Topic on User talk:Skizzerz

SwiftSys (talkcontribs)

Really grateful for your comments about the security. I'm relatively new to MediaWiki development, and suspected there may be problems of this nature, hence making the project beta. Any ideas how this can be rectified? I had assumed (obviously incorrectly) that as the editable parts of the extension can only be added by the wiki admin through cPanel, then the risk of injection couldn't occur?

Really appreciate any support :)

Many thanks, Lee

PS: when I asked an editor for advice on who to contact about this, I was advised to ask someone on IRC to review the code, but got a little lost in how to do this. I suppose this will mean adding more code so that only logged-in members can use the form and that the recipient is a single defined wiki admin? Would this resolve the security issue?

Skizzerz (talkcontribs)

I'll send you a POC via email in a couple of hours. As for IRC, check out IRC for more instructions on how to connect.

SwiftSys (talkcontribs)

Man, that was an interesting experience, learnt a lot. Like, I doubt there's a single PHP form on the web that can beat that script you sent; honestly, in the end I had 107 lines of code trying to catch the header injection, some purporting to be unbeatable, and still the damn thing managed to slip through. That was some crazy s***! Thanks so much for a crazy day!

Skizzerz (talkcontribs)

The fix for that takes far less than 107 lines of code. The proper solution is to move your process form inside of the special page itself (you can POST to the same special page, you know; it doesn't have to go to a file external to MediaWiki itself), and then use the built-in MediaWiki utilities to send email, such as UserMailer::send() and UserMailer::sanitizeHeaderValue(). Again, give Coding conventions a good read and see how other similar special pages, like those in Extension:ContactPage, do it.
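The pattern described in that reply, as an added example that is not code from the extension under discussion or from Extension:ContactPage: a special page that handles its own POST, requires a logged-in user, checks the edit token, takes the recipient from configuration rather than the request, and passes every user-controlled value that ends up in a mail header through UserMailer::sanitizeHeaderValue() before UserMailer::send() builds the message. The class name SpecialSecureContact and the setting $wgSecureContactRecipient are hypothetical; the labels are plain strings instead of i18n messages to keep the example short.

```php
<?php
/**
 * Added example (hypothetical names: SpecialSecureContact, $wgSecureContactRecipient).
 * The form posts back to this same special page, so there is no standalone
 * PHP file outside MediaWiki that an attacker can reach directly.
 */
class SpecialSecureContact extends SpecialPage {

	public function __construct() {
		parent::__construct( 'SecureContact' );
	}

	public function execute( $subPage ) {
		$this->setHeaders();
		$this->requireLogin(); // throws UserNotLoggedIn for anonymous visitors

		$request = $this->getRequest();
		$out = $this->getOutput();

		// Only act on a POST carrying a valid edit token for this user (CSRF check).
		if ( $request->wasPosted()
			&& $this->getUser()->matchEditToken( $request->getVal( 'wpEditToken' ) )
		) {
			$status = $this->sendMail(
				$request->getText( 'wpSubject' ),
				$request->getText( 'wpMessage' )
			);
			if ( $status->isOK() ) {
				$out->addHTML( Html::element( 'p', [], 'Your message has been sent.' ) );
				return;
			}
			$out->addHTML( Html::element( 'p', [ 'class' => 'error' ],
				'The message could not be sent.' ) );
		}
		$this->showForm();
	}

	/**
	 * Everything that becomes a header (From display name, Reply-To, Subject)
	 * has CR/LF stripped, so a value such as "hello\nBcc: someone@example.com"
	 * cannot smuggle in extra headers. The free-text message only ever lands
	 * in the body, where line breaks are harmless.
	 */
	private function sendMail( $subject, $message ) {
		$config = $this->getConfig();
		$user = $this->getUser();
		$safeName = UserMailer::sanitizeHeaderValue( $user->getName() );

		// Fixed recipient from LocalSettings.php (hypothetical setting), never from the request.
		$to = new MailAddress( $config->get( 'SecureContactRecipient' ), 'Wiki admin' );
		// Envelope sender is the wiki's own address ($wgPasswordSender); the user is only Reply-To.
		$from = new MailAddress( $config->get( 'PasswordSender' ), $safeName );

		$options = [];
		$replyTo = $user->getEmail();
		if ( $replyTo !== '' && Sanitizer::validateEmail( $replyTo ) ) {
			$options['replyTo'] = new MailAddress( $replyTo, $safeName );
		}

		$safeSubject = UserMailer::sanitizeHeaderValue( trim( $subject ) );
		if ( $safeSubject === '' ) {
			$safeSubject = 'Message from ' . $safeName;
		}
		// Record the sending account so the admin can trace abuse.
		$body = 'Sent by user: ' . $user->getName() . "\n\n" . $message;

		return UserMailer::send( $to, $from, $safeSubject, $body, $options );
	}

	private function showForm() {
		$this->getOutput()->addHTML(
			Html::openElement( 'form', [
				'method' => 'post',
				'action' => $this->getPageTitle()->getLocalURL(),
			] ) .
			Html::hidden( 'wpEditToken', $this->getUser()->getEditToken() ) .
			Html::label( 'Subject', 'wpSubject' ) .
			Html::input( 'wpSubject', '', 'text', [ 'id' => 'wpSubject', 'maxlength' => 200 ] ) .
			Html::label( 'Message', 'wpMessage' ) .
			Html::textarea( 'wpMessage', '', [ 'id' => 'wpMessage', 'rows' => 10 ] ) .
			Html::submitButton( 'Send' ) .
			Html::closeElement( 'form' )
		);
	}
}
```

Register the class under the "SpecialPages" key of extension.json and set the recipient in LocalSettings.php. Note that nothing here tries to recognise injection attempts: the subject and display name cannot contain a line break once sanitised, the recipient and sender are never read from the request, and the message body is not a header, so there is no blocklist for an attacker to slip past.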

SwiftSys (talkcontribs)

awesome cheers, kind of you to say :) appreciate the help.

SwiftSys (talkcontribs)

K, I think it's sorted now, if you don't mind trying again? Still needs tidying and other mods, but it seems secure now; at least the script you gave me isn't sending CC headers anymore :)

You can find the new version here

Skizzerz (talkcontribs)

That's nice, but that isn't the code for the new version. Please link to the code download.

Reply to "Security guidance"