[15:03:45] Technical Advice IRC meeting starting in 60 minutes in channel #wikimedia-tech, hosts: @addshore & @Christoph_Jauera_(WMDE) - all questions welcome, more infos: https://www.mediawiki.org/wiki/Technical_Advice_IRC_Meeting [16:03:46] Technical Advice IRC meeting starting now in channel #wikimedia-tech, hosts: @addshore & @Christoph_Jauera_(WMDE) - all questions welcome, more infos: https://www.mediawiki.org/wiki/Technical_Advice_IRC_Meeting [17:20:39] hello, i need help to solve some tidy errors (https://www.mediawiki.org/wiki/Help:Extension:Linter/tidy-font-bug) [17:21:25] i have a template that uses {{{1}}} [17:21:53] and this param is espected to be a link like: [[Test]] [17:22:13] so the result may be [[Test]] [17:22:42] to solve the tidy error, i need to include the span tag *inside* the internal links [17:22:49] do [[Test|Test]] instead [17:23:26] but how can i re-made the template ? [17:23:52] remember that the template is {{{1}}} [17:24:07] i cant change the {{{1}}} [17:25:17] and if i need to use directly [[Test|Test]] , i dont need the template [17:25:29] [[{{{1}}}|{{{1}}}]] [17:25:36] oh wait, the [[ is already in the parameter [17:25:57] try maybe {{{1}}}. Not sure if that will work [17:26:07] yeah, and {{{1}}} may be like «[[Test| This is a test link ]]» [17:26:26] bawolff, i already test this and no works [17:26:55] important is ignored because the global css style for anchors [17:31:29] so... [17:31:47] nobody knows a solution ? [17:52:07] Tell users not to include [[ [17:52:28] leoncastro: You can do something complicated with Scribunto, but then stuff gets complicated [17:53:59] not including [[ and using two params instead of one [17:54:20] link and text [17:55:49] in mediawiki api, if we query for the talk page using talk page id, is there any property that would return the talk page's main page id in the result? [17:56:26] or the only way is to do a separate query using the title after removing the prefix "Talk:" [17:57:39] this is khushboo from india [17:58:04] i installed mediawiki version 1.26.4 to my linux system [17:58:33] then i installed visual editor from rel_126 branch intp extension directry [17:58:57] it seems visual editor for new pages not working [17:59:16] nothing is happenign at all... [17:59:32] just page refresh occurs and nothing else. no server error log also [17:59:36] please help me [18:02:39] khushbooSingh: have you installed parsoid too? [18:03:15] no for now i havent installed [18:03:42] but still for new pages visual editor should open the page for editing na ? [18:03:52] khushbooSingh: visual editor needs parsoid. and parsoid needs a node.js server. [18:04:12] khushbooSingh: https://www.mediawiki.org/wiki/Extension:VisualEditor#Setting_VisualEditor_up [18:04:22] VE should probably give some kind of helpful information if parsoid is missing... [18:05:40] i am not getting any information. Even the blue bar that use to appear when page is in edit mode is not appearing. [18:05:51] khushbooSingh: for logging make sure error reporting is on and any other settings - https://www.mediawiki.org/wiki/Manual:How_to_debug [18:10:05] ok thanks codezee...will surely work on that [18:12:43] one more doubt i am having. currently my mediawiki is ssl configured on web server. so do i need to cofigure the parsoid url too in ssl mode. and if so then would the parsoid domain name be different than the mediawiki url ? [18:14:15] khushbooSingh: i think you might best be able to get some attention for parsoid on mediawiki-parsoid [18:19:09] ok thanks codezee [19:53:00] andre__: mind a PM? [19:57:14] Skizzerz, feel free to [19:58:58] TimStarling: are you about [20:02:27] I've got a Demo wiki setup that has been affected by some sort of malware that injects spam content into the page, upon every page edit or page creation [20:02:53] wipe the files and upload a clean tarball [20:02:58] I don't need help figuring it out, I'm just going to delete the box and rebuild it [20:03:23] although you may want to make sure it isn't a bad browser plugin/extension doing it first [20:03:36] (try with a different computer or your phone, see if it still happens) [20:03:43] But I'm wondering if anyone knows what it is, or quick sleuthing techniques because I'd obviously want to harden against it in the future. [20:03:59] e.g. https://freephile.qualitybox.us/wiki/Bar [20:04:47] I notice you have dozens of extensions [20:04:58] it's quite possible the vulnerability lies with one of them [20:05:04] Skizzerz, I had another user @hexmode check it out, and he saw the same thing [20:05:26] if you know roughly when the issue started, you can look at your webserver logs for suspicious-looking GET/POST requests [20:05:30] to see how they exploited [20:05:47] (check overall server logs as well in case they guessed FTP passwords or something) [20:05:56] Skizzerz, the install is fully automated with git repo checkouts. I checked all code for status and everything is clean. [20:06:26] using the wmf repos? [20:06:31] yes [20:06:39] in most cases [20:06:43] if you use any third-party, unstable, or beta extensions, might try clearing those out [20:06:44] so if git is clean for the core directory, that leads me to believe it's extension related [20:06:49] since each extension is its own repo [20:06:57] just checking the core .git won't tell you the full story [20:07:07] I checked all the extension repos too. [20:07:25] before you wipe [20:07:30] try disabling all extension from LocalSettings.php [20:07:37] see if it still happens [20:07:51] if yes, then the bad files are either in core or one of the composer libs [20:08:01] since iirc vendor/ is in .gitignore [20:08:03] Or site/user js..? [20:08:03] I'll try disabling.... here are the core extensions https://github.com/freephile/meza/blob/es128-rebased/config/core/MezaCoreExtensions.yml [20:08:21] meaning "core" for the distribution that I'm running. [20:08:35] Does it happen for other user accounts? [20:08:43] On other machines/browsers? [20:08:47] It's a farm system, so there are also "local" extensions that I install per wiki [20:09:21] lot of javascript https://freephile.qualitybox.us/wiki/Special:AllPages?from=&to=&namespace=8 [20:09:56] https://freephile.qualitybox.us/wiki/MediaWiki:Smw_import_skos is the only recently changed one [20:09:57] Reedy: Yes, happens for other users, other machines, other browsers [20:10:12] Just making sure :) [20:11:10] Do you have other things like phpmyadmin running which are known to have many flaws? [20:11:13] I don't see any bad js from a very quick perusal [20:11:24] (in the mw ns) [20:12:37] Skizzerz: nothing else. Dedicated MediaWiki box; with HAproxy, node, ElasticSearch, Apache [20:13:30] ES is very easily to badly setup [20:13:37] But that's usually more a machine compromise, than MW [20:14:16] could be the database is compromised [20:14:28] because the page histories don't match the page content [20:17:48] c: that's something I noticed. There is no history of the bad content being inserted. [20:18:59] freephile: you may want to check out your Maria instance then [20:20:38] c: any suggestions on detecting problems with MariaDB? I don't see any problems from working in MySQLWorkbench [20:21:04] it's only accessible from localhost, and I use SSH tunnels [20:21:11] check for triggers on the db [20:21:19] set up query logging [20:21:20] etc. [20:21:46] general_log fills up fast tho :D [20:21:57] true [20:21:57] query logging... right... I'll turn it on, and then off, and be able to check for unusual activity. [20:22:12] make sure that you aren't using CACHE_DB as your cache mechanism for anything [20:22:22] or the query log will have a LOT of noise [20:22:54] but even then, should be easy enough to filter [20:22:55] originally the wiki was open to anonymous edits, and that's how they got in in the first place, and there are POST and GET requests coming nonstop now. [20:23:18] Skizzerz: using MEMCACHE [20:23:23] I wouldn't be surprised if it came in via ElasticSearch though [20:23:26] it's insecure by default [20:23:43] unless they finally turned off the "RCE as a feature" thing [20:24:35] if the spam is being inserted like immediately when you save a new page [20:24:40] then I suspect there's a trigger in place [20:24:43] Skizzerz: http://freephile.qualitybox.us:9201/_plugin/head/ [20:24:55] I have PUT and DELETE disabled in HAproxy [20:25:33] meaning I've added security to ElasticSearch [20:29:02] unless it needs to be exposed to the net at large, binding it to localhost only adds even *more* security :) [20:30:31] i forget, but I think it is bound to localhost [20:30:34] anyway I don't see any recent RCE CVEs for ES [20:30:43] well I was able to access that URL [20:30:49] and I'm definitely not on your local server [20:30:51] https://freephile.qualitybox.us:1936/haproxy admin/password shows that most traffic is web traffic, not ElasticSearch [20:31:38] does ps show any unusual processes or users running things they shouldn't be running? [20:35:32] Doesn't mean ES was not exploited already [20:35:38] The ES URL is for the "head" plugin which I pass through HAProxy to a backend connection... but it's just for reading because I also configured HAProxy to disallow all methods to the backend but GET [20:36:16] But it *could* be ES, because something *is* definitely hacked :-) [20:43:27] no triggers found [20:43:35] select trigger_schema, trigger_name, action_statement [20:43:35] from information_schema.triggers [22:17:30] heh https://mwusers.org there's a mw support forum now :)