Extension:WhiteList/Security Issues

Security Issues

This is an attempt to document how the Whitelist extension copes with various security concerns described at Security issues with authorization extensions. Note that, while this system is in production use, the extension authors make no warranty that the following information is complete or accurate (although we believe it to be so). If you find any security issues with this extension that are not described here, please let us know on the talk page.

There is a greater chance of security issues in the read protection system, due to MediaWiki's architecture. So, denying read access should be seen as a "nothing to see here, move along" sort of thing rather than an absolute guarantee of secrecy.

Function/Test Check for WhiteList extension
Inclusion/transclusion
  • Can you access protected pages via {{:protected article}}? What if you use multiple levels (transclusions within transclusions)?
  • Can you circumvent a transclusion protection by using the transclusion in edit preview mode?
Potential security issue. Transclusion is not affected by the UserCan hook, so the WhiteList extension cannot block protected pages from being transcluded. The suggested configuration is to use $wgNonincludableNamespaces (MW 1.10+/rev:19934) to allow transclusion only from the Template: namespace. In previous MW versions, the NonincludableNamespaces extension can fulfill the same purpose.
XML export (Special:Export)
  • Is it possible to export the contents of a protected page?
Potential security issue. Using MW 1.10 (rev:19935), it is not possible to export the contents of a protected page. In previous MW versions, users with access to Special:Export can export any protected page. (A workaround would be to keep Special:Export blocked.)
Atom/RSS feeds
  • Does the article get delivered? With diff or full content?
There are two feeds, one on the Recent changes special page and the other on the page history. Additional feeds may be provided by extensions.
Potential security issue. This was addressed through a combination of fixes in MW 1.10 (rev:19944) and MW 1.12 (rev:25944). In previous versions, it is recommended that users disable feeds to eliminate this security issue. (See Disable feeds.)
Listings & search
  • Are non-readable pages listed on the Special:Search page? Are excerpts shown? (See also bugzilla:8825)
  • Are non-readable pages listed on Special:Recentchanges or Special:Allpages?
  • Are non-readable pages listed on other special pages, such as Lonelypages, etc.?
Potential security issue. In MW 1.10+ (rev:21821), the search page no longer shows excerpts from pages that are not readable (but titles will still be listed). In previous versions, the Special:Search page should not be whitelisted if you do not want page excerpts to be displayed in a search.
Diff & revision links
  • Can a direct link to a page diff be used to show text from a protected page? How about a diff between a revision of an unprotected and a revision of a protected page, by manipulating the revision IDs?
  • Can you use a permanent link (revision link) to an old version to read a page you shouldn't read? How about a link that has a revision ID belonging to a different page than the title refers to, by manipulating the URL?
No known issues. This should be OK on recent versions of MediaWiki, according to Security issues with authorization extensions.
Action links
  • Can you use action=raw or action=render options to read a page you shouldn't read?
  • Can you access a printable version of a page you shouldn't read?
  • Can a direct link to the edit page be used to view page contents of a protected page?
No known issues. This should be OK on recent versions of MediaWiki, according to Security issues with authorization extensions.
Related rights
  • Does the extension prevent a user from creating a new page that he won't have read access to?
  • Can you move or rename a page that you have read access to but not write access to?
  • Can you read a discussion page of a page you don't have read access to? Can you write a discussion page of a page you don't have write access to, unless this is specifically allowed by you?
No known issues.
  • The user is prevented from creating a new page that he won't have access to.
  • You cannot move or rename a page that you have read-only access to.
  • You cannot read/write to a discussion page unless you have explicit read/write access to that page.
Author backdoor
Some extensions always allow the original author of a page to access it, ignoring later access restrictions.
No known issues. The WhiteList extension does not feature an author backdoor.
Caching
$wgEnableParserCache (enabled by default) caches articles between users. $wgEnableSidebarCache (not enabled by default) performs a similar function for the sidebar. If the extension could send different pages to different users, it might be incompatible with this caching.
Unknown risk. We have not experienced exposure of articles due to MW caching, but we will investigate this issue further.
Files & Images
  • Can you download a file directly regardless of read access to its associated article?
  • Can you download a thumbnail of an image file directly regardless of read access to its associated article?
  • Can you upload or delete an image regardless of write access to its associated article?
Potential security issue. Since uploaded files are normally served directly by the web server, not through MediaWiki, it's not easily possible for extensions to prevent access. The extension authors used Manual:Image Authorisation to set up access restrictions for images, although this access cannot be set up on a per-image, per-user basis.
Redirects
  • If a user has permission to view a redirect but not the page it points to, are they still redirected?
  • If a user has permission to view a page but not a redirect that points to that page, can they access the page via the redirect?
No known issues.
  • If a user has permission to view a redirect but not the page it points to, they are still redirected, but cannot view the page to which the redirect points.
  • If a user has permission to view a page but not a redirect that points to that page, they cannot access the page via the redirect (since the redirect is not accessible).
Edit Section
  • Can a user use the 'edit section' feature for a page, even though they can't edit the full page (either through the interface or by changing the URL)?
  • Can a user use the 'edit section' feature for pages they have been granted access to?
No known issues. This extension uses the userCan hook, which handles this issue.
Other extensions
  • Can a user use other extensions to view part of a page? Think of DynamicPageList or Semantic MediaWiki, which provide ways to query the database for certain pages or properties.
If the extension uses the userCan hook, WhiteList will provide security functionality (although the exact functionality depends on the implementation of the extension). If the extension uses a special page, that special page could be blocked using this extension. For other extensions, the user is responsible for understanding and reviewing the other extensions on their MW installation to understand their risk.
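
The configuration suggested in the Inclusion/transclusion row above, written out as a LocalSettings.php fragment. This is an added example, not code from the extension authors; the variable names $wlCoreNamespaces and $wlCustomNamespaces are hypothetical, and it assumes any custom namespaces are declared in $wgExtraNamespaces earlier in the same file.

```php
# LocalSettings.php fragment (added example, MW 1.10+).
# Goal: make every namespace non-includable except Template:, so that
# {{:Protected article}} cannot pull in the text of a page that the
# WhiteList extension is protecting through the UserCan hook.

# The File namespace constant was named NS_IMAGE in older releases.
$wlFileNs = defined( 'NS_FILE' ) ? NS_FILE : NS_IMAGE;

# Core content and talk namespaces (hypothetical variable name).
$wlCoreNamespaces = array(
    NS_MAIN, NS_TALK,
    NS_USER, NS_USER_TALK,
    NS_PROJECT, NS_PROJECT_TALK,
    $wlFileNs, $wlFileNs + 1,
    NS_MEDIAWIKI, NS_MEDIAWIKI_TALK,
    NS_TEMPLATE, NS_TEMPLATE_TALK,
    NS_HELP, NS_HELP_TALK,
    NS_CATEGORY, NS_CATEGORY_TALK,
);

# Custom namespaces declared above this point in LocalSettings.php.
# $wgExtraNamespaces may be NULL on older versions, so guard the call.
$wlCustomNamespaces = is_array( $wgExtraNamespaces )
    ? array_keys( $wgExtraNamespaces )
    : array();

# Everything except Template: is blocked from transclusion.
$wgNonincludableNamespaces = array_values( array_diff(
    array_merge( $wlCoreNamespaces, $wlCustomNamespaces ),
    array( NS_TEMPLATE )
) );

# Caveat: namespaces registered later (for example by an extension loaded
# after this block) are not covered and must be added by hand.
```

Place the block after the last $wgExtraNamespaces assignment. Text copied into a Template: page remains transcludable by anyone, so write access to that namespace needs the same care as read access elsewhere.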