tstaerk / AdaptiveThumb

mediawiki extension to provide an image thumb that adapts to the window size

Image source ignores Mediawiki image whitelists #4

Open labster opened 7 years ago

labster commented 7 years ago

Hi, I'm a security reviewer for the wiki farm miraheze.org (@miraheze). One of our wikis requested this extension, and I gave it a read through. The main issue that I have is that the src attribute doesn't respect $wgEnableImageWhitelist or $wgAllowExternalImages or $wgAllowExternalImagesFrom.

Of course, we cannot legally use your code without a license, so we cannot install it. But I thought you would like to be aware of the security issues.
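The check this review asks for, as an added illustration that is neither AdaptiveThumb's nor MediaWiki core's own code: a stand-alone PHP gate a thumb extension would run on a candidate URL before emitting it as an `<img src>`, taking the values of `$wgAllowExternalImages`, `$wgAllowExternalImagesFrom` and `$wgEnableImageWhitelist` plus the lines of the on-wiki whitelist page as arguments. The prefix and regex semantics follow the documented meaning of those settings as I understand them; the sample configuration and URLs are constructed.

```php
<?php
// Added example, not AdaptiveThumb's or MediaWiki core's code: gate an external
// URL before it is emitted as <img src>. Arguments carry $wgAllowExternalImages,
// $wgAllowExternalImagesFrom (string or array of URL prefixes), $wgEnableImageWhitelist
// and the lines of MediaWiki:External image whitelist (regex fragments, '#' comments).
function isExternalImageAllowed(
	string $url, bool $allowAll, $allowFrom, bool $useWhitelist, array $whitelistLines
): bool {
	// Only http(s) URLs are candidates; other schemes are refused outright.
	if ( !preg_match( '!^https?://!i', $url ) ) {
		return false;
	}
	if ( $allowAll ) {
		return true;
	}
	// Prefix allow-list: accepts a single string or an array of strings.
	foreach ( (array)$allowFrom as $prefix ) {
		if ( $prefix !== '' && strncmp( $url, $prefix, strlen( $prefix ) ) === 0 ) {
			return true;
		}
	}
	if ( $useWhitelist ) {
		foreach ( $whitelistLines as $entry ) {
			$entry = trim( $entry );
			if ( $entry === '' || $entry[0] === '#' ) {
				continue; // blank line or comment
			}
			// Each line is a regex fragment ('/' escaped to serve as delimiter); a malformed entry yields false and is skipped.
			if ( @preg_match( '/' . str_replace( '/', '\\/', $entry ) . '/i', $url ) === 1 ) {
				return true;
			}
		}
	}
	return false;
}
// Constructed sample configuration and candidate URLs.
$allowFrom = [ 'https://upload.wikimedia.org/' ];
$whitelist = [ '# constructed on-wiki whitelist', 'example\.org/images/' ];
$urls = [
	'https://upload.wikimedia.org/a.png',   // allowed by prefix
	'https://cdn.example.org/images/b.png', // allowed by whitelist regex
	'https://tracker.invalid/pixel.gif',    // refused: on no list
	'ftp://files.example.net/c.png',        // refused: not http(s)
];
foreach ( $urls as $u ) {
	$ok = isExternalImageAllowed( $u, false, $allowFrom, true, $whitelist );
	// When refused, render the URL as escaped text instead of an <img> tag.
	echo $ok ? '<img src="' . htmlspecialchars( $u ) . '">' . "\n"
	         : htmlspecialchars( $u ) . "\n";
}
```

In a real extension the three arguments would be read from the wiki's configuration and the whitelist lines from the `MediaWiki:External image whitelist` page, and the refused branch should never fall through to emitting the raw URL as markup.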

tstaerk commented 7 years ago

I want my code to be used. You say I have to put it under a license for that?

Reception123 commented 7 years ago

@tstaerk Yes, for us to use your code it needs a license. This is an example of a license: https://github.com/wikimedia/mediawiki-extensions-Translate/blob/master/COPYING and https://github.com/wikimedia/mediawiki-extensions-Translate/blob/master/Translate.php#L11

tstaerk commented 7 years ago

Thank you so much, I am not a lawyer, but now I understand why you need licenses. I added the one mentioned by your colleague.

Also, great review regarding $wg*

tstaerk commented 7 years ago

committed a change, now respecting $wgAllowExternalImages

tstaerk commented 7 years ago

Thank you.

I added a license and now it adheres to $wgAllowExternalImages

regards

Thorsten

On 2016-11-05 10:39, Brent Laabs wrote:

Hi, I'm a security reviewer for the wiki farm miraheze.org (@miraheze). One of our wikis requested this extension, and I gave it a read through. The main issue that I have is that the src attribute doesn't respect $wgEnableImageWhitelist or $wgAllowExternalImages or $wgAllowExternalImagesFrom.

Of course, we cannot legally use your code without a license, so we cannot install it. But I thought you would like to be aware of the security issues.
