
Enable Extension:TemplateStylesExtender on https://sctoolszh.miraheze.org/
Closed, Resolved (Public)

Description

Hello! Could we please have the following Extension installed on our wiki? It will help us organize and make it pretty!

https://www.mediawiki.org/wiki/Extension:TemplateStylesExtender

Thank you!

Event Timeline

I'm leaning on a -1 here, var() is currently banned (awaiting a patch as it's fixed) as it caused a security issue. I'd like to know how the developer determined that it wasn't a security risk when they decided to allow this to enable it.

Unknown Object (User) closed this task as Declined. Sep 19 2021, 08:18
Unknown Object (User) claimed this task.

I'm going to go ahead and mark this as declined for now at least on the grounds of a potential security risk, as @RhinosF1 mentioned above.

Unknown Object (User) edited projects, added Extensions; removed MediaWiki. Sep 19 2021, 08:19

Spoken to another sysadmin, we are declining this as extending TemplateStyles is too much of a risk without high enough security standards.

We strongly encourage you to raise this upstream. You'll probably already find tasks for a few of them so it can be added to TemplateStyles.

Unknown Object (User) moved this task from Backlog to Security Review Needed on the Extensions board. Sep 19 2021, 08:19


Is there more information on the security issue? If you're talking about T208881, it was fixed by browsers two years ago. Besides, TS extender doesn't allow defining CSS variables, only using them. So the variables have to be defined either through the MW namespace or other extensions, which are not sanitized anyway.


There are multiple years-old tasks upstream already on adding modern rules into TemplateStyles/CSS sanitizer. The current WMF stance is to only add rules when it becomes a published standard, which alienated many rules that are in the draft standards. With that being said, the whole purpose of developing this extension is an add-on to the original TS as upstream is not an option.

Reopen for visibility and discussion

While the use case is good, I still want to ensure it's developed to high standard with risks taken into account.

How can we guarantee that's done by the developer?


What are the specific risks that you're referring to? I will be able to provide a clearer insight if I understand what you're concerned about.

The extension only adds a few additional rules to the allow list of TemplateStyles. CSS is a logicless language that is relatively safe compared to anything. Besides, TemplateStyles with TemplateStylesExtender is still enforced more strictly than Extension:CSS, which allows unsanitized input.
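To make the allow-list behaviour under discussion concrete (var() usage permitted, custom-property definitions and unlisted properties still rejected, and a switch standing in for $wgTemplateStylesExtenderEnableCssVars), here is an added illustrative model. It is not the extension's or the css-sanitizer library's code; the property list, the regexes and the simplified declaration splitting are assumptions made for this note.

```python
import re

# Constructed stand-in for the TemplateStyles property allow list (not the real one).
BASE_ALLOWED_PROPERTIES = {"color", "background-color", "margin", "padding", "font-size"}

# Values are restricted to simple tokens (keywords, numbers, hex colours, percentages);
# anything with parentheses, quotes or slashes is rejected by this model.
_SIMPLE_VALUE = re.compile(r"^[-a-zA-Z0-9#.%\s]+$")
_CUSTOM_PROPERTY_NAME = re.compile(r"^--[A-Za-z0-9_-]+$")
# var(--name) or var(--name, fallback); the fallback may not contain parentheses.
_VAR_CALL = re.compile(r"^var\(\s*(--[A-Za-z0-9_-]+)\s*(?:,\s*([^()]+))?\s*\)$")


def sanitize_declaration(decl, allow_var):
    """Return the normalised declaration if it passes the allow list, else None."""
    if ":" not in decl:
        return None
    prop, value = (part.strip() for part in decl.split(":", 1))
    prop = prop.lower()
    # Defining a custom property (--name: value) is never accepted here: the extender
    # only adds var() usage; definitions live in the MediaWiki namespace or elsewhere.
    if _CUSTOM_PROPERTY_NAME.match(prop):
        return None
    if prop not in BASE_ALLOWED_PROPERTIES:
        return None
    match = _VAR_CALL.match(value)
    if match:
        if not allow_var:  # the hypothetical "CSS vars disabled" configuration
            return None
        fallback = match.group(2)
        if fallback is not None and not _SIMPLE_VALUE.match(fallback):
            return None
        return f"{prop}: {value}"
    if not _SIMPLE_VALUE.match(value):
        return None
    return f"{prop}: {value}"


def sanitize_block(css, allow_var=True):
    """Split a declaration list on ';' (no string/escape handling, unlike a real
    tokenizer) and keep only declarations that survive the allow list."""
    kept = []
    for decl in css.split(";"):
        decl = decl.strip()
        if not decl:
            continue
        out = sanitize_declaration(decl, allow_var)
        if out is not None:
            kept.append(out)
    return kept
```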

Unknown Object (User) added a comment. Sep 25 2021, 16:31


I do know this developer is active, and am confident in speedy reply for security issues, but regardless I still have some concerns. I can look into it though. I agree the use case is good enough to consider it though. However, nothing is good enough to risk a security issue, therefore it will be declined if I'm not 100% sure it is security safe. I also noticed now that the extension has configuration options to disable certain features of it. Therefore I am more willing to approve it. Nonetheless I will have to thoroughly review it.

Unknown Object (User) moved this task from Backlog to Short Term on the Technology-Team (MediaWiki) board. Sep 25 2021, 16:31
Unknown Object (User) moved this task from Unsorted to Short Term on the Universal Omega board.
Unknown Object (User) removed Unknown Object (User) as the assignee of this task. Oct 10 2021, 06:44
Unknown Object (User) added a comment. Oct 20 2021, 05:58

We might be able to approve this since there is $wgTemplateStylesExtenderEnableCssVars, but I'd like a second opinion on that, and this extension's functionality first.

Unknown Object (User) moved this task from Security Review Needed to Actions Needed (Review) on the Extensions board. Edited Oct 20 2021, 06:10

The extension code itself is fine, it's the functionality that concerns arise with. Moving out of security review needed, because it's technically approved from security, but leaving to the rest of SRE to decide whether the functionality is OK.

Unknown Object (User) added subscribers: U.ayaao.p, Excelsis, Unknown Object (User).
Unknown Object (User) added a comment. Nov 6 2021, 07:37

@RhinosF1, @Reception123 any thoughts on this?

Unknown Object (User) claimed this task. Nov 7 2021, 23:51

Installing

Unknown Object (User) closed this task as Resolved. Nov 7 2021, 23:59

Now available from Special:ManageWiki/extensions#mw-section-parserhooks