Last modified: 2007-01-02 18:58:21 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T10462, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 8462 - Private pages can be transcluded into public pages
Status: RESOLVED WONTFIX
Product: MediaWiki
Classification: Unclassified
Component: Page editing
Version: unspecified
Hardware: All All
Importance: Lowest enhancement with 2 votes
Target Milestone: ---
Assigned To: Nobody - You can work on this!

Reported: 2007-01-02 15:27 UTC by Angela
Modified: 2007-01-02 18:58 UTC (History)

Description Angela 2007-01-02 15:27:49 UTC
A wiki has mostly private pages (only viewable and editable by logged in users)
and account creation restricted. The wiki allows public comments on one page.

However, users can type {{:Village pump}} on the public page to view private
content.

Transclusion of private pages should not be allowed.

Partly related to http://bugzilla.wikimedia.org/show_bug.cgi?id=3693
Comment 1 Rob Church 2007-01-02 15:33:18 UTC
Surprise, surprise; when people start hacking about with their configuration to
get MediaWiki to do something it was never intended to do, things don't work as
expected.

There is no such thing as a "private page". Blocking all users from reading all
but a few pages is fine, but then not preventing them from editing is obviously
going to yield unwanted results.

Fixing this one requires major changes to the transclusion engine in the parser,
and would make caching far less effective than it is already.
Comment 2 Anders Wegge Jakobsen 2007-01-02 15:34:53 UTC
MediaWiki does not have private pages. Various patches claim to provide this,
but as they are not part of the MediaWiki base, this bug is invalid.
Comment 3 Angela 2007-01-02 15:45:29 UTC
Wegge, this isn't about an extension. It's the $wgGroupPermissions setting which
does allow for private pages - all non-whitelisted pages are supposed to be made
private with this setting.

$wgGroupPermissions['*']['read'] = false; makes the non-whitelisted pages
private. Only it isn't working since those pages can still be read by
transcluding them in other pages.

http://wikimania2005.wikimedia.org/wiki/Template:Newsflash is not viewable to
unlogged in users, but it appears on the main page. In this case, that's fine
since a registered user chose to put it there, but an unregistered user could do
that with any page if one page was editable.
Comment 4 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-01-02 17:22:31 UTC
Read whitelists for a private wiki are intended to allow something like reading
the main page (so they can see what the site is about) and Special:Userlogin (so
they can log in).  They are not supposed to be used to allow editing of even a
single page, which opens up this vulnerability.  As the comment in
DefaultSettings.php says:

 * Functionality to make pages inaccessible has not been extensively tested
 * for security. Use at your own risk!

This is not a bug.  It's a lack of functionality, which is presently deliberate.
Comment 5 Brion Vibber 2007-01-02 18:58:21 UTC
There is no support for mixed public/private editing in MediaWiki. Trying to
hack in a patch here will just leave a thousand other holes open.

WONTFIX.
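
The configuration difference discussed in this thread, as an added example that is not part of the bug report or of MediaWiki's own code: the reported `$wgGroupPermissions` setup next to one where anonymous users cannot edit, plus a hypothetical helper, `anonCanEditWithoutRead`, that flags the risky combination. The array name `$reported` and the two whitelist entries are assumptions.

```php
<?php
// Added example, not code from the bug report or from MediaWiki itself.

// Reported setup (LocalSettings.php): reading is restricted, but the '*'
// group keeps 'edit', which MediaWiki grants to everyone by default.
$reported = [];
$reported['*']['read'] = false;
$reported['*']['createaccount'] = false;
// ['*']['edit'] is not set, so the default (true) applies.

// Setup in line with comments 4 and 5: the read whitelist only covers the
// main page and the login page, and anonymous users cannot edit at all.
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgWhitelistRead = [ 'Main Page', 'Special:Userlogin' ];

/**
 * Hypothetical audit helper (not a MediaWiki function). Anonymous visitors
 * hold only the rights of the '*' group; unset rights fall back to the
 * MediaWiki defaults for '*', which grant both 'read' and 'edit'.
 */
function anonCanEditWithoutRead( array $groupPermissions ): bool {
    $anon = $groupPermissions['*'] ?? [];
    $canRead = $anon['read'] ?? true;
    $canEdit = $anon['edit'] ?? true;
    // Editing without read access is the combination that lets an
    // anonymous editor pull restricted text in through {{:Page name}}.
    return $canEdit && !$canRead;
}

var_dump( anonCanEditWithoutRead( $reported ) );           // reported setup
var_dump( anonCanEditWithoutRead( $wgGroupPermissions ) ); // corrected setup
```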
