Last modified: 2014-06-25 23:18:44 UTC
https://www.mediawiki.org/wiki/Extension:Mantle

From bug 66094:

(In reply to spage from comment #3)
> (In reply to Greg Grossmeier from comment #1)
> > Any new code here... ?
>
> Yes. Besides the code that was formerly in extension MobileFrontend
> restructured for code sharing, this introduces the new third-party
> templating library Handlebars.js in
> Mantle/javascripts/externals/handlebars.js. That will need security review.
handlebars.js says it's v2.0.0-alpha.2, instead of the stable 1.3.0. Who is going to be responsible for keeping it updated for security fixes? Mitre doesn't issue CVEs for alpha/beta builds, so security fixes won't be advertised in the usual places.

Just in case, can you add an .htaccess file in scripts, so those can't be accessed through apache? Otherwise, I think security looks fine. Adding Timo just in case he has opinions on how ResourceLoader is being used.
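An added example of the kind of .htaccess file the comment above asks for; it is not the contents of Gerrit change 142011 and not code from the Mantle extension. It assumes the developer scripts live in a directory called scripts/ under the extension root and that the web server is Apache with AllowOverride permitting Limit/AuthConfig directives there.

```apacheconf
# Added example, not the Mantle extension's own file.
# Place as Mantle/scripts/.htaccess (directory name assumed from the review comment).
# Blocks all HTTP access to the developer scripts so they are never reachable
# through the web server; they remain usable from the command line.

# Apache 2.4 and later
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 fallback (directives are ignored on 2.4, which uses the block above)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

Two caveats for whoever deploys it: the file does nothing under `AllowOverride None` (the same directives would then have to go in the server or vhost config as a `<Directory>` block), and it does nothing at all on nginx or other non-Apache servers. Verify by requesting a file under scripts/ over HTTP and confirming a 403 rather than the script body.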
Change 142011 had a related patch set uploaded by Spage: Just in case prevent dev script access in apache https://gerrit.wikimedia.org/r/142011
Change 142011 merged by jenkins-bot: Just in case prevent dev script access in apache https://gerrit.wikimedia.org/r/142011
Thanks!