Last modified: 2011-12-26 06:34:40 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T35372, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 33372 - Do not load CentralNotice on pages with password fields
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: CentralNotice
Version: unspecified
Hardware: All All
Importance: Highest normal
Target Milestone: ---
Assigned To: Ryan Kaldari
Reported: 2011-12-25 10:28 UTC by db [inactive,noenotif]
Modified: 2011-12-26 06:34 UTC (History)

Description db [inactive,noenotif] 2011-12-25 10:28:47 UTC
CentralNotice is not respecting OutputPage::disallowUserJs() on Special:UserLogin, Special:ChangePassword (and maybe Special:ChangeEmail, it is new in 1.19).

The disallowUserJs method is called for good reasons: to disallow sniffing passwords with hijacked user or site JavaScript.

CentralNotice allows adding scripts written by users, and a hijacked user account can add a script to sniff passwords or more.

Please do not load CentralNotice on those pages. Thanks.
Comment 1 Ryan Kaldari 2011-12-25 11:33:45 UTC
Perhaps it would be best to just disable CentralNotice on all Special pages. Thoughts?
Comment 2 Mark A. Hershberger 2011-12-25 14:34:19 UTC
(In reply to comment #1)
> Perhaps it would be best to just disable CentralNotice on all Special pages.
> Thoughts?

Sounds like a good idea to me.
Comment 3 Sam Reed (reedy) 2011-12-25 19:30:38 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > Perhaps it would be best to just disable CentralNotice on all Special pages.
> > Thoughts?
> 
> Sounds like a good idea to me.

Ditto. Chances are if people are using Special pages they are doing something more than just doing simple editing, so they've probably already seen Jimmy enough already ;)
Comment 4 Ryan Kaldari 2011-12-26 06:34:40 UTC
Fixed in r107315.
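
The two checks discussed in this thread (skip every Special page, and honour `OutputPage::disallowUserJs()`), sketched as a `BeforePageDisplay` handler. This is an added example, not CentralNotice's code and not the change made in r107315; `ExampleBannerHooks` and the module name `ext.exampleBanner` are hypothetical, and it assumes the MediaWiki 1.18+ ResourceLoader origin constants and that it runs inside MediaWiki.

```php
<?php
// Added illustration for a hypothetical banner extension.
// ExampleBannerHooks and 'ext.exampleBanner' are made-up names.

class ExampleBannerHooks {
	/**
	 * Decide whether a module that carries wiki-editable banner script
	 * may be added to this page.
	 */
	public static function shouldLoadBanner( OutputPage $out ) {
		// Proposal from the thread: no banners on any Special page.
		// This covers Special:UserLogin, Special:ChangePassword and
		// Special:ChangeEmail without listing them one by one.
		if ( $out->getTitle()->getNamespace() === NS_SPECIAL ) {
			return false;
		}

		// disallowUserJs() lowers the page's allowed script origin to
		// ORIGIN_CORE_INDIVIDUAL. Banner script is written by wiki users,
		// so treat it like site/user JS and respect that restriction on
		// any page that sets it, Special or not.
		$allowed = $out->getAllowedModules( ResourceLoaderModule::TYPE_SCRIPTS );
		if ( $allowed < ResourceLoaderModule::ORIGIN_USER_SITEWIDE ) {
			return false;
		}

		return true;
	}

	public static function onBeforePageDisplay( OutputPage $out, Skin $skin ) {
		if ( self::shouldLoadBanner( $out ) ) {
			$out->addModules( 'ext.exampleBanner' );
		}
		return true; // let other BeforePageDisplay handlers run
	}
}

$wgHooks['BeforePageDisplay'][] = 'ExampleBannerHooks::onBeforePageDisplay';
```

The origin check is the part that keeps working if a non-Special page later calls `disallowUserJs()`; the namespace check alone would miss it.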
