Last modified: 2013-04-29 08:12:24 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T42965, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 40965 - General-purpose HTTPS-friendly GeoIP solution
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: UniversalLanguageSelector
Version: master
Hardware: All All
Importance: Lowest enhancement
Assigned To: Niklas Laxström
https://translatewiki.net/wiki/Thread...
Reported: 2012-10-11 19:54 UTC by Nemo
Modified: 2013-04-29 08:12 UTC (History)
Description Nemo 2012-10-11 19:54:39 UTC
Bug 40714 was invalid, but I think this is a valid request although a low priority one: if the browser doesn't allow loading insecure resources, the GeoIP lookup to freegeoip.net should be skipped or anyway the behaviour should degrade gracefully (or more gracefully than it currently does).
Of course chasing browsers is not an option but maybe someone will come up with a smart solution. The linked thread mentions HTTP 304 Not Modified responses which might give some clue to ULS maybe?
Comment 1 Niklas Laxström 2012-10-12 19:08:01 UTC
ULS is degrading gracefully. There is nothing we can do to support https in ULS unless someone sets up an https service. We could just not make the requests at all when using https.
Comment 2 Platonides 2012-10-12 19:29:38 UTC
You are on an untrusted network, so you only log in over https, but as the wiki then loads http://freegeoip.net/json/?callback=mw.uls.setGeo over http, the attacker replaces the answer and runs arbitrary JavaScript in your browser...
Comment 3 Niklas Laxström 2012-10-12 19:41:24 UTC
External services are a security risk regardless of whether it is http or https.
Comment 4 Krinkle 2012-10-13 06:32:33 UTC
FYI: This request is blocked in Google Chrome by default when browsing translatewiki over HTTPS (as it should).
Comment 5 Platonides 2012-10-13 12:05:10 UTC
> External services are a security risk regardless of whether it is http or
> https.
Yes, but being in http additionally means it is also open to man-in-the-middle attacks, so it disables the https security (for an active attacker).
Comment 6 Nemo 2012-11-03 10:30:22 UTC
See also Gerrit change #31637
Comment 7 Gerrit Notification Bot 2013-04-26 13:00:01 UTC
Related URL: https://gerrit.wikimedia.org/r/60995 (Gerrit Change Ia18130890d09f86a93b5b61f7da7c48fcfa480c7)
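
The option raised in Comment 1 (skip the request on https) together with the risk described in Comment 2 (an http JSONP answer executing as script), as an added example that is not ULS code and not taken from the Gerrit changes linked above. The function names, the injected `fetchText` helper and the `country_code` field are assumptions, and the example assumes a service that can return plain JSON instead of JSONP.

```javascript
// Added example: hypothetical helper names, not ULS code.

// Decide whether a GeoIP lookup may be made from a page without creating
// active mixed content (an https: page pulling script or data over http:).
function geoLookupAllowed(pageUrl, serviceUrl) {
  const page = new URL(pageUrl);
  // Resolving against the page also handles protocol-relative URLs ("//host/").
  const service = new URL(serviceUrl, pageUrl);
  if (service.protocol !== 'http:' && service.protocol !== 'https:') {
    return false;
  }
  // An http: page is not made worse by the lookup; an https: page needs https:.
  return page.protocol !== 'https:' || service.protocol === 'https:';
}

// Treat the answer as data, never as script: parse it as JSON and accept
// only a two-letter country code. The field name "country_code" is an assumption.
function parseGeoResponse(body) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    return null; // JSONP wrappers and injected script are rejected here
  }
  if (data === null || typeof data !== 'object') {
    return null;
  }
  const code = data.country_code;
  return typeof code === 'string' && /^[A-Z]{2}$/.test(code) ? code : null;
}

// Degrade gracefully: when the lookup is skipped, fails, or returns something
// unusable, return the caller's fallback (for example the browser language).
// fetchText is a caller-supplied function returning a Promise of the body text.
async function detectCountry(pageUrl, serviceUrl, fetchText, fallback) {
  if (!geoLookupAllowed(pageUrl, serviceUrl)) {
    return fallback;
  }
  try {
    return parseGeoResponse(await fetchText(serviceUrl)) || fallback;
  } catch (e) {
    return fallback;
  }
}
```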
