Difference between revisions of "Help talk:Editing"

From Shifti
m (First-Line Indentation?: Fixed a syntax error which hid some content.)
m (First-Line Indentation?: no, upgrading to the latest MediaWiki will not have an effect)
Revision as of 17:46, 5 February 2015

First-Line Indentation?

How do I indent the first lines of my paragraphs? — RandomDSdevel (talk) 16:01, 19 November 2014 (EST)

Maybe somebody could import Wikipedia's 'In5' template for me? — RandomDSdevel (talk) 15:45, 19 December 2014 (EST)
Hmmm…apparently, the template in question relied on a Lua script. I asked somebody over on Wikipedia about how much effort bringing a copy of the 'In5' template over here would take from that wiki's end here and here, and they said that Lua isn't available here. I assume that this could be fixed, but would somebody here be willing to do that? I'd appreciate this a lot, especially because typing '{{In5}}' is a lot faster than typing five copies of '&nbsp!'
— RandomDSdevel (talk) 14:50, 29 January 2015 (CST)
Wikipedia's In5 template uses an extension that is not, currently, in use on Shifti. That extension is called 'Scribunto' and allows for the embedding of scripting languages into MediaWiki templates and pages. According to the documentation for that extension there is currently only one language available - Lua - though there appear to be plans to allow for others.
At this point I would rather not install an extension that allows for such things, as they represent a major point of attack, and even though the Wiki is currently locked down, that will not always be the case. I am going to try and discuss this issue with at least one of the other Administrators to see what their thoughts are.
--ShadowWolf (talk) 18:46, 30 January 2015 (CST)
Ah, I should have realized that configuring all of the 'In5' template's dependencies could possibly expose Shifti to cross-site scripting attacks. Maybe the latest version of MediaWiki (1.25wmf15 as of this writing as compared to Shifti's 1.22alpha, revision 'd2ad05aae9e6d931dc138b7d8cdc39758b77b318) has better protection against such attacks? While you're looking into this, I think I'll just create a temporary replacement for the 'In5' template that I can use until you've finished discussing things or if, once you have, you decide not to set up the 'In5' template's dependencies.
— RandomDSdevel (talk) 16:13, 3 February 2015 (EST)
It is more than just a version thing - Lua is a well-sandboxed language when embedded into something using its C/C++ embedding API, but, in this case, the command-line interpreter is being called via a popen() and that means that the process will run under the same user-id as the webserver. As Shifti is hosted on a shared box this means that not only is Shifti itself threatened by what the interpreter could provide access to, but also the accounts of all the other customers of our host that are on the same server.
Call it professional paranoia, if you like, but allowing a system to execute code supplied by the end-user of a website without an administrator having reviewed it is not a good thing. Now... I am not certain that the Scribunto extension can do that, but the documentation seems to indicate that the scripts can be embedded into the page text as well as being separately stored documents. This means that any user of Shifti could add a script to, say, the sandbox that would create a shell on the server they could then access and use to implement a full attack. I am unwilling to risk that at all - no change to the script code of MediaWiki could mitigate that attack, as the function used to call the lua/other interpreter is core PHP.
--ShadowWolf (talk) 16:46, 5 February 2015 (CST)
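The distinction ShadowWolf draws is between Lua embedded in-process and a separately spawned command-line interpreter that inherits the webserver's user-id. Scribunto exposes that choice through its `$wgScribuntoDefaultEngine` setting (`luasandbox` for the in-process PHP extension, `luastandalone` for the external interpreter). The following audit script is an added example, not Shifti's configuration or Scribunto's own code; the LocalSettings.php fragments are constructed, and the risk labels are the reviewer's own assumption about which engine spawns a child process.

```python
import re

# Constructed LocalSettings.php fragments (not Shifti's real configuration).
STANDALONE_CONFIG = """
require_once "$IP/extensions/Scribunto/Scribunto.php";
$wgScribuntoDefaultEngine = 'luastandalone';
$wgScribuntoEngineConf['luastandalone']['luaPath'] = '/usr/bin/lua5.1';
"""

SANDBOX_CONFIG = """
wfLoadExtension( 'Scribunto' );
$wgScribuntoDefaultEngine = 'luasandbox';
"""

NO_SCRIBUNTO = """
$wgSitename = 'Shifti';
"""

# Either of the two ways MediaWiki loads the extension (legacy require_once or wfLoadExtension).
LOAD_RE = re.compile(r"""(wfLoadExtension\s*\(\s*['"]Scribunto['"]|require_once.*Scribunto)""")
ENGINE_RE = re.compile(r"""\$wgScribuntoDefaultEngine\s*=\s*['"](\w+)['"]""")

def audit_scribunto(settings: str) -> dict:
    """Report whether Scribunto is enabled, which engine is selected, and the resulting risk.

    'luastandalone' spawns the command-line Lua binary as a child of the PHP
    worker, so it runs with the webserver's uid (the shared-hosting concern above).
    'luasandbox' keeps Lua inside the PHP process via the C embedding API.
    """
    loaded = bool(LOAD_RE.search(settings))
    match = ENGINE_RE.search(settings)
    engine = match.group(1) if match else None
    if not loaded:
        risk = "none"          # extension not enabled; nothing to spawn
    elif engine == "luastandalone":
        risk = "high"          # external interpreter under the webserver account
    elif engine == "luasandbox":
        risk = "low"           # in-process, sandboxed engine
    else:
        risk = "unknown"       # loaded but engine not set explicitly; inspect manually
    return {"loaded": loaded, "engine": engine, "risk": risk}

if __name__ == "__main__":
    for name, cfg in [("standalone", STANDALONE_CONFIG), ("sandbox", SANDBOX_CONFIG), ("none", NO_SCRIBUNTO)]:
        print(name, audit_scribunto(cfg))
```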

Anti-Spam Acting Up Again…

Hey, I've noticed that, lately, this wiki's anti-spam tool is acting up again. It's supposed to have users authenticate using two-word (Re)CAPTCHAs, but recently it's been using less secure two-to-four–digit numbers or one word for the (Re)CAPTCHAs. Is this bad, or was this regression intentional?
— RandomDSdevel (talk) 17:46, 10 January 2015 (EST)

This might be because we've shut off most of the authentication stuff after locking out new users while we search for a replacement for Asirra. ReCaptcha failed hard, as did MathCaptcha and a few others we had tested in the past. (We tried going back to ReCaptcha after Asirra was shut down and got a massive flood of bot-signups - on the order of 40 or 50 in a 4 hour period - so...) I'm still looking, but at this time it seems like our best bet might be trying to get something like Asirra running - that style, at least, since it requires a lot of computing power or a human...
--ShadowWolf (talk) 10:31, 11 January 2015 (CST)