Last modified: 2014-03-24 17:17:43 UTC

Bug 58438 - Security review of GlobalCssJs extension
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: GlobalCssJs
Version: unspecified
Hardware/OS: All All
Importance: Unprioritized normal
Target Milestone: ---
Assigned To: Chris Steipp
URL: https://www.mediawiki.org/wiki/extens...
Depends on:
Blocks: 57891
Reported: 2013-12-13 08:38 UTC by Kunal Mehta (Legoktm)
Modified: 2014-03-24 17:17 UTC (History)
CC List: 6 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description Kunal Mehta (Legoktm) 2013-12-13 08:38:44 UTC
For deployment.
Comment 1 MZMcBride 2014-02-16 21:38:12 UTC
Lego: is this extension ready for a security review now? If so, can you please coordinate with Chris S. on this?
Comment 2 Kunal Mehta (Legoktm) 2014-03-04 17:18:14 UTC
Spoke with Chris today, and he's going to do this once he finishes the Popups review (bug 61743).
Comment 3 Chris Steipp 2014-03-14 22:21:10 UTC
With the caveats that Kunal put on the extension's page (account compromise if you're not correctly using CentralAuth or shared user tables), the security looks ok.

The site global scripts allow admins on the central site to fully control the wikis using wgUseGlobalSiteCssJs, including elevating their own privileges, so obviously should be used with extreme caution.
Comment 4 Kunal Mehta (Legoktm) 2014-03-23 00:49:32 UTC
(In reply to Chris Steipp from comment #3)

> The site global scripts allow admins on the central site to fully control
> the wikis using wgUseGlobalSiteCssJs, including elevating their own
> privileges, so obviously should be used with extreme caution.

On bug 57891 we established that for the time being this would be disabled on WMF wikis, and we would need to re-review the extension if we ever decide to turn it on.
Comment 5 MZMcBride 2014-03-23 01:31:49 UTC
(In reply to Chris Steipp from comment #3)
> With the caveats that Kunal put on the extension's page (account compromise
> if you're not correctly using CentralAuth or shared user tables), the
> security looks ok.
> 
> The site global scripts allow admins on the central site to fully control
> the wikis using wgUseGlobalSiteCssJs, including elevating their own
> privileges, so obviously should be used with extreme caution.

Is this bug resolved/fixed then?
Comment 6 Chris Steipp 2014-03-24 17:17:43 UTC
(In reply to MZMcBride from comment #5)
> (In reply to Chris Steipp from comment #3)
> > With the caveats that Kunal put on the extension's page (account compromise
> > if you're not correctly using CentralAuth or shared user tables), the
> > security looks ok.
> > 
> > The site global scripts allow admins on the central site to fully control
> > the wikis using wgUseGlobalSiteCssJs, including elevating their own
> > privileges, so obviously should be used with extreme caution.
> 
> Is this bug resolved/fixed then?

Yes
