
Harmonize (E:RSS) $wgRSSUrlWhitelist mechanism with (core) $wgEnableImageWhitelist handling in includes/Parser/parser.php
Open, MediumPublic

Description

MediaWiki already has a framework for whitelisting image URLs via MediaWiki system pages.

	/**
	 * If $wgAllowExternalImages is false, you can allow an on-wiki
	 * whitelist of regular expression fragments to match the image URL
	 * against. If the image matches one of the regular expression fragments,
	 * The image will be displayed.
	 *
	 * Set this to true to enable the on-wiki whitelist (MediaWiki:External image whitelist)
	 * Or false to disable it
	 */
	$wgEnableImageWhitelist = true;


Version: master
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=45857

Details

Reference
bz35005

Event Timeline

bzimport raised the priority of this task to Medium. Nov 22 2014, 12:14 AM
bzimport set Reference to bz35005.

implementation tip:

see core/includes/Parser/Parser.php

		if ( !$text && $this->mOptions->getEnableImageWhitelist()
			 && preg_match( self::EXT_IMAGE_REGEX, $url ) ) {
			# One regex fragment per line of the MediaWiki:External image whitelist page
			$whitelist = explode( "\n", wfMessage( 'external_image_whitelist' )->inContentLanguage()->text() );
			foreach ( $whitelist as $entry ) {
				# Sanitize the regex fragment, make it case-insensitive, ignore blank entries/comments
				if ( strpos( $entry, '#' ) === 0 || $entry === '' ) {
					continue;
				}
				# The fragment is wrapped in '/.../i' as-is, so it is unanchored unless the entry anchors itself
				if ( preg_match( '/' . str_replace( '/', '\\/', $entry ) . '/i', $url ) ) {
					# Image matches a whitelist entry
					$text = Linker::makeExternalImage( $url );
					break;
				}
			}
		}
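The loop above fixes the whitelist syntax that E:RSS would inherit from core: one regex fragment per line, `#` lines and blank lines skipped, `/` escaped, case-insensitive and, because the fragment is used as-is, unanchored. The following stand-alone PHP is an added example, not code from MediaWiki core or Extension:RSS; it reimplements that loop as a plain function and runs it over a constructed whitelist to show that an unanchored fragment also matches inside the path or query string of an unrelated host, which matters if the point of the list is that feeds only come from trusted sources. The function name `rssUrlMatchesWhitelist` and the whitelist text are assumptions made for the illustration.

```php
<?php
// Added example, not code from MediaWiki core or Extension:RSS.
// Reimplements the external_image_whitelist matching rules as a stand-alone
// function so the syntax can be exercised without a wiki. The function name
// and the whitelist contents below are assumptions for this illustration.

/**
 * Return true if $url matches one of the regex fragments in $whitelistText,
 * using the same rules as core's external_image_whitelist handling:
 * one fragment per line, blank lines and lines starting with '#' are skipped,
 * '/' is escaped, and matching is case-insensitive and unanchored.
 */
function rssUrlMatchesWhitelist( string $url, string $whitelistText ): bool {
	foreach ( explode( "\n", $whitelistText ) as $entry ) {
		if ( $entry === '' || strpos( $entry, '#' ) === 0 ) {
			continue;
		}
		$pattern = '/' . str_replace( '/', '\\/', $entry ) . '/i';
		// preg_match() returns false (plus a warning) for an invalid fragment;
		// comparing against 1 treats that as "no match" rather than "allowed".
		if ( preg_match( $pattern, $url ) === 1 ) {
			return true;
		}
	}
	return false;
}

// Constructed whitelist text standing in for a system message such as a
// hypothetical MediaWiki:Rss-whitelist page (page name is an assumption).
$whitelistText = "# Trusted feed hosts\n"
	. "example\\.org/feed\n"                // escaped dot, but unanchored
	. "^https://blog\\.example\\.net/\n";   // anchored at the start of the URL

// Constructed URLs with the result the whitelist semantics give for each.
$cases = [
	'https://example.org/feed/atom'            => true,   // intended match
	'HTTPS://EXAMPLE.ORG/FEED'                 => true,   // case-insensitive
	'https://blog.example.net/rss.xml'         => true,   // anchored entry
	'https://evil.example/?u=example.org/feed' => true,   // unanchored fragment matches in the query string
	'https://blog.example.net.evil.test/rss'   => false,  // trailing '/' in the anchored entry stops this
	'https://attacker.test/blog.example.net/'  => false,  // '^' prevents matching mid-URL
];

foreach ( $cases as $url => $expected ) {
	$got = rssUrlMatchesWhitelist( $url, $whitelistText );
	printf( "%-45s %s%s\n", $url, $got ? 'allowed' : 'blocked',
		$got === $expected ? '' : '  <-- unexpected' );
}
```

The fourth case is the one to keep in mind before copying the core mechanism into E:RSS: an entry like `example\.org/feed` allows a feed served from any host whose URL merely contains that substring, so entries in a list meant to express "trusted sources" should anchor themselves (`^https://...`) and escape their dots, as the last whitelist line does.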
*** Bug 55940 has been marked as a duplicate of this bug. ***

The summary is completely incomprehensible for me, but according to what you said on bug 45857 this blocks bug 56287.

(In reply to comment #3)

> The summary is completely incomprehensible for me,

Harmonization of "whitelist" handling inside the extension RSS (in other words: E:RSS should use the same code and syntax as MediaWiki core does for $wgEnableImageWhitelist).

> but according to what you said on bug 45857 this blocks bug 56287.

Yes

What is the security threat model for rss whitelisting anyways? Mostly asking from a curiosity pov, but also one should make sure the threat models are compatible before copying the image whitelist from core.

(In reply to comment #5)

> What is the security threat model for rss whitelisting anyways? Mostly asking
> from a curiosity pov, but also one should make sure the threat models are
> compatible before copying the image whitelist from core.

The whitelist method was introduced a long time ago, requested by Brion, as far as I remember, because RSS should only be included from trusted sources. Brion, please can you comment on that?

Aklapper subscribed.

[Resetting task assignee to avoid cookie-licking. Please reclaim the task when you plan to actively work on this task. Thanks!]