Last modified: 2014-06-25 23:18:44 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and, except for displaying bug reports and their history, links might be broken. See T68238, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 66238 - Security review of Mantle extension
Status: RESOLVED FIXED
Product: Wikimedia
Classification: Unclassified
Component: Extension setup
Version: wmf-deployment
Hardware: All
OS: All
Importance: Unprioritized normal
Target Milestone: ---
Assigned To: Chris Steipp
Depends on:
Blocks: 66094
Reported: 2014-06-06 04:08 UTC by Greg Grossmeier
Modified: 2014-06-25 23:18 UTC (History)
7 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Greg Grossmeier 2014-06-06 04:08:38 UTC
https://www.mediawiki.org/wiki/Extension:Mantle

From bug 66094:
(In reply to spage from comment #3)
> (In reply to Greg Grossmeier from comment #1)
> > Any new code here... ?
> 
> Yes. Besides the code that was formerly in extension MobileFrontend
> restructured for code sharing, this introduces the new third-party
> templating library Handlebars.js in
> Mantle/javascripts/externals/handlebars.js. That will need security review.
Comment 1 Chris Steipp 2014-06-11 22:40:14 UTC
handlebars.js says it's v2.0.0-alpha.2, instead of the stable 1.3.0. Who is going to be responsible for keeping it updated for security fixes? MITRE doesn't issue CVEs for alpha/beta builds, so security fixes won't be advertised in the usual places.

Just in case, can you add an .htaccess file in scripts, so those can't be accessed through apache?

Otherwise, I think security looks fine. Adding Timo just in case he has opinions on how ResourceLoader is being used.
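The kind of .htaccess file requested above, as an added example for this page; it is not the contents of Gerrit change 142011, which this page does not show. It assumes Apache is serving the extension directory with AllowOverride set so that .htaccess directives are honoured there, and it carries both the Apache 2.4 (mod_authz_core) and the older 2.2 syntax so the deny rule takes effect on either version.

```apache
# Added example: deny all direct HTTP access to this directory.
# Assumes Apache reads .htaccess here (AllowOverride includes Limit or AuthConfig).
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
</IfModule>
```

To confirm the rule is in force, request a file inside the directory (for example with curl) and expect a 403; a 200 means AllowOverride is disabling .htaccess for that path. The file only protects deployments on Apache: other web servers ignore .htaccess entirely, and PHP entry points still need their own checks since MediaWiki itself may be reachable through a different server.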
Comment 2 Gerrit Notification Bot 2014-06-25 21:22:52 UTC
Change 142011 had a related patch set uploaded by Spage:
Just in case prevent dev script access in apache

https://gerrit.wikimedia.org/r/142011
Comment 3 Gerrit Notification Bot 2014-06-25 21:44:38 UTC
Change 142011 merged by jenkins-bot:
Just in case prevent dev script access in apache

https://gerrit.wikimedia.org/r/142011
Comment 4 Chris Steipp 2014-06-25 23:18:44 UTC
Thanks!


