
Disable PageProperties globally until a security review is performed
Open, Stalled, Normal, Public

Description

The recent update to PageProperties changed the code a lot, and as such it is not the same extension it was when it was initially approved and added to MH. As a result, it should be globally disabled and a security review performed to ensure that it is still secure; it has been disabled on WikiTide for a few months now due to this issue.

  • Disable PageProperties globally on Miraheze
  • Perform security review.

Event Timeline

Original_Authority changed the task status from Open to Stalled. Jan 7 2024, 18:25

Yeah, I requested this have a new review due to the scope of recent changes that even changed the extent of what the extension can do and was basically an entire rewrite...

Universal_Omega changed the task status from Stalled to Open. Jan 31 2024, 03:29

It's been pretty good, but I found a minor security failure, here:

https://github.com/wikimedia/mediawiki-extensions-PageProperties/blob/c79ba5258e5b759295adfbd3dd628e4daad07c96/includes/api/PagePropertiesApiCheckLatestVersion.php#L59

$contents = file_get_contents( 'https://www.mediawiki.org/wiki/Extension:PageProperties' );
// proceeds to extract a version number from the XML

There are three bits to this:

  1. This is an absolutely bonkers way to check for upgrades. It does require CSRF tokens, but it can still be used as often as the client likes to make a bit more workload on both MH and WMF servers. It should hit an actual API.
  2. I can just go vandalize a page on mediawiki.org which will tell wikis on all platforms that this extension needs an upgrade.
  3. There is a variable $wgPagePropertiesDisableVersionCheck that is respected on the frontend but not on the backend API (We definitely need to set this, as we do not need users randomly telling us to update extensions -- the usergroups who see the version check alert are hardcoded.)

I have no idea where to create an issue for this extension, because there is no issue tracker linked on the extension page.

It's low-enough risk that it would be reasonable to accept the risk here, but I'd just prefer that the disable variable actually worked. (And that there was an actual API behind the extension's API call, not slurping a publicly editable wiki page -- but that's not necessary for us.)

I will continue reviewing...
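As an added illustration (not the extension's code and not labster's patch), here is how a backend API module could enforce all three points above: honour the kill switch server-side, rate-limit the call, and treat whatever the remote source returns as untrusted input. The class name, message keys, rate-limit action name and the JSON endpoint URL are assumptions; the real module reads a publicly editable wiki page.

```php
<?php
// Illustrative module, not PageProperties' own code. Class name, message keys,
// the rate-limit action and the endpoint URL are assumptions.
use MediaWiki\MediaWikiServices;

class ExampleApiCheckLatestVersion extends ApiBase {
	// Constructed placeholder; a real endpoint would be a machine-readable
	// source that is not editable by arbitrary users.
	private const VERSION_SOURCE_URL = 'https://example.invalid/pageproperties-version.json';

	public function execute() {
		// Point 3: the kill switch must be enforced here, not only in frontend JS.
		if ( $this->getConfig()->get( 'PagePropertiesDisableVersionCheck' ) ) {
			$this->dieWithError( 'apierror-pageproperties-versioncheck-disabled' );
		}
		// Only the groups that are shown the alert should be able to trigger the fetch.
		$this->checkUserRightsAny( 'editinterface' );
		// Point 1: a CSRF token alone does not stop a client from hammering the remote
		// server; the action name must also be configured in $wgRateLimits.
		if ( $this->getUser()->pingLimiter( 'pageproperties-versioncheck' ) ) {
			$this->dieWithError( 'apierror-ratelimited' );
		}
		$body = MediaWikiServices::getInstance()->getHttpRequestFactory()
			->get( self::VERSION_SOURCE_URL, [ 'timeout' => 5 ], __METHOD__ );
		$latest = self::extractVersion( (string)$body );
		if ( $latest === null ) {
			$this->dieWithError( 'apierror-pageproperties-versioncheck-unavailable' );
		}
		$credits = ExtensionRegistry::getInstance()->getAllThings();
		$installed = $credits['PageProperties']['version'] ?? '0';
		$this->getResult()->addValue( null, $this->getModuleName(), [
			'latest' => $latest,
			'installed' => $installed,
			'outdated' => version_compare( $installed, $latest, '<' ),
		] );
	}

	// Point 2: accept only a strict dotted numeric version. Vandalised content,
	// wiki markup or an HTML error page yields null rather than an "upgrade" prompt.
	public static function extractVersion( string $body ): ?string {
		$data = json_decode( $body, true );
		$candidate = is_array( $data ) ? (string)( $data['version'] ?? '' ) : '';
		return preg_match( '/^\d+\.\d+(\.\d+)?$/', $candidate ) ? $candidate : null;
	}

	public function needsToken() { return 'csrf'; }
	public function mustBePosted() { return true; }
	public function isInternal() { return true; }
}
```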

I believe the correct location for reporting bugs for this extension would be to the author's email: support [at] topway.it

labster changed the task status from Open to Stalled. Apr 27 2024, 08:29

I created https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PageProperties/+/1024831 rather than report the bug, since I didn't want to deal with emailing the author. The patch was so simple it would take longer to explain than to just write the answer.

I'll continue reviewing once this is merged.

@labster Could you update us once the user responds, so we can decide whether to keep disabled or re-enable? Much appreciated for performing the review, thank you!