[00:12:42] Felenov: emicraft: your host is exposed. When your client disconnects and re-connects, it leaves you exposed until Libera cloaks you after you auth with NickServ: I got my cloak yesterday
[00:50:52] [1/2] It's everywhere. I have stated this weeks ago, but everyone was waving it away as I was using British English.
[00:50:53] [2/2] It's someone at Translation who is doing this. On Commons I have fixed it locally, but it should be looked at who is doing those translation changes. It's annoying!
[00:52:09] [1/19] https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/NPSACWFMNGERKIHNQWYASXCSAY26OYGN/
[00:52:09] [2/19] Security and maintenance release: 1.39.9 / 1.41.3 / 1.42.2
[00:52:09] [3/19] Sam Reed @ 1 Oct 2024 1:11 a.m.
[00:52:10] [4/19] I would like to announce the release of MediaWiki 1.39.9, 1.41.3 and 1.42.2!
[00:52:10] [5/19] These releases also serve as a maintenance release for these branches. [...] The tarballs have already been uploaded as of this email, and the git tags have been pushed.
[00:52:10] [6/19] Unfortunately at the time of finalising this release, the CVE has not been assigned a tracking number by MITRE [...] therefore documented as "CVE-2024-PENDING" [...]
[00:52:11] [7/19] A "MediaWiki Extensions Security Release Supplement" e-mail will follow this one, covering security updates for non-bundled extensions.
[00:52:11] [8/19] Reports of bugs with PHP 8.0, 8.1, 8.2 and 8.3 support are particularly welcome, and fixes will be back-ported when possible. Please see https://phabricator.wikimedia.org/tag/php_8.0_support/, https://phabricator.wikimedia.org/tag/php_8.1_support/, https://phabricator.wikimedia.org/tag/php_8.2_support/ and https://phabricator.wikimedia.org/tag/php_8.3_support/ for the relevant work
[00:52:12] [9/19] boards.
[00:52:12] [10/19] As a reminder, MediaWiki 1.35 became end of life (EOL) in December 2023, and MediaWiki 1.40 became EOL in June 2024.
[00:52:12] [11/19] It is strongly recommended to upgrade [...]
[00:52:12] [12/19] It is noted that this issue fixed in AbuseFilter is replicable back to at least 1.19, if not before (though AbuseFilter was not bundled till 1.38).
[00:52:13] [13/19] == Security fixes ==
[00:52:13] [14/19] * (T372998, CVE-2024-PENDING) SECURITY: abusefiltercheckmatch does not check the user for the abusefilter-log-detail right before matching against log details.
[00:52:14] [15/19] == Links to all mentioned tasks ==
[00:52:14] [16/19] * https://phabricator.wikimedia.org/T372998
[00:52:15] [17/19] == Release notes ==
[00:52:15] [18/19] [...]
[00:52:16] [19/19] [Truncated due to discord limits. hyperkitty link has full details]
[00:57:01] https://www.cve.org/CVERecord?id=CVE-2023-29134
[00:57:04] why is this cve in 2023?
[00:59:15] I think my login issue was related to https://phabricator.wikimedia.org/T244635
[00:59:32] I disabled Twinkle (which loads preferences from devwiki) and now I can hold a login
[01:03:06] bingo!
[01:03:09] I figured it out
[01:03:48] If you enable a script that tries to load something from a wiki you're not attached, CentralAuth freaks out and deletes your session
[01:04:03] Ohhhhhh
[01:04:05] the key is to attach yourself to whatever wiki you're trying to load a script from
[01:04:21] I attached myself to devwiki and now Twinkle doesn't cause me to logout
[01:04:28] but I reproduced this issue with a new test account
[01:04:50] Yeah, that makes a dumb amount of sense
[01:05:53] It happens to me too, but I don't use twinkle!?
[01:06:55] Because if the system is seeing a repeat malformed/unparsable request, it should logically try to invalidate the session.
[01:07:42] Is this immediate logout after logging in, or the session only staying valid for a couple hours?
[01:09:22] No, just as soon as I visit a new wiki I haven't visited before.
[01:09:52] That sounds more like a cookie issue
[01:09:54] My session can stay active as long as I do not connect to a new wiki
[01:10:01] My issue was that I got kicked out immediately
[01:10:22] Nah, I regularly clean those
[01:10:41] The issue isn't you, it's CentralAuth and the way it handles cookies
[01:10:52] Ah
[01:10:56] I also get similar issues like that but I guess we can't do anything until SUL3 gets released
[01:11:20] Okay! I'll stay patient then
[01:12:09] Anyway... off to 🛏 as it's 🕒 am
[01:12:16] night!
[01:12:19] 💤
[01:12:29] nini, good night at clock am
[01:13:27] 3am
[01:27:12] [1/2] I have been having issue with being able to make a page on this wiki as there is supposed to be a paper looking icon on the left of the line and I have reminded and reminded and I still no action on this so I will keep being persistent until this gets fixed
[01:27:12] [2/2] https://cdn.discordapp.com/attachments/1006789349498699827/1290485132863471777/IMG_0286.png?ex=66fca16f&is=66fb4fef&hm=f1b73832ab4e06c9ed1005b39d12633c58d8c586eb2c49f5ae3f338391014ea8&
[03:16:32] yoshi459292927370272: link?
[03:20:46] https://greatcharacters.miraheze.org/wiki/Incredible_Characters_Wiki
[03:35:25] yoshi459292927370272: it's the wiki config
[03:35:28] https://greatcharacters.miraheze.org/wiki/Blog:Adversary_(Kung_Fu_Panda)_2?action=edit
[03:35:35] > You do not have permission to create this page, for the following reason:
[03:35:37] > You do not have permission to create new pages.
[03:36:35] probably would need to use Special:CreateBlogPost
[03:54:34] surprised wgUseXssLanguage isn't enabled on mirabeta
[04:05:22] RhinosF1: how would you feel if i accidentally found an xss while looking for a different security vulnerability?
[04:06:23] After nearly 600 commits, 100 files, and 9k lines, my CreateWiki rewrite is nearing the true testing phase IE almost done finally lol... just a few things left to build into RequestWiki...
[04:06:49] oh god i'm both proud and horrified of you
[04:07:48] lol
[04:08:15] I'm worried I forgot to rebuild some features into RW as I just wiped it and rebuilt it nearly from scratch lol
[04:08:21] x-xss is handy... no need to manually edit the interface pages to add xss payloads
[04:09:34] I don't see a reason not to allow it on beta but I was thinking maybe we should disable and allow it to be enabled using the Debug browser extension idk though. If you use the language you can expect XSS and that is the choice of the user so I see no reason why not.
[04:09:59] ideally, you shouldn't expect xss lol
[04:10:22] had to install the extension in question locally and configure it to test--mildly inconvenient
[04:10:30] anyway, new xss served up: https://issue-tracker.miraheze.org/T12670
[04:10:51] Well yeah lol but it could be an acceptable risk if you have to manually trigger xss with the uselang
[04:11:47] and like... you can't even control the payload
[04:11:50] it's the interface message
[04:13:10] yep
[04:17:29] The issue comes from despite having the permission in the auto confirmed area and still not able to make pages for some odd reason which is why many have been having a problem I will wait a little longer for this issue to fix or something as this isn't normal
[06:39:19] CosmicAlpha: i have more questions :D
[06:41:04] BlankEclair: not at all surprised
[06:41:26] oh i guess i can ask you instead
[06:41:33] BlankEclair: you should consider a job in cyber security or pen testing one day
[06:41:46] yeah perhaps lmao
[06:41:56] You can certainly ask ye
[06:42:04] the universe rewrites code i am about to touch to include security vulnerabilities
[06:44:14] [1/9] 📢 ANNOUNCEMENT 📢
[06:44:14] [2/9] https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/BXVG7SF3DTZTPOENKXEKWC3ZEOHS4NTG/
[06:44:14] [3/9] Maintenance release: MediaWiki 1.39.10, 1.41.4 and 1.42.3
[06:44:15] [4/9] Sam Reed @ 1 Oct 2024 10:08 a.m.
[06:44:15] [5/9] I would like to announce the availability of MediaWiki 1.39.10, 1.41.4 and 1.42.3.
[06:44:15] [6/9] This fixes an issue identified in the MediaWiki 1.39.9, 1.41.3 and 1.42.2 releases.
[06:44:15] [7/9] The patch for T372998 was incorrectly back-ported.
[06:44:16] [8/9] [Truncated due to discord limits. hyperkitty link has full details]
[06:44:16] [9/9] @everyone
[06:45:35] Oops... Sorry for forgetting to remove the ping from the message.
[06:48:40] I didn't actually ping @rodejong
[06:48:52] We've thought of that one before 🙂
[06:49:01] Well actually I think someone's tried it before
[06:49:17] can i try?
[06:49:48] You can try
[06:49:56] Hopefully I won't regret that
[06:50:40] everyone: Attention students of St. Hallvard High School. I have an announcement to make.
[06:50:43] I am a flaming dyke!
[06:50:43] [1/2] Just wants to hear how do you think about this one:
[06:50:44] [2/2] https://www.mediawiki.org/wiki/Extension:FlexForm
[06:50:46] Thank you for your time and have a wonderful day!
[06:51:29] did that work?
[06:51:46] Nope
[06:51:57] No ping
[06:52:08] well, at least i just gave a neat lil reference to all five rain readers in the chat
[06:52:16] if it worked it'd be hilarious though
[06:52:19] lol
[06:52:34] @everyone test
[06:52:38] Yes?
[06:52:39] @everyone: test2
[06:52:45] Doesn't work
[06:52:51] CosmicAlpha: i already asked RhinosF1, nvm :p
[06:52:53] Discussed on IRC
[06:53:09] basically wondered if https://meta.miraheze.org/wiki/Special:DataDump?action=download&dump=/ counts as a vuln
[06:53:15] I added safeguards against it even if the bot had the permission it can't ping everyone or here
[06:53:29] (lists all files in miraheze-metawiki-dumps-backup)
[06:54:19] Good
[06:54:48] @everyone awawa
[06:54:56] is that monospace?
[06:55:04] come on, yes
[06:55:19] i don't have discord to make sure :/
[06:55:25] everyone: does this have a leading @?
[06:55:39] No
[06:55:41] No
[06:55:44] oh oops
[06:55:49] misunderstood how the mentions work
[06:56:05] BlankEclair: ^
[06:56:08] https://usercontent.irccloud-cdn.com/file/Nz7UY0pD/1727765757.JPG
[06:56:17] Wrong order IRCCloud
[06:56:30] eh close enough
[06:56:36]
[06:57:08] whoops wrong line a few lines up lol
[06:57:19] L480
[06:57:43] i thought the bridge translated username: awawa to @username awawa
[06:57:48] turns out it does the user id
[06:58:36] Yep that was to prevent incorrect mentions so the user has to actually exist to mention also
[06:58:48] So it doesn't do partial matches
[08:46:42] https://github.com/Open-CSP/FlexForm/blob/af6c72f410e6de7dd0cc6a5a8f06345a669244e9/src/Core/Config.php#L120; as a linux user, this makes my brain go "crime"
[08:52:16] this code is structured in a way that makes me not want to read it oh my god
[16:46:02] Tech people: don't forget if you've got a wikimedia dev account to complete the wikitech SUL migration
[16:54:22] hmm, yeah we also need to move away from Extension:LdapAuthentication, and deploy a different solution for password resets
[16:55:18] MacFan4000: eventually he
[16:55:28] Wikimedia have made their own thing called Bitu
[16:55:49] If you have a wikitech though, you need to act soon
[19:46:06] [1/3] I got the same issue w/ on wiki search several people already reported here
[19:46:06] [2/3] however - search seems to work fine on mobile
[19:46:07] [3/3] https://cdn.discordapp.com/attachments/1006789349498699827/1290761681424744499/2024-10-01_22_45_10.png?ex=66fda2fe&is=66fc517e&hm=2ff1a4c2dea8253baa1062970f26d690c504cae7bde5e5e8e908bf5d1b428a18&
[19:47:25] I get immediately to the page of the same name in android firefox
[19:48:50] trying just one word, however, turns up nothing in both mobile and desktop
[20:52:05] Also how do I fix the ICW configuration thing so that users can be able to make new pages or something