
Code review for use of SMW in MediaWiki.Org
Closed, Declined (Public)

Description

Author: dan.bolser

Description:
The idea is to use SMW to manage MediaWiki extensions. The associated email discussion that took place on semediawiki-user@lists.sourceforge.net is included below.

The requirement for including an extension in http://MediaWiki.Org is that it gets a code review from a MW staffer (i.e. TimStarling). However, it seems that before he looks at the code, it should be rewritten to conform to the security guidelines spelled out on http://MediaWiki.Org:

http://www.mediawiki.org/wiki/Manual:Security
http://www.mediawiki.org/wiki/Security_for_developers

This bug is to track the status of that rewrite, specifically for the SMW core code. We can create dependent bugs for the SF / SD / SRF / etc. extensions. I think the best approach is to work on one extension at a time, starting with SMW core.

More information:

For example, Tim found a problem in the SF extension (an XSS vulnerability in Special:CreateForm):

He created a template called:

Template:" onclick="alert('hello');" foo=

and when called from within the combo box of Special:CreateForm, it did just that!

Email discussion:

2009/11/20 Laurent Alquier <laurent@alquier.org>:

I had an idea last night to help make SMW more visible.

Use SMW to manage MediaWiki extensions.

The current list of extensions is a mess. There is no way to query them at all. The lists on the index page are static and (I hope) updated by a script.

They already use an 'Extension' template. How hard could it be to set up SMW + forms on the MediaWiki site and replace the 'Extension' template with a semantic template?

2009/11/22 Jan Steinman <Jan@bytesmiths.com>:

Yes!

Whenever I think, "Someone must have already done an extension for this thing I want to do," I get depressed at the hours of work it will take for me to tease it out.

2009/11/22 Krabina Bernhard <krabina@kdz.or.at>:

that's an excellent idea!!

IRC discussion:

17:22 < faceface> hi RoanKattouw
17:22 < faceface> on the Semantic MediaWiki mailing list the discussion about potentially running SMW on mediawiki.org just came up
17:23 < faceface> do you think it would be a possibility to run SMW on MW.org?
17:23 < RoanKattouw> For that to happen it would first have to be reviewed by a staff member
17:23 < RoanKattouw> In practice, that means Tim
17:24 < RoanKattouw> Reviewing SMW is not something you do on a rainy Sunday night
17:24 < RoanKattouw> faceface: I mean reviewing the actual code
17:24 < RoanKattouw> Which I imagine is pretty large
17:25 < faceface> A code review would be really welcome though
17:25 < faceface> what could SMW devs do to make it easier?
17:26 < RoanKattouw> Well not much I guess, they can hardly review their own code
17:26 < RoanKattouw> They could verify that all the DB queries SMW runs are properly indexed, you know, run EXPLAIN on them

...

<TimStarling> faceface_: I just opened the source of a random special page and found an XSS vulnerability in about 10 seconds
<TimStarling> it's persistent:
http://www.bioinformatics.org/wiki/Special:CreateForm
<Platonides> I see the " onclick="alert("hello"); inside the combo
<TimStarling> it works as advertised
<Platonides> at last
<Platonides> the event wasn't firing

It seems like a waste of my time to review this thing when the quality
is so low and the errors are so obvious. Surely anyone could see those
sorts of things if they bothered to look. Maybe if it were rewritten to
conform with the security guidelines I've spelled out on mediawiki.org
then I'd be interested.

-- Tim Starling

Version: unspecified
Severity: enhancement
URL: http://MediaWiki.Org
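The Special:CreateForm issue described in the report above, as an added example that is not SMW or SemanticForms code: the template name from the report is concatenated into a `<select>` option unescaped, beside the attribute-context escaping the MediaWiki security guidelines call for, plus a review-time check that parses the rendered fragment and flags any event-handler attribute. All function names are constructed for illustration.

```php
<?php
// Added example, not SMW or SemanticForms code. The template name is the
// one from the bug report; everything else is constructed for illustration.
$templateName = '" onclick="alert(\'hello\');" foo=';

// Vulnerable pattern: the page title is concatenated straight into the
// option markup. The embedded quote closes value="..." and the rest of the
// name is parsed as real attributes, including onclick.
function renderOptionUnsafe(string $name): string
{
    return '<option value="' . $name . '">' . $name . '</option>';
}

// Fixed pattern: escape for the HTML attribute context before concatenating.
// ENT_QUOTES matters: without it PHP leaves single quotes untouched, which is
// enough for an injection inside a single-quoted attribute.
function renderOptionSafe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return '<option value="' . $escaped . '">' . $escaped . '</option>';
}

// Review-time check: parse the rendered fragment the way a browser would and
// report whether any element carries an on* event-handler attribute. A plain
// substring search would false-positive on the escaped "&quot; onclick=&quot;".
function hasEventHandlerAttribute(string $fragment): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // the malformed markup is the point
    $doc->loadHTML('<select>' . $fragment . '</select>');
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('*') as $element) {
        foreach ($element->attributes as $attribute) {
            if (stripos($attribute->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

// The unsafe rendering carries an onclick attribute; the escaped one does not.
echo renderOptionUnsafe($templateName), "\n";
echo renderOptionSafe($templateName), "\n";
var_dump(hasEventHandlerAttribute(renderOptionUnsafe($templateName)));
var_dump(hasEventHandlerAttribute(renderOptionSafe($templateName)));
```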

Details

Reference
bz21602

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:50 PM
bzimport set Reference to bz21602.

The SMW core developers are well aware of the guidelines at http://www.mediawiki.org/wiki/Security_for_developers and bugs in third-party extensions should not be mixed up with SMW. There is of course always a possibility of human error, and more should be done to make the SMW code more readable/reviewable.

The main tasks I see for this bug are:

  • Organise independent code review by a developer who did not write SMW and generate a first assessment of readability/security based on this. Volunteers are welcome, but we will also proactively recruit some people to do this.
  • Define which core features are actually required for the first SMW version to run on mediawiki.org. SMW is very modular, and features can be removed to reduce reviewing effort. I am not sure who to approach for this; maybe we should develop a proposal.
  • Improve readability of the SQL access code. It is currently the longest piece of code (due to many similar but different ways of reading data of various types), and I see that it will be hardest to review.

The current structure of SMW's code and the associated lines of code can be seen at http://semantic-mediawiki.org/wiki/SMW_source_code_structure

I'm pretty sure my comment quoted above was in response to a request to review SemanticForms; I wasn't implying SMW is in the same boat.

dan.bolser wrote:

Some preliminary work to create a demonstration of the advantages of using SMW to handle extensions was undertaken at the following SMW site:

http://extensions.referata.com/wiki/Main_Page

However, more work needs to be put into that site to make it a convincing demonstration of the benefits of SMW.

From my understanding of the current situation, this bug should be closed. If you believe this to be in error, you can blame me, the new guy.

Please pardon the noise.

dan.bolser wrote:

Yeah, it's a shame (I think SMW could be very useful on MW.Org, for example), but there is no concerted will in either community to do this.

Cheers,