Hi,
A new episode of the MediaWiki podcast "Between the Brackets" is out - this
one is an interview with Liam Wyatt, also known as Wittylama, a longtime
Wikimedian who is currently the community liaison for the new Wikimedia
Enterprise API project:
https://betweenthebrackets.libsyn.com/episode-84-liam-wyatt
And while we're at it, now I realize I forgot to send emails about the two
previous episodes. So here they are:
Jeffrey Wang, founder of the MediaWiki-based wiki farm MyWikis:
https://betweenthebrackets.libsyn.com/episode-82-jeffrey-wang
Alexander Mashin, administrator of the Russian wiki Traditio:
https://betweenthebrackets.libsyn.com/episode-81-alexander-mashin
I encourage you to check out all three episodes - they are all interesting
in their own way.
-Yaron
--
WikiWorks · MediaWiki Consulting · http://wikiworks.com
Hi Everyone,
I'm seeing some funny business in our log files.
[Thu Apr 08 10:52:20.225624 2021] [php7:notice] [pid 1823] [client
71.179.5.32:29418] PHP Notice: Unknown: file created in the system's
temporary directory in Unknown on line 0, referer:
https://www.cryptopp.com/w/index.php?title=Linux&action=edit
We override the upload directory for Apache, so nothing should be
written to the system's temporary directory:
# grep -IR 'temp_dir' /etc
/etc/php/7.4/cli/php.ini:; Defaults to the system default (see sys_get_temp_dir)
/etc/php/7.4/cli/php.ini:;sys_temp_dir = "/tmp"
/etc/php/7.4/apache2/php.ini:; Defaults to the system default (see
sys_get_temp_dir)
/etc/php/7.4/apache2/php.ini:sys_temp_dir = "/var/lib/php/tmp"
And:
# ls -Al /var/lib/php
drwxr-xr-x 3 www-data www-data 4096 Mar 31 17:04 modules
drwx-wx-wt 2 www-data www-data 4096 Mar 27 2020 sessions
drwxr-xr-x 2 www-data www-data 4096 Apr 8 11:37 tmp
And:
# grep base /etc/php/7.4/apache2/conf.d/99-security.ini
open_basedir="/var/www/html/:/var/lib/php/"
We are not sure what is going on. I guess we missed a setting somewhere.
How is the attacker creating files on the system given they are not logged in?
Thanks in advance.
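A short diagnostic script, added here as an example and not part of the thread. Two things are worth checking in the configuration quoted above: the `grep 'temp_dir'` matches `sys_temp_dir` but not `upload_tmp_dir`, and `upload_tmp_dir` is the setting that decides where PHP stores multipart file uploads. PHP handles that upload before any script (or any MediaWiki authentication) runs, which is why the notice carries "Unknown on line 0", and when `upload_tmp_dir` is unset or unusable PHP falls back to the system temporary directory and logs exactly this notice. The script reports both settings and checks them against `open_basedir`; the php.ini path in the comment is an assumption.

```php
<?php
// Added example (not from the mailing-list thread): report where PHP will
// actually place upload temp files and tempnam() fallbacks, and whether those
// directories are inside open_basedir. Run it with the Apache php.ini, e.g.
//   php -c /etc/php/7.4/apache2/php.ini audit_tmp.php
// (the path is an assumption; adjust to your installation).

function normalizeDir(string $dir): string {
    $real = realpath($dir);
    return rtrim($real === false ? $dir : $real, '/') . '/';
}

// True if $path lies under one of the open_basedir entries (or if there is
// no open_basedir restriction at all).
function insideOpenBasedir(string $path, string $openBasedir): bool {
    if ($openBasedir === '') {
        return true;
    }
    $path = normalizeDir($path);
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $base) {
        if (strpos($path, normalizeDir($base)) === 0) {
            return true;
        }
    }
    return false;
}

function auditTempDirs(): array {
    $uploadTmp = (string) ini_get('upload_tmp_dir');
    $sysTmp    = sys_get_temp_dir();  // honours sys_temp_dir, else TMPDIR or /tmp
    $basedir   = (string) ini_get('open_basedir');

    $findings = [];
    // upload_tmp_dir is independent of sys_temp_dir: if it is unset or not
    // writable, every multipart upload falls back to the system temp dir and
    // PHP logs "file created in the system's temporary directory".
    if ($uploadTmp === '') {
        $findings[] = "upload_tmp_dir is unset: uploads fall back to $sysTmp";
    } elseif (!is_dir($uploadTmp) || !is_writable($uploadTmp)) {
        $findings[] = "upload_tmp_dir=$uploadTmp is missing or not writable";
    } elseif (!insideOpenBasedir($uploadTmp, $basedir)) {
        $findings[] = "upload_tmp_dir=$uploadTmp is outside open_basedir";
    }
    if (!insideOpenBasedir($sysTmp, $basedir)) {
        $findings[] = "sys_get_temp_dir()=$sysTmp is outside open_basedir";
    }
    return [
        'upload_tmp_dir'   => $uploadTmp,
        'sys_get_temp_dir' => $sysTmp,
        'open_basedir'     => $basedir,
        'findings'         => $findings,
    ];
}

foreach (auditTempDirs() as $key => $value) {
    if (is_array($value)) {
        echo "$key:\n  ", ($value ? implode("\n  ", $value) : 'none'), "\n";
    } else {
        echo "$key: $value\n";
    }
}
```

If the report shows `upload_tmp_dir` unset, pointing it at a writable directory inside `open_basedir` (for example the same `/var/lib/php/tmp` already used for `sys_temp_dir`) makes the notice go away and keeps upload temp files where the wiki's own temp files live. Unmoved upload temp files are deleted by PHP at the end of the request, so the notice on its own is a configuration finding rather than evidence of a compromise.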
Hi Everyone,
I'm looking for a Syntax Highlighter for MW 1.35. The rub is, the
extension cannot shell out like the current Syntax Highlighter.[1] Our
wiki disables nearly all of those kinds of functions.
[1] https://www.mediawiki.org/wiki/Extension:SyntaxHighlight
Rather, the extension needs to have (or install via Composer), a
Python or PHP compatible library for its use. (Is this considered
"native" in the web world?)
Would someone recommend a Syntax Highlighter that uses PHP libraries
and does not shell out, please?
Hi Everyone,
We migrated to MW 1.35.2 yesterday. The migration went well and
everything seems to work as expected.
Today I clicked on Watchlists and found the page load is hanging. I've
got the three pulsating circles and some text, but the page does not
finish loading. The text is:
17 pages are on your Watchlist (plus talk pages). Email notification
is enabled. Changes to pages you haven't visited since the changes
occurred are in bold, with solid markers.
There are no Mediawiki errors from PHP. There is nothing in error.log.
The access.log shows this:
x.x.x.x - - [10/Apr/2021:10:37:17 +0000] "GET /wiki/Special:Watchlist
HTTP/1.1" 200 7245
x.x.x.x - - [10/Apr/2021:10:37:17 +0000] "GET
/w/resources/assets/poweredby_mediawiki_132x47.png HTTP/1.1" 304 -
x.x.x.x - - [10/Apr/2021:10:37:17 +0000] "GET
/w/load.php?lang=en&modules=startup&only=scripts&raw=1&skin=vector
HTTP/1.1" 200 11895
x.x.x.x - - [10/Apr/2021:10:37:17 +0000] "GET
/w/load.php?lang=en&modules=jquery%2Coojs%2Coojs-ui-core%2Coojs-ui-widgets%2Csite%7Cjquery.client%2Ccookie%2CmakeCollapsible%7Cjquery.makeCollapsible.styles%7Cmediawiki.String%2CTitle%2CUri%2Capi%2Cbase%2Ccldr%2Ccookie%2CjqueryMsg%2Clanguage%2Cuser%2Cutil%2Cwidgets%7Cmediawiki.libs.pluralruleparser%7Cmediawiki.page.ready%2Cstartup%7Cmediawiki.rcfilters.filters.dm%2Cui%7Cmediawiki.special.changeslist.legend.js%7Cmediawiki.special.recentchanges%2Cwatchlist%7Cmediawiki.widgets.styles%7Coojs-ui-core.icons%2Cstyles%7Coojs-ui-widgets.icons%7Coojs-ui-windows.icons%7Coojs-ui.styles.icons-content%2Cicons-editing-core%2Cicons-editing-styling%2Cicons-interactions%2Cicons-layout%2Cicons-media%2Cicons-moderation%2Cindicators%7Cskins.vector.legacy.js%7Cuser.defaults&skin=vector&version=1y7vj
HTTP/1.1" 304 -
Any thoughts on how to finish loading the Watchlist page?
Jeff
Hi Everyone,
I'm trying to track down what is the cause of the non-logged-in user
and the 0-sized file written to /tmp. I'm having trouble auditing the
use of tempnam for my Mediawiki installation.
I think Mediawiki should provide a wrapper for tempnam, like
$wfTempName(...). Ensure the wrapper uses sys_get_temp_dir().
Additionally, the Mediawiki linter should flag direct use of tempnam
and point authors to use the wrapper function.
Even better, provide a complete wrapper for the tempnam so tempnam is
not used. Allow us to put tempnam on the banned function list.
Here's the PHP documentation on tempnam:
https://www.php.net/manual/en/function.tempnam.php.
Here's what we get back when trying to audit the use of tempnam:
# grep -wIR tempnam /var/www/html/w 2>/dev/null | grep -v sys_get_temp_dir
/var/www/html/w/includes/import/WikiImporter.php: $filename =
tempnam( wfTempDir(), 'importupload' );
/var/www/html/w/includes/import/ImportableUploadRevisionImporter.php:
$tempo = tempnam( wfTempDir(), 'download' );
/var/www/html/w/includes/diff/TextSlotDiffRenderer.php:
$tempName1 = tempnam( $tmpDir, 'diff_' );
/var/www/html/w/includes/diff/TextSlotDiffRenderer.php:
$tempName2 = tempnam( $tmpDir, 'diff_' );
/var/www/html/w/includes/resourceloader/ResourceLoaderImage.php:
$tempFilenameSvg = tempnam( wfTempDir(), 'ResourceLoaderImage' );
/var/www/html/w/includes/resourceloader/ResourceLoaderImage.php:
$tempFilenamePng = tempnam( wfTempDir(), 'ResourceLoaderImage' );
/var/www/html/w/includes/GlobalFunctions.php: $oldtextFile = fopen(
$oldtextName = tempnam( $td, 'merge-old-' ), 'w' );
/var/www/html/w/includes/GlobalFunctions.php: $mytextFile = fopen(
$mytextName = tempnam( $td, 'merge-mine-' ), 'w' );
/var/www/html/w/includes/GlobalFunctions.php: $yourtextFile =
fopen( $yourtextName = tempnam( $td, 'merge-your-' ), 'w' );
/var/www/html/w/includes/GlobalFunctions.php: $oldtextFile = fopen(
$oldtextName = tempnam( $td, 'merge-old-' ), 'w' );
/var/www/html/w/includes/GlobalFunctions.php: $newtextFile = fopen(
$newtextName = tempnam( $td, 'merge-your-' ), 'w' );
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php_laravel_blade.js:tcpwrap_check|tempnam|textdomain|tidy|tidy_access_count|tidy_config_count|tidy_diagnose|tidy_error_count|tidy_get_error_buffer|\
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php_laravel_blade.js:
"tempnam": [
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php_laravel_blade.js:
"string tempnam(string dir, string prefix)",
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php.js:tcpwrap_check|tempnam|textdomain|tidy|tidy_access_count|tidy_config_count|tidy_diagnose|tidy_error_count|tidy_get_error_buffer|\
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php.js: "tempnam": [
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php.js:
"string tempnam(string dir, string prefix)",
/var/www/html/w/maintenance/mwdocgen.php: $tmpFile = tempnam(
wfTempDir(), 'MWDocGen-' );
/var/www/html/w/vendor/phpunit/phpunit/src/Util/PHP/DefaultPhpProcess.php:use
function tempnam;
/var/www/html/w/vendor/zordius/lightncandy/src/LightnCandy.php:
$fn = tempnam($tmpDir, 'lci_');
/var/www/html/w/vendor/phan/phan/src/Phan/Plugin/Internal/UseReturnValuePlugin.php:
'tempnam' => true,
/var/www/html/w/vendor/phan/phan/src/Phan/Language/Internal/FunctionSignatureMapReal_php73.php:'tempnam'
=> '?false|?string',
/var/www/html/w/vendor/phan/phan/src/Phan/Language/Internal/FunctionSignatureMap.php:'tempnam'
=> ['string|false', 'dir'=>'string', 'prefix'=>'string'],
/var/www/html/w/vendor/phan/phan/src/Phan/Language/Internal/FunctionSignatureMapReal.php:'tempnam'
=> 'false|string',
/var/www/html/w/vendor/phan/phan/src/Phan/Language/Internal/FunctionDocumentationMap.php:'tempnam'
=> 'Create file with unique file name',
/var/www/html/w/vendor/psy/psysh/src/Configuration.php: return
\tempnam($this->getRuntimeDir(), $type . '_' . $pid . '_');
/var/www/html/w/vendor/psy/psysh/src/Command/EditCommand.php:
$filePath = \tempnam($this->runtimeDir, 'psysh-edit-command');
/var/www/html/w/vendor/composer/xdebug-handler/src/XdebugHandler.php:
if (!$this->tmpIni = @tempnam($tmpDir, '')) {
/var/www/html/w/vendor/pear/pear-core-minimal/src/System.php:
$tmp = tempnam($tmpdir, $prefix);
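The wrapper proposed in the message above, sketched as an added example; this is not MediaWiki code and the name `safeTempName()` is hypothetical. The PHP manual page linked above documents the behaviour the wrapper guards against: when the requested directory does not exist or is not writable, `tempnam()` may create the file in the system's temporary directory instead. The wrapper defaults to `sys_get_temp_dir()` as the message asks, and after the call verifies that the file really landed in the requested directory, removing it and failing loudly otherwise.

```php
<?php
// Added example, not from MediaWiki: a tempnam() wrapper that refuses the
// silent fallback to the system temporary directory. safeTempName() is a
// hypothetical name; a real wrapper would pass wfTempDir() as $dir.

function safeTempName(?string $dir, string $prefix): string {
    $dir = $dir ?? sys_get_temp_dir();
    $wantDir = realpath($dir);
    if ($wantDir === false || !is_dir($wantDir) || !is_writable($wantDir)) {
        throw new RuntimeException("temporary directory not usable: $dir");
    }
    // Silence the fallback notice; the fallback is detected explicitly below.
    $path = @tempnam($wantDir, $prefix);
    if ($path === false) {
        throw new RuntimeException("tempnam() failed in $wantDir");
    }
    $realPath = realpath($path);
    $gotDir = $realPath === false ? false : dirname($realPath);
    if ($gotDir !== $wantDir) {
        // tempnam() fell back to another directory: do not leave the stray file.
        @unlink($path);
        throw new RuntimeException(
            "tempnam() created the file in " . var_export($gotDir, true) . " instead of $wantDir"
        );
    }
    return $path;
}

// Usage: a file in the configured temp dir, and a refused fallback.
$tmp = safeTempName(null, 'demo-');
file_put_contents($tmp, "hello\n");
echo "created $tmp\n";
unlink($tmp);

try {
    safeTempName('/nonexistent/dir', 'demo-');   // constructed bad directory
} catch (RuntimeException $e) {
    echo "refused: ", $e->getMessage(), "\n";
}
```

With a wrapper like this in place, direct calls to `tempnam()` in the core code listed above can be replaced and the bare function added to a forbidden-functions lint rule, so new code cannot reintroduce the unchecked call; the `vendor/` and `extensions/` hits in the grep output are third-party code and would need to be handled upstream or accepted as known exceptions.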
Hi all,
Tomorrow we will be issuing a security and maintenance release to all
supported branches of MediaWiki. This has been delayed by a week versus the
usual schedule, as making a security release last week on 1st April ("April
Fools") was deemed not a great idea.
The new releases will be:
- 1.31.13
- 1.35.2
This will resolve 3 issues in MediaWiki core, 2 issues in bundled
extensions (one of which doesn't apply to REL1_31), and also includes some
fixes previously committed to git, including minor security and hardening
patches along with bug fixes included for maintenance reasons.
We will make the fixes available in these respective release branches, and
also master. Tarballs will be available for the above mentioned point
releases as well.
A summary of some of the security fixes that have gone into non-bundled
MediaWiki extensions will also follow.
[1] https://www.mediawiki.org/wiki/Version_lifecycle
Hello Dear,
Sorry for cross posting.
I have proposed a project grant to improve documentation of MediaWiki
maintenance scripts, to be reviewed during this grants round.
The proposal is at
https://meta.wikimedia.org/wiki/Grants:Project/Jayprakash12345/Improve_docu…
If you have any suggestions or feedback, please let me know or create a
topic on the talk page.
Regards,
Jay Prakash (he/him)