<palam> hi all, is this a security hole? even in a read protected wiki, the recent changes RSS feed is accessible by anyone
<palam> is there a way to disable the RSS feed?
<Werdna> probably
<wikibugs> (NEW) Listing hidden categories - https://bugzilla.wikimedia.org/show_bug.cgi?id=13106 enhancement; normal; MediaWiki: Special pages; (huji.huji)
<Werdna> have you checked the FAQ/manual?
Django joined the chat room.
<Django> Good afternoon everyone!
<palam> i googled it, and didn't find anything. I'll check
<Django> I got a problem with mediawiki!
<Werdna> TimStarling: No good deed goes unpunished ;)
<Django> In the sidebar I tried to put an external link. That works for **http://www.google.com|Google but not for ** http://www.martialheroes.eu/mheroes/mcsmambo.p?M5NextUrl=RCHLP&M5Arg=SUPPORT|Contact
<Django> Does someone know where the problem can be?
<Werdna> "It doesn't work" isn't very specific
<Werdna> what's wrong with it?
<Hojjat> palam: I don't know of a way to turn the RSS feature off. As a remedy, you can set $wgFeedLimit to zero, in your LocalSettings
<Django> It shows: "http://www.martialheroes.eu/mheroes/mcsmambo.p?M5NextUrl=RCHLP&M5Arg=SUPPORT | Contact" on the sidebar page and in the sidebar: Contact with the link: http://wiki.martialheroes.eu/frwiki/index.php/--error:_link_target_missing--
<Hojjat> palam: http://www.mediawiki.org/wiki/Manual:$wgFeedLimit
<palam> oh Hojjat, thanks!
<Werdna> try replacing & with &
<Hojjat> palam: but the point you made is so valid.
<Hojjat> I'm really thinking of adding a turn-feeds-off feature :) if there is none there already
<palam> Hojjat, I was stunned when I found out the stupid thing ()
<palam> I was trying to get an RSS feed so I could follow developments on a project wiki
<palam> and realised there was no username/password in the RSS url!
<Hojjat> palam, add a bug to our bugzilla about that.
<Hojjat> !bugzilla | palam
<foxlit> RSS urls exposing your passwords gr!*password are interesting too
<Hojjat> palam: https://bugzilla.wikimedia.org/enter_bug.cgi
<palam> Hojjat, i'll do that, thanks
<Hojjat> palam: add a bug for "MediaWiki"
pepie34 joined the chat room.
foxlit left the chat room.
<Hojjat> palam: I checked, there is no feed-turn-off feature available yet
<Hojjat> I'm going to add it, I guess
<palam> Hojjat, that will be wonderful
<Hojjat> ok, see you later
Hojjat left the chat room. ("Gotta go")
<palam> but Hojjat, it should be the default setting
<palam> damn
<CIA-6> tstarling * r31183 /trunk/phase3/ (includes/StubObject.php languages/Language.php): Revert r31022 -- breaks commons upload hack.
<wikibugs> (REOPENED) Invalid language codes should fallback to default wiki language not English - https://bugzilla.wikimedia.org/show_bug.cgi?id=13010 +comment (tstarling)
foxlit joined the chat room.
Manecke joined the chat room.
puckman joined the chat room.
foxlit left the chat room. (Client Quit)
mboman joined the chat room.
YazzY left the chat room.
jdpond left the chat room.
<Duesentrieb> palam: hm, rss feed available to anyone? *how* is that wiki read-protected? what version of mediawiki? and have you checked what's *in* the feed?
<palam> yes, all the content
<palam> i was stunned
<palam> i'm filing a bug report
<Duesentrieb> recent versions of mediawiki should check if the page content is accessible to everyone, and only then include content/diffs in the feed.
<palam> i'm using 1.11.1
<Duesentrieb> otherwise, all you see is the edit summary. no content.
<palam> i'm seeing content i typed in
<Duesentrieb> palam: again, how did you protect it?
<Duesentrieb> read-whitelist? lockdown?
<Duesentrieb> some other extension?
<palam> 1 sec, let me grab the line
<palam> read, yes
<palam> $wgGroupPermissions['*']['read'] = false;
<Duesentrieb> no, that's not read-whitelist. but it should do. it should also cause the page content not to be included in the feed.
<Duesentrieb> hm... actually, it should also mean that the page the feed is on is not accessible, iirc.
Django_ joined the chat room.
<Duesentrieb> what feed are we talking about? Special:Recentchanges?
<palam> yep
<Duesentrieb> but the page Special:Recentchanges itself - that isn't accessible?
<Duesentrieb> can you give me the url? in private if you prefer
<palam> no no Duesentrieb, it's a development wiki
<Duesentrieb> too bad.
<Duesentrieb> err. so?
<palam> you can read the content
<Duesentrieb> yes :)
<Duesentrieb> palam: I understand if you can't do it. but "development wiki" is not a valid reason :) we do lots of development which anyone can read :)
<palam> so no, i can't give you that url, but i can setup a dummy wiki (reproduce this), and give you the rss
<Duesentrieb> i don't need the rss, i'd need to be able to play with the wiki.
<palam> this development wiki is private though
<Duesentrieb> not sure if it's worth setting up a dummy just for that
<palam> i'll setup a wiki and give you the url
Markie996 left the chat room.
<Duesentrieb> if you like :) I can't promise it'll do any good.
<wikibugs> (NEW) Security hole through RSS/Atom feeds of Recentchanges - https://bugzilla.wikimedia.org/show_bug.cgi?id=13107 CRIT; highest; MediaWiki: Special pages; (palaniappanc)
Astemd joined the chat room.
<palam> wow, that's nice
<palam> he he
<palam> the temp workaround is enough for me
<palam> Duesentrieb, don't worry about it i'll set the feed limit to zero
<Duesentrieb> palam: http://brightbyte.de/page/Special:Recentchanges?feed=rss
<Duesentrieb> palam: you see "a test for palam" at the top. but no page content.
<palam> no, i can see the content
<palam> On import, mediawiki should issue a warning if one of the '''extensions''' is not installed, or if the local '''version''' of mediawiki is older than the one that created the dump.
<palam> Both cases may lead to the imported wikitext not being rendered as expected. Perhaps it would even be good to show a warning if the local <tt>$wgCapitalLinks</tt> setting is different than the one indicated by the <tt><case></tt> element.
<palam> part of it...
<Duesentrieb> palam: that's another entry. from a public namespace
<Duesentrieb> palam: the top most entry is from the "Private" namespace.
<Duesentrieb> and thus shows no content
<Duesentrieb> works fine for me...
<palam> oh crap
<palam> i just submitted a critical bug that isn't a bug
<palam> i didn't know about namespaces though
<palam> i just protected my wiki, and i could see my content through rss
<Duesentrieb> palam: well, by $wgGroupPermissions['*']['read'] = false; ALL namespaces should be protected
<Duesentrieb> so if they are not, it IS a bug
<palam> ok, then i'll setup a wiki and give you a link
<palam> will you be here for about 20 minutes?
pepie34 left the chat room. ("Ex-Chat")
<Duesentrieb> the check if you can view a page should be exactly the one used to determine if content is to be included in the rss.
<Duesentrieb> palam: i'll be online for a few more hours, but i may be busy doing other stuff. just mention my nick, i'll read it eventually.
mboman left the chat room. ("Pooof!")
<palam> ok
mboman joined the chat room.
<Duesentrieb> palam: please give me a login on that dummy wiki too, btw.
<palam> sure
<wikibugs> (mod) Replace the "magnify" symbol used below thumbnails by a more explicit one - https://bugzilla.wikimedia.org/show_bug.cgi?id=13070 +comment (huskyr)
Django left the chat room. (Read error: 113 (No route to host))
<peder> is there a way to intermix a numbered list and other content, so that the numbering continues, and doesn't restart?
Hojjat joined the chat room.
stemd left the chat room. (Read error: 110 (Connection timed out))
<Duesentrieb> peder: use html syntax for the lists
<peder> and how would you put a block of preformatted text in one of the list-items?
<Hojjat> palam: you there?
<CIA-6> huji * r31184 /trunk/phase3/ (7 files in 3 dirs): Introducing $wgFeed variable.
<CIA-6> Allows turning syndication feeds off, when desired.
<palam> Hojjat, yes
<peder> hmm... use both <ol>, <li> and <pre>...
<Hojjat> palam: read the above. In revision 31184 I introduced a feature which lets you turn the feeds off, totally
<palam> oh nice
<palam> but that's in 1.11.2? whenever it comes out?
<palam> Hojjat, shouldn't it be the default behaviour?
<VasilievVV> palam: why?
<Hojjat> palam: that is in 1.12.0
<Hojjat> palam: and no. I think feeds are there unless you don't want them
<Duesentrieb> palam: i fixed a caching-related security bug in the rc feed in r25944 (19 Sep 2007). When was 1.11 forked again?...
<palam> so for a read protected wiki, what do you get in the feed?
<palam> Duesentrieb, i have no clue. I've only been dabbling with wikis for a few days
<Hojjat> palam: I insist, the bug you are mentioning here is not solved by r31184
<Duesentrieb> that was a question to myself really :P
<Duesentrieb> Hm, RecentChanges.php in 1.11.1 is r25546. So it doesn't have that fix.
<Hojjat> palam: theoretically, the solution to that bug is to find a way to show the RSS only to the users which have the permission to read pages
* Duesentrieb wonders why his own site has it, then
<Duesentrieb> oh i'm running r26224 these days. i forget
<palam> and that will have to be through using a username/pwd in the feed Hojjat
<Hojjat> palam: but as you know, passwords should not appear in the feed URL
<palam> hmm, then it can't be done
<palam> Hojjat, but why no?
<Hojjat> my knowledge about syndication feeds is limited, but if there is no standard and secure way for authentication for feeds, then it can't be done
<Hojjat> palam: "but why no" about what?
foxlit joined the chat room.
<palam> username/pwd in the url
<palam> Duesentrieb, is there a secure way to access RSS feeds?
<Duesentrieb> no.
<palam> you're sure?
<Duesentrieb> i don't even know any feed reader that supports authentication or cookies
<Duesentrieb> no, i'm not sure. i just don't know of any
<Hojjat> I don't know either
<CIA-6> jojo * r31185 /trunk/extensions/Collection/ (Collection.body.php Collection.i18n.php Collection.php): use wfLoadExtensionMessages().
<CIA-6> prefix message IDs with coll-.
maliboo left the chat room. ("Leaving.")
<Duesentrieb> palam: authenticating via password in the url would have to be added - it would be kind of inefficient, too. could be an extension, i guess.
<wikibugs> (mod) Security hole through RSS/Atom feeds of Recentchanges - https://bugzilla.wikimedia.org/show_bug.cgi?id=13107 +comment (huji.huji)
<palam> Duesentrieb, in that feed you showed me, only the alert comes up on a change? nobody can actually get the content on a feed right?
<flyingparchment> Duesentrieb: the KDE rss reader will use konq's cookies, and i believe that most support http digest auth
<Duesentrieb> palam: yes
<palam> Duesentrieb, that is actually pretty useful
<palam> but how do i get that working? do I have to use namespaces?
<Duesentrieb> flyingparchment: they might, yes. we'd have to support some kind of "temporary http-auth login" thing for feeds, then
<Hojjat> flyingparchment: so how does that work? You first have to login and then give the cookie to the software?
<flyingparchment> Duesentrieb: you don't need to log in, just do the auth for one request
<flyingparchment> Hojjat: no, because it's integrated with kde, it can use the kde http component, which uses saved cookies transparently
<Hojjat> oh, HTTP auth!
<palam> but something like that can't be a proper solution. what about google reader?
<Duesentrieb> palam: no, you have to use a revision of RecentChanges.php newer than r25944.
<palam> damn
<Duesentrieb> palam: the feature was there before, but buggy: the feed is cached, and if the person looking at it has permission to see the contents, then that "privileged" version should get served, and cached, and then served to everyone.
<Duesentrieb> palam: here's a patch: http://rafb.net/p/0qzUMY78.html
<Duesentrieb> palam: after applying that, no one should get any content from any read-protected page through the feed.
<palam> thanks
<Duesentrieb> flyingparchment: anyway, auth for feeds implies no cache for feeds...
<Duesentrieb> palam: you need to purge the feed cache for this to work though (the code that allows this is added by the patch too).
<Duesentrieb> add action=purge as another url param
<Duesentrieb> after that, you should see a "safe" feed.
<Hojjat> Duesentrieb: am I wrong to think that HTTP authentication cannot be set up from MediaWiki itself?
<palam> oh nice
<Duesentrieb> Hojjat: you are wrong. there are several extensions for this. it's a trivial implementation of the AuthPlugin interface
<Duesentrieb> !httpauth
<Duesentrieb> gah, still no bot?
<Hojjat> mwbot is gone
<Hojjat> Duesentrieb: and thanks for correcting me :0:)
<Duesentrieb> just look through the auth plugins on mwo
foxlit left the chat room.
FrancoGG left the chat room. (Nick collision from services.)
FrancoGG_ joined the chat room.