Last modified: 2014-03-24 17:17:43 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and, except for displaying bug reports and their history, links might be broken. See T60438, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 58438 - Security review of GlobalCssJs extension
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: GlobalCssJs (Other open bugs)
Version: unspecified
Hardware: All
OS: All
Priority: Unprioritized
Severity: normal
Target Milestone: ---
Assigned To: Chris Steipp
URL: https://www.mediawiki.org/wiki/extens...
Keywords:
Depends on:
Blocks: 57891
Reported: 2013-12-13 08:38 UTC by Kunal Mehta (Legoktm)
Modified: 2014-03-24 17:17 UTC (History)

See Also:
Web browser: ---
Mobile Platform: ---
Description Kunal Mehta (Legoktm) 2013-12-13 08:38:44 UTC
For deployment.
Comment 1 MZMcBride 2014-02-16 21:38:12 UTC
Lego: is this extension ready for a security review now? If so, can you please coordinate with Chris S. on this?
Comment 2 Kunal Mehta (Legoktm) 2014-03-04 17:18:14 UTC
Spoke with Chris today, and he's going to do this once he finishes the Popups review (bug 61743).
Comment 3 Chris Steipp 2014-03-14 22:21:10 UTC
With the caveats that Kunal put on the extension's page (account compromise if you're not correctly using CentralAuth or shared user tables), the security looks ok.

The site global scripts allow admins on the central site to fully control the wikis using wgUseGlobalSiteCssJs, including elevating their own privileges, so obviously should be used with extreme caution.
Comment 4 Kunal Mehta (Legoktm) 2014-03-23 00:49:32 UTC
(In reply to Chris Steipp from comment #3)

> The site global scripts allow admins on the central site to fully control
> the wikis using wgUseGlobalSiteCssJs, including elevating their own
> privileges, so obviously should be used with extreme caution.

On bug 57891 we established that for the time being this would be disabled on WMF wikis, and we would need to re-review the extension if we ever decide to turn it on.
Comment 5 MZMcBride 2014-03-23 01:31:49 UTC
(In reply to Chris Steipp from comment #3)
> With the caveats that Kunal put on the extension's page (account compromise
> if you're not correctly using CentralAuth or shared user tables), the
> security looks ok.
> 
> The site global scripts allow admins on the central site to fully control
> the wikis using wgUseGlobalSiteCssJs, including elevating their own
> privileges, so obviously should be used with extreme caution.

Is this bug resolved/fixed then?
Comment 6 Chris Steipp 2014-03-24 17:17:43 UTC
(In reply to MZMcBride from comment #5)
> (In reply to Chris Steipp from comment #3)
> > With the caveats that Kunal put on the extension's page (account compromise
> > if you're not correctly using CentralAuth or shared user tables), the
> > security looks ok.
> > 
> > The site global scripts allow admins on the central site to fully control
> > the wikis using wgUseGlobalSiteCssJs, including elevating their own
> > privileges, so obviously should be used with extreme caution.
> 
> Is this bug resolved/fixed then?

Yes
