plain might make
> more sense to me, but the current default is fine for my purposes.

Brion has suggested yesterday in the irc to use text/css as default, which
appears to be safe (if I understood him correctly), because the browsers let the
source through unchanged. This is not the case for text/x-wiki on Internet
Explorer, which let IE regard the page to be of "index.php" type and opens an
ugly execute/save/abort window with all the consequences. If you want to dump
the text of an article pagename using index.php?title=pagename&action=raw ,
text/css appears to be much better than text/x-wiki (please try it).

But let me know your thoughts here, of course.
Comment 11 Mike Shaver 2005-12-13 22:49:20 UTC
If you want it to just pass through unmolested, why not text/plain?
Comment 12 T. Gries 2005-12-13 22:55:20 UTC
(In reply to comment #11)
> If you want it to just pass through unmolested, why not text/plain?

Yes, you are right. Perhaps Brion misunderstood me. 
I never understood, why text/x-wiki was used here. Can you explain ?
Comment 13 Rowan Collins [IMSoP] 2005-12-14 00:56:42 UTC
(In reply to comment #10)
> [...] This is not the case for text/x-wiki on Internet
> Explorer, which let IE regard the page to be of "index.php" type and opens an
> ugly execute/save/abort window with all the consequences.

Just to clarify this, it doesn't think it's a page of *type* "index.php", it
thinks it's *called* "index.php". But yes, the "I don't know what this is,
should I open, save, or what?" dialogue is an ugly thing to encounter on any
browser, though presumably you can configure a more sane default for
"text/x-wiki" documents if you play with them often...

(In reply to comment #12)
> I never understood, why text/x-wiki was used here. Can you explain ?

It's because IE has an irritating tendency to try really really hard to guess if
something's HTML, making it quite hard to persuade it not to, say, execute the
'contents' of text that says "<script>..." To confirm this, here's an e-mail
from Brion describing the problem:
http://mail.wikimedia.org/pipermail/mediawiki-l/2005-January/002983.html
[relatedly, here's why you have to use the "main script entry point", not a
fancy URL: http://mail.wikimedia.org/pipermail/mediawiki-l/2005-January/002952.html]

So 'text/plain' is definitely out. 'text/css' might be "unambiguous" enough for
IE not to try double-guessing, but it seems kind of arbitrary/hackish, and may
end up giving a download prompt anyway [it seems to for me, when I use
"&ctype=text/css" in IE].
Comment 14 T. Gries 2005-12-14 01:01:14 UTC
(In reply to comment #13)
> from Brion describing the problem [...]
Rowan: 1000thanks for pointing me to that
Comment 15 Andrew Garrett 2007-12-05 11:37:00 UTC
Dormant request, with no use case. WONTFIX.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links