[00:34:52] Finally finished CW rewrite after 11,816 total lines, 123 files, 746 commits lol. Just needs some final testing, review, etc... now!
[00:34:56] oh god
[01:23:35] Damn, congratulations
[01:24:59] Incidentally I was thinking of rewriting FormWizard
[01:42:11] which is that again
[01:42:13] dont think ive used it
[01:42:35] https://meta.wikimedia.org/wiki/Meta:FormWizard
[01:42:39] It's not an extension but a gadget
[01:43:15] ah
[01:43:22] at least it's not FlexForm where there's encryption
[01:43:27] i need to dabble in gadget work
[01:43:31] and 9999 other things
[01:43:36] whose default key is set to php_uname()
[01:43:48] please tell me you're declining that thing
[01:43:52] already did
[01:44:02] link?
[01:44:14] https://issue-tracker.miraheze.org/T12672
[01:44:45] > After consultation with RhinosF1, I decided to decline this extension on the grounds that it would give me both a heart attack and a mental breakdown due to its messy code structure and myriad of security risks.
[01:45:17] i already had like two plans of attack
[01:45:44] oh, and there's a feature to prevent users from seeing past revisions
[01:46:03] totally didn't immediately have two ideas on how to bypass that when i found it
[01:46:14] FormWizard is really old, it's 10 years old and pre-dates two generations of MediaWiki user interface code. We can leapfrog over the OOUI era and jump straight to Codex
[01:47:00] User scripts are fun because you don't need anyone's approval for that, you just write a script then you load it in your common.js file
[01:47:09] I mean, the wiki has to allow user scripts, but other than that
[01:47:17] Ok...
So I know the reason why SocialProfile gets glitched out every time we use this in higher versions
[01:47:41] i forgot about Codex ngl
[01:47:47] same
[01:47:58] meanwhile i'm here manually constructions html elements
[01:48:04] constructing*
[01:48:19] if i wanted to work on a gadget should i use raw js or typescript(@waki285 i know does this)
[01:48:23] @suzuneu *
[01:49:19] Jeez I can spot things from XSS, path traversal, potential RCE and maybe even an SQL injection vulnerability... one of the worst extensions I have ever seen. They don't use any escaping in the entire extension just one parse which is safe, but the rest are all ->text...
[01:49:38] how long did you take a look at it?
[01:49:43] i think i got through like... two subfolders?
[01:49:54] until RhinosF1 told me that i could decline it
[01:50:09] About 5 minutes, just about one folder then I did a search for wfMessage
[01:50:18] oh god oh god oh no
[01:50:25] oh, that one I have requested
[01:50:37] yes, the one that probably gave me a mental breakdown
[01:51:10] Easily done
[01:51:45] what
[01:51:50] I used to believe on the potential to "replace" PageForms in my wiki, at least until I can't get it to be installed in my test localhost
[01:52:30] BlankEclair: I propose we toss it in the very depths of the developer dungeon
[01:52:43] yes please oh my god
[01:52:50] no one will ever act out of line if they know what they're going to have to share a cave with now!
[01:52:53] it's like they designed it specifically so that i don't want to read it
[01:52:54] Y E S
[01:53:09] this is like a subtle layer of code obfuscation
[01:54:09] TIL the organization currently known as World Taekwando used to be the World Taekwando Assosiation
[01:54:10] WTF
[01:55:31] the Taekwando Fandom wiki is pretty good actually
[01:55:44] WikiTide Foundation?
[01:56:33] lmao
[01:56:41] World Taekwondo Federation
[01:56:44] misspelled
[01:56:54] idk where i got aso from
[01:56:56] well i do
[01:57:47] what the hell do you call the "../" component
[01:57:55] ik it's called path traversal, but what do you call the ".." specifically
[01:58:07] one folder up?
[01:58:17] i guess yeah
[01:58:39] Yeah I noticed a ton of path traversal vulnerabilities in that extension
[01:59:28] At least possible ones not confirmed nor do I want to...
[02:02:50] best way to announce your security vulnerabilities: https://github.com/theresnotime/as-a-treat/pull/124
[02:03:13] Seems like FlexForm is actively maintained, could try submitting feedback to the devs
[02:03:35] do you want to review the source code though?
[02:05:48] no way
[02:07:38] There is no way it is actively maintained... it even uses manifest_version 1 which I think is deprecated in 1.43 or I saw a task where it is supposed to be. Even if it had no security issues its practices are so out of date there is no way it even works...
[02:09:44] Though I did see it had commits 2 months ago I don't understand under what hole the devs live in that they upgrade the extension to modern both in PHP and MediaWiki methods.
[02:09:58] *that they don't
[02:10:20] That extension's code will give me nightmares
[02:10:34] I literally have nightmares about bad code sometimes lol
[02:10:49] Bullshit
[02:10:51] you dont even sleep
[02:11:03] Although if you did I'd totally believe that
[02:11:13] lmao
[02:11:42] According to the MW.org page they aim for compatibility with LTS versions of MW which currently is 1.39
[02:13:43] but... 1.42 is LTS
[02:13:49] *43
[02:14:16] technically not out yet
[02:14:18] @pixldev well, that is still a beta version though
[02:14:29] oh has it become beta now?
[02:14:35] No
[02:14:41] It isn’t branched yet
[02:14:50] i mean wmf runs it in prod...
[02:14:53] Seems pretty silly to aim to be compatible with 1.39 which will be out of LTS in December
[02:14:53] god knows why
[02:15:04] dogfooding: public edition
[02:15:37] Theoretically 1.43 would be released by then
[02:15:56] well yeah thats what i just said
[02:16:23] There are massive differences between 1.39 and what will be 1.43 so it just seems a waste of time to make it 1.39 compat
[02:16:46] A lot of stuff from 1.39 is gone in 1.43
[02:23:43] https://www.mediawiki.org/w/index.php?title=Extension:FlexForm&diff=prev&oldid=6783528
[02:23:46] there we go
[02:24:08] we haven't tested any of them out btw
[02:24:49] Yeah XSS and Path traversal I am almost sure of RCE and SQL just seemed likely to me
[02:25:28] i love it when my extension shells out to git (and yes, it uses the shell because there's cd, let's ignore the fact that git has a -C parameter)
[02:26:14] BlankEclair: do you feel like reviewing my CreateWiki PR and make sure I didn't introduce some random security issue? I tried my best there but it's always best to have someone else review also in any case.
[02:26:25] oh yeah, forgot about that
[02:26:38] IE review the CW PR branch the PR changes will be too hard to review.
[02:26:43] It touches everything lol
[02:27:06] how the fuck did you change 123 files
[02:27:37] Good question since there wasn't 123 files lol
[02:28:00] Because a rename counts as a deletion and addition in git
[02:28:13] It does if there is a certain % of difference
[02:28:21] So that must have been it lol
[02:28:50] should i comment on things that were not touched by the pr?
[02:29:21] Yes you can, the PR aims to fix a lot so there isn't anything not in the scope of the PR.
[02:29:40] gg it won't let me make a comment
[02:29:56] okay chat, time to figure out if i can do some api fuckery to make it work
[02:30:39] Oh yeah you can't comment on a line not touched by the PR, just comment on the file level and mention a line if you want.
[02:30:50] Hmm, and that extension even has its own discord server
[02:30:51] internal server error :/
[02:31:42] From what?
[02:32:22] github
[02:33:22] ah
[08:36:29] @MediaWiki Specialists relay from #tech-ops: Has an wiki here ever use UserStats sub-extension and have the contribution points working?
[08:37:18] (SocialProfile's sub-extension, if more contents are needed-)
[08:43:17] oh wait, we have not defined user levels for that was it...
[08:43:55] too busy working on the rewrite that you rubberducked yourself lol
[08:44:22] i ' m a u t i s m
[08:44:27] gonna try making a patch later at the same time to fix the SocialProfile's deprecation as well
[08:44:29] no way, me too!
[08:45:21] lots of us have the autism
[08:45:22] https://retro.pizza/@LynnSenpai/113048208848236665
[08:45:23] well-
[08:45:34] Do I really have SocialProfile as a stalk word so the term SocialProfile is pinging me lmao
[08:45:42] that's kinda funny
[08:45:52] SocialProfile SocialProfile SocialProfile
[08:45:58] Yep ping ping ping
[08:46:01] lol
[08:46:18] https://usercontent.irccloud-cdn.com/file/ijfNahy8/1728031574780.png
[08:46:22] obscure claire fact: you can ping me with !claire
[08:47:01] I forget sometimes I actually have C+2 rights to all the social tools extensions on Gerrit
[08:47:20] i hate it when i forget that i have +2
[09:04:11] just tried out the RAADS-R and I got 176 total
[09:04:30] huh
[09:04:34] i was like 126
[09:05:59] should I take the accessment process?
[09:06:14] the what?
[09:06:30] uh nevermind
[09:19:17] !claire test
[09:19:22] i got pinged
[09:19:24] first tester
[09:19:30] Heh
[09:53:57] hey uhh mirabeta globalnewfiles is broken
[09:54:01] https://meta.mirabeta.org/wiki/Special:GlobalNewFiles
[09:54:38] doesn't show my most recently uploaded file: https://test.mirabeta.org/wiki/File:MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM.png
[09:57:51] Why
[09:57:53] Why
[09:58:14] delish
[09:58:21] okay okay, i just found a long-ass filename on miraheze gnf
[09:58:23] BlankEclair: is this job broken or did you break it
[09:58:27] dunno
[09:58:44] BlankEclair: does prod work
[09:58:46] yes
[09:58:54] Weird
[09:58:57] Is beta running jobs
[09:59:06] dunno
[09:59:21] Grafana will tell you
[09:59:24] here's what caused me to upload that file: https://meta.miraheze.org/wiki/Special:GlobalNewFiles?offset=20241004093024&useskin=vector-2022
[11:31:57] @paladox could you check out https://issue-tracker.miraheze.org/T12694 when you have time? since you're the swift expert
[11:32:20] or do you think it's just the mw permission script that needs to be ran again?
[11:34:15] Its permissions on the repo
[11:35:05] You can use Swift to stat the container and see what perms it has set but it’s likely it was set like it was private
[11:35:22] You can just won that script I think that changes perms on containers?
[11:36:05] @reception123
[11:37:15] Ok thanks, I'll just try that then
[11:37:29] do you have any ideas what could have caused the issue though?
[11:37:54] https://github.com/miraheze/CreateWiki/blob/master/maintenance/setContainersAccess.php
[11:38:02] Nope
[12:42:38] hmm, it seems that for Template:Status on meta the |cannot param is no longer taking effect
[12:42:44] could it be because of Raidarr's change here https://meta.miraheze.org/wiki/Template:Status?diff=prev&oldid=427725 that broke something?
[12:59:40] Hm
[13:21:45] Hmm, not sure why requests such as https://meta.miraheze.org/wiki/Special:RequestImportQueue/878#mw-section-details have suddenly gone back into the queue
[13:22:15] BlankEclair: ^
[13:22:23] idk i peeked around only
[13:22:33] also, no one has a clue on what i'm doing
[13:35:14] Yup
[13:35:45] it's lots of fun though <3
[13:35:50] for example, i just made my own wiki farm
[13:36:00] $matches = [];
[13:36:02] preg_match( '/^(\w+)\.mw142\.icecone\.internal$/', $_SERVER['HTTP_HOST'] ?? '', $matches );
[13:36:03] $wgDBname = $matches[1] ?? 'my_wiki';
[13:37:44] My second favorite farm
[13:38:12] Icecone internal
[13:39:22] Using $_SERVER in MediaWiki should be illegal
[13:39:33] oh you have no idea how many things i've done
[13:41:56] instead of finally learning how to use xdebug, i use var_dump() and throw exceptions
[13:46:40] the server actually uses both nginx and apache
[13:47:46] Go to hell
[13:49:29] everything is running under qemu-user
[13:49:46] except for lua, that fails (to allocate memory iirc?), so i had to build lua for the server's architecture
[13:51:58] BlankEclair: expect my /msg soon
[13:52:04] that sounds like a threat lmao
[13:52:27] okay, managed to get the wiki installed (i tried using the web installer, but i had to use install.php like non-agents of chaos people)
[13:52:27] Pipebomb!
[13:52:41] amazingly the original wiki still works
[13:53:04] aaand the new wiki doesn't work
[13:53:13] E
[13:53:25] ...did it
[13:53:32] did it install to the wrong database?
[13:54:08] oh okay no
[13:54:21] I haven't get any of that wikifarm stuffs to work locally
[13:55:12] i'm making the world's most horrific wikifarm and no one can stop me
[13:58:23] how did i install this database... who even is the superuser?
[13:59:47] oh, i think there's none
[14:00:55] uhh i don't have access to my own server... that's fun
[14:01:47] oh okay, we have a superuser: root@localhost
[14:02:14] Everyone knows print_r is superior
[14:02:45] so turns out that i initially installed the database to the wrong database server
[14:02:54] that was to the half-serious one, oops :p
[14:03:28] easy mistake to make, right?
[14:03:46] yeah, it is when you have zero authentication for your toy servers :p
[14:04:02] Localhost W
[14:04:24] anyway, the database is... still not installed
[14:04:55] I like to just do sql.php and run the tables-generated.sql
[14:04:57] Much more efficient
[14:05:18] actually, i might need to give grants for the database
[14:05:31] no wait i already did?
[14:05:53] oh wait. the error is from createwiki.
[14:07:47] okay cool, i built the world's worst wiki farm ever
[14:14:17] That title belongs to shoutwiki
[14:14:25] You trying to steal their thunder?
[14:14:36] oh god, i think the tables for importdump is on the main wiki
[14:14:58] and it's trying to access uwu.import_requests, not my_wiki.import_requests
[14:16:42] ohh, we're meant to have wgSharedDB
[14:17:21] er... did not help?
[14:20:49] wait no! i found it! $wgVirtualDomainsMapping['virtual-importdump'] = [ 'db' => $wi->getCentralDatabase() ];
[15:08:57] BlankEclair: re: latest ticket, we’ve known that for a few years but no one cares
[15:09:00] lol
[15:09:10] I raised this up a while ago but it wasn’t deemed important
[15:09:14] breh
[15:10:42] Thats why it should use the CentralAuth id
[15:11:11] two more reports to go... yay...
[15:14:00] I think the thing is that it’s designed to work without central IDs
[15:14:07] unrelated, but why did we make Extension:IncidentReporting?
[15:15:23] a simple check for whether the wiki is the centralwiki would be easier then I guess
[15:15:30] or you can just unset the special page if its not meta
[15:17:28] i already linked to a similar issue in the task :/
[15:17:49] (but using `centralIdFromLocalUser()` will also return the user id locally if there is no central id because they are the same, so win-win)
[15:25:49] Which ticket
[15:26:51] https://issue-tracker.miraheze.org/T12701
[15:30:31] fun fact: if i make too many requests at once, php locks up and i have to restart the container
[15:34:37] Why do I not have phab security access
[15:35:02] good question
[15:35:06] want me to add you?
[15:35:26] why did i ask, i just did it anyway :p
[15:50:11] [1/2] ooo
[15:50:11] [2/2] new error :D
[15:50:15] `[b8f9f39a20d51b33257b3430] 2024-10-04 15:49:38: Fatal exception of type "MediaWiki\Page\PageAssertionException"`
[15:50:40] I just tried out the QuizGame extension
[15:52:55] BlankEclair: nice
[17:19:37] Can you make a simple special page in config without a full extension
[17:20:08] Though this could maybe just go into miraheze magic
[20:33:07] https://grafana.wikitide.net/d/mWxtnz5Mz/cloudflare-zone-analytics?orgId=1&from=now-5m&to=now
[20:33:15] huzzah
[20:34:23] Sweet!
[20:34:37] I still can’t use Grafana on my phone lmao
[20:35:11] Buy a new phone
[20:36:38] I’m not buying a new iPhone to be able to see Miraheze Grafana
[20:37:21] It’s not even the browser