Last modified: 2013-10-29 11:36:51 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T37005, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 35005 - Harmonize (E:RSS) $wgRSSUrlWhitelist mechanism with (core) $wgEnableImageWhitelist handling in includes/Parser/parser.php
Status: ASSIGNED
Product: MediaWiki extensions
Classification: Unclassified
Component: RSS
Version: master
Importance: Normal normal
Assigned To: T. Gries
Duplicates: 55940
Blocks: 56287
Reported: 2012-03-06 08:47 UTC by T. Gries
Modified: 2013-10-29 11:36 UTC (History)
Description T. Gries 2012-03-06 08:47:52 UTC
MediaWiki already has a framework for whitelists of image URLs via MediaWiki system pages.

/** If $wgAllowExternalImages is false, you can allow an on-wiki
 * whitelist of regular expression fragments to match the image URL
 * against. If the image matches one of the regular expression fragments,
 * The image will be displayed.
 *
 * Set this to true to enable the on-wiki whitelist (MediaWiki:External image whitelist)
 * Or false to disable it
 */
$wgEnableImageWhitelist = true;
Comment 1 T. Gries 2013-03-10 07:02:25 UTC
implementation tip:

see core/includes/Parser/Parser.php

		if ( !$text && $this->mOptions->getEnableImageWhitelist()
			 && preg_match( self::EXT_IMAGE_REGEX, $url ) ) {
			$whitelist = explode( "\n", wfMessage( 'external_image_whitelist' )->inContentLanguage()->text() );
			foreach ( $whitelist as $entry ) {
				# Sanitize the regex fragment, make it case-insensitive, ignore blank entries/comments
				if ( strpos( $entry, '#' ) === 0 || $entry === '' ) {
					continue;
				}
				if ( preg_match( '/' . str_replace( '/', '\\/', $entry ) . '/i', $url ) ) {
					# Image matches a whitelist entry
					$text = Linker::makeExternalImage( $url );
					break;
				}
			}
		}
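The matching rules from the core snippet above, applied to feed URLs as a standalone function. This is an added example, not MediaWiki or Extension:RSS code; the function name `urlMatchesWhitelist`, the `trim()` call, the handling of broken fragments and all sample data are assumptions made for illustration.

```php
<?php
/**
 * Return true if $url matches any regex fragment in $whitelistText.
 * Rules follow the core snippet: one fragment per line, blank lines and
 * lines starting with '#' are skipped, '/' is escaped, matching is
 * case-insensitive. trim() is an addition here so that "\r\n" line
 * endings do not end up inside a fragment.
 */
function urlMatchesWhitelist( string $url, string $whitelistText ): bool {
	foreach ( explode( "\n", $whitelistText ) as $entry ) {
		$entry = trim( $entry );
		if ( $entry === '' || strpos( $entry, '#' ) === 0 ) {
			continue;
		}
		$regex = '/' . str_replace( '/', '\\/', $entry ) . '/i';
		// A fragment that does not compile makes preg_match() return false
		// and raise a warning; suppress the warning and treat it as "no match".
		if ( @preg_match( $regex, $url ) === 1 ) {
			return true;
		}
	}
	return false;
}

// Constructed sample whitelist (hypothetical hosts).
$whitelist = <<<'EOT'
# trusted feed sources
^https://feeds\.example\.org/
example\.com
(unclosed
EOT;

// Constructed sample URLs.
$urls = [
	'https://feeds.example.org/news.xml',       // host listed with an anchored entry
	'https://example.com/feed',                 // host listed with an unanchored entry
	'https://other.test/feed?ref=example.com',  // listed name appears only in the query string
	'https://unlisted.test/feed',               // not listed at all
];

foreach ( $urls as $url ) {
	echo $url, ' => ', var_export( urlMatchesWhitelist( $url, $whitelist ), true ), "\n";
}
```

Because entries are regex fragments rather than full patterns, the unanchored `example\.com` entry also accepts the third URL; entries meant to restrict the feed source need a `^scheme://host/` anchor like the first one.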
Comment 2 T. Gries 2013-10-21 09:31:15 UTC
*** Bug 55940 has been marked as a duplicate of this bug. ***
Comment 3 Nemo 2013-10-29 07:16:56 UTC
The summary is completely incomprehensible for me, but according to what you said on bug 45857 this blocks bug 56287.
Comment 4 T. Gries 2013-10-29 07:21:28 UTC
(In reply to comment #3)
> The summary is completely incomprehensible for me,
Harmonization of "whitelist" handling inside the RSS extension (in other words: E:RSS should use the same code and syntax as MediaWiki core does for $wgEnableImageWhitelist).
> but according to what you
> said on bug 45857 this blocks bug 56287.
Yes
Comment 5 Bawolff (Brian Wolff) 2013-10-29 11:29:03 UTC
What is the security threat model for rss whitelisting anyways? Mostly asking from a curiosity pov, but also one should make sure the threat models are compatible before copying the image whitelist from core.
Comment 6 T. Gries 2013-10-29 11:36:51 UTC
(In reply to comment #5)
> What is the security threat model for rss whitelisting anyways? Mostly asking
> from a curiosity pov, but also one should make sure the threat models are
> compatible before copying the image whitelist from core.

The whitelist method was introduced a long time ago, requested by Brion, as far as I remember, because RSS should only be included from trusted sources. Brion, can you please comment on that?
