User talk:Bawolff

Extension: write-whitelist namespace
I just saw your Extension:Whitelist Namespaces, works great! Thank you :) Would it be difficult to change it to write-whitelist an entire namespace? On what line in the code do I need to look? Thanks Mauro Bieg 07:57, 29 June 2010 (UTC)
 * Should be fairly easy, just change the if ($action == 'read') { to if ($action == 'edit') { Should work (but I have not tested). Bawolff 18:56, 29 June 2010 (UTC)
 * Thank you for your quick reply! Unfortunately it doesn't work for me, even an  doesn't.. :S so apparently it isn't enough setting that $result to TRUE.. whatever exactly happens afterwards. Mauro Bieg

Google Summer of Code 2010
Thanks for expressing an interest in MediaWiki for Google Summer of Code 2010. Please note (if you haven't already done so) that you must apply and submit a proposal at http://socghop.appspot.com/gsoc/student/apply/google/gsoc2010 by April 9 at the latest or a slot will not be reserved. Thanks! -- RobLa 19:38, 1 April 2010 (UTC)
 * Thank you for the message. I will do that. Bawolff 19:43, 1 April 2010 (UTC)

Extension:DynamicPageList_(third-party)
Hi, you added a warning to this extension. Can you please explain what the risk means for sites with this extension? I want to know if I should uninstall it or if I can still use it. Thanks for your answer. 145.94.74.23 15:20, 17 July 2010 (UTC)
 * Hi. Basically the warning means that someone with knowledge of the insides of that extension would be able to inject HTML (including JavaScript) into your page if you have the extension enabled. Someone could potentially exploit this to put code in the wikipage to make anyone who views that wikipage make edits to some other page, for example. Another example is someone could put code into a wikipage that causes everyone who views that page to be redirected to another website. The most recent version of the extension is slightly harder to exploit, but someone familiar with the internals of that extension could still exploit it. See also Cross-site_scripting and 24199. As a side note, if you're only using the basic features of the extension, you could try using extension:DynamicPageList (Wikimedia), which does not have the above-mentioned security issues but has significantly fewer features. Bawolff 15:50, 17 July 2010 (UTC)
 * Thanks for the explanation. One more question: Does someone need to log in and be able to edit pages on the site to use this exploit? Or is it something that can be used without any rights? 145.94.74.23 15:20, 18 July 2010 (UTC)
 * Yes, one would need to be able to edit. Basically the exploit is that someone can use the DPL extension to make part of the page behave as if manual:$wgRawHtml was set to true. Thus, all the warnings that apply to that setting also apply to that extension. If it's a private wiki and you trust everyone who has access, you should be fine. Bawolff 21:16, 18 July 2010 (UTC)
 * Ah, great. That's good to know. Thank you very much for answering the questions. Would it be useful to copy this discussion to the talk page of the mod, or at least link to it? 145.94.74.23 18:24, 20 July 2010 (UTC)
 * Feel free to if you want. Bawolff 20:14, 20 July 2010 (UTC)


 * I've just sent an email to two of the maintainers of this extension, so they are aware of this. --Ciencia Al Poder 17:32, 23 July 2010 (UTC)
 * Cool. Although as a side note, I think Algorithmix is the only semi-active maintainer of the extension. Bawolff 20:52, 23 July 2010 (UTC)

Maybe you know... would 'RunFromProtectedPagesOnly' setting (from here) be enough to make DPL usage safe? Wassily Steik 07:38, 12 August 2010 (UTC)
 * Assuming that it's implemented correctly, I believe it should (at least for the issue I found. I have not read the entire source code so there could potentially be other things wrong with it, etc., so no guarantees, etc.) Bawolff 07:49, 12 August 2010 (UTC)
 * Thanks. Well, at least it makes DPL usable... Of course, I'll check this twice before enabling it. E.g. currently this option allowed DPL on semiprotected pages (I've already fixed this on my copy - in DPLMain.php under 'Initialization' comment). Wassily Steik 08:10, 12 August 2010 (UTC)
 * I should mention, this of course assumes you trust all your admins :P. Bawolff 08:12, 12 August 2010 (UTC)
 * Well, I understand this :) Fortunately, on my small project that's not a problem. Wassily Steik 08:25, 12 August 2010 (UTC)

DPL issues?
Hello Bawolff, I saw that you are concerned about DPL regarding security (HTML injection). I plan to work on a major new DPL release in January 2011. Currently DPL switches silently to allow HTML for internal purposes and switches back once it has finished. A user knowing this might inject HTML code or even JavaScript, as you clearly explained. I plan to restructure the code and to avoid such risks (at least in a default configuration setting). Would you be willing to review or maybe give some advice when I start working on the changes? Algorithmix 07:04, 29 October 2010 (UTC)