Last modified: 2014-08-12 18:58:09 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T54290, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 52290 - $wgEnableImageWhitelist should be disabled on enwiki (and other wikis?)
Status: UNCONFIRMED
Product: Wikimedia
Classification: Unclassified
Component: General/Unknown
Version: wmf-deployment
Hardware: All All
Importance: Normal normal
Assigned To: Nobody
Reported: 2013-07-30 19:34 UTC by C. Scott Ananian
Modified: 2014-08-12 18:58 UTC

Description C. Scott Ananian 2013-07-30 19:34:26 UTC
http://en.wikipedia.org/wiki/MediaWiki:External_Image_Whitelist is currently empty; it's probably worth just turning off $wgEnableImageWhitelist in the enwiki configuration, unless someone has plans to allow external images.  It seems that external images are just an opportunity for trouble.
Comment 1 C. Scott Ananian 2013-07-30 19:35:44 UTC
http://en.wikipedia.org/wiki/Special:ApiSandbox#action=query&meta=siteinfo&format=json&siprop=general
lets you verify that $wgEnableImageWhitelist is currently on.
Comment 2 Bawolff (Brian Wolff) 2013-07-30 19:38:11 UTC
I agree. It seems very odd this is enabled by default. I don't think it should be.

For reference, first introduced in b3b81715 in 2008
Comment 3 Alex Monk 2013-07-30 22:23:09 UTC
I think the URL is supposed to be https://en.wikipedia.org/wiki/MediaWiki:External_image_whitelist
Comment 4 Alex Monk 2013-07-30 22:38:51 UTC
Only non-default versions of the message I could find were:
* arwiki, barwiki, kowiktionary - just translated the comments
* mediawikiwiki - "^https?://en\.wikipedia\.org/upload/b/bc/Wiki\.png$"
* testwiki - "^https?://upload\.wikimedia\.org.+$" and "^https://.*\.creativecommons\.org/l/by/3.0/.+\.png$"
Comment 5 MZMcBride 2013-07-30 22:50:36 UTC
I'm taking the somewhat unusual move of switching this bug back to "unconfirmed" for now. There's currently no evidence of a problem to be solved here.

Broadly, it may make sense to change the default (which would be a MediaWiki bug, not a Wikimedia bug), however, again, there would first have to be a demonstration of a problem.

Any such demonstration would have to account for the fact that:

* local administrators can edit site-wide JavaScript and insert raw HTML;
* the external image whitelist is a relatively clean system for allowing external image sources; and
* this feature has been enabled by default for about five years now without issue.

https://git.wikimedia.org/commitdiff/mediawiki%2Fcore/b3b81715d54e55fee4e18fbba985e98c25d1866a (better link)
Comment 6 C. Scott Ananian 2013-07-31 00:06:18 UTC
Note due to bug 51268, this setting is ignored for Parsoid/VE.  Turning $wgEnableImageWhitelist off on production servers where it is unused helps to ensure VE behavior is consistent.

I'm not actually suggesting that $wgEnableImageWhitelist be disabled in DefaultSettings.php (as suggested in comment 5).  Just that it should be turned off in production for wikis which are not currently using that functionality.
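
An added example, not part of the original bug report or of MediaWiki's code: a small audit that combines the siteinfo check from comment 1 with the whitelist message contents from comment 4 to flag wikis where the whitelist is enabled but has no active entries. It assumes the flag is exposed as `imagewhitelistenabled` under `query.general` and that blank lines and lines starting with `#` in the message are ignored; the wiki data below is constructed sample input.

```python
import json

def whitelist_enabled(siteinfo_json):
    """True if a siteinfo response reports the image whitelist as on.
    Assumption: the flag is the `imagewhitelistenabled` key of query.general,
    present as "" (legacy JSON) or as true/false (formatversion=2)."""
    general = json.loads(siteinfo_json)["query"]["general"]
    return general.get("imagewhitelistenabled", False) is not False

def whitelist_entries(message_text):
    """Active regex lines of the whitelist message.
    Assumption: blank lines and lines starting with '#' are ignored."""
    lines = (line.strip() for line in message_text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def audit(wikis):
    """Map wiki name -> (verdict, active entries)."""
    report = {}
    for name, (siteinfo_json, message_text) in wikis.items():
        entries = whitelist_entries(message_text)
        if not whitelist_enabled(siteinfo_json):
            verdict = "off"
        elif entries:
            verdict = "in-use"
        else:
            # Setting is on but nothing is whitelisted: candidate for disabling.
            verdict = "enabled-but-unused"
        report[name] = (verdict, entries)
    return report

# Constructed sample data: JSON bodies and comment lines are made up for the
# example; the two testwiki patterns are the ones quoted in comment 4.
SAMPLE_WIKIS = {
    "enwiki": ('{"query": {"general": {"imagewhitelistenabled": ""}}}',
               "# constructed comment line\n#another comment\n\n"),
    "testwiki": ('{"query": {"general": {"imagewhitelistenabled": true}}}',
                 "# constructed comment\n"
                 "^https?://upload\\.wikimedia\\.org.+$\n"
                 "^https://.*\\.creativecommons\\.org/l/by/3.0/.+\\.png$\n"),
    "examplewiki": ('{"query": {"general": {"imagewhitelistenabled": false}}}', ""),
}

if __name__ == "__main__":
    for wiki, (verdict, entries) in audit(SAMPLE_WIKIS).items():
        print(f"{wiki}: {verdict} ({len(entries)} active entries)")
```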
