
List:       mediawiki-l
Subject:    Re: [Mediawiki-l] Enabling the Common.js feature
From:       Benjamin Lees <emufarmers () gmail ! com>
Date:       2009-05-24 21:04:08
Message-ID: b8e96a340905241404o36231194q784afaa7d59df980 () mail ! gmail ! com

One rather obvious point you could make is that $wgUseSiteJs is enabled by
default (and on Wikimedia projects!); if it were a gaping security
vulnerability, it would be disabled.  Somebody could potentially do nasty
things with JS, of course, but to do that he would need to have already
compromised your admin account, and at that point you'd already be screwed.
:-)

Beyond that, a good farm setup will allow your sysop to set different
settings for different wikis, so he shouldn't need to enable this for all
the wikis if he doesn't want to.  Changes to one wiki's JS shouldn't be able
to affect anything on another wiki (assuming they're on separate
subdomains).

Of course, if you really just want this so you can change the favicon
location, why don't you ask your sysop to set $wgFavicon for your sub-wiki?

On Sat, May 23, 2009 at 8:57 PM, Greg Webb <gregw@zip.com.au> wrote:

>
> 24/05/2009 10:45:58
> Hi Poon,
>
> On our wiki the Common.js feature needs to be turned on. I am the admin for
> a sub-wiki, not the whole wiki. The sysop runs the whole wiki and the
> settings files (DefaultSettings.php and LocalSettings.php) have the switch
> '$wgUseSiteJs' turned off. The sysop's attitude is that any change to the
> settings is going to affect all sub-wikis, ours being just one of them. My
> argument is that the sysop can turn on the Common.js feature, which will
> affect all sub-wikis, and it is safe to do so. With this feature on I will
> be able to change the settings that I want changed without it affecting all
> the other sub-wikis.
>
> If you have a one-wiki system this will not be an issue for you. You will
> not need the Common.js file. As the sysop you can change the settings in
> the LocalSettings.php file.
>
> I'm trying to convince my sysop that it is safe to turn on '$wgUseSiteJs'
> because:
>
>  * only sub-wiki admins will be able to change their own sub-wiki Common.js
> file, not normal users. (The common.js file is protected by default)
>  * any JavaScript run from a local sub-wiki is unable to affect other
> sub-wikis.
>
> I'm hoping to draw on the expertise of this group to support my argument.
> :-)
>
>
> ___________
>  Greg
>
>
> -----Original Message-----
> From: mediawiki-l-bounces@lists.wikimedia.org
>  [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Ekompute
> .info
> Sent: Sunday, 24 May 2009 4:19 AM
> To: MediaWiki announcements and site admin list
> Subject: Re: [Mediawiki-l] Enabling the Common.js feature
>
> Hi, do pages need to be enabled? I think the question of enabling does not
> arise.
>
> PM Poon
>
> On Sat, May 23, 2009 at 7:19 PM, Greg Webb <gregw@zip.com.au> wrote:
>
> >
> > 23/05/2009 21:06:58
> > Hi:
> >
> > That's good to know. Do many MW admin/sysops allow the use of
> > Common.js through the settings switch $wgUseSiteJs? Some people seem
> > to think that it is 'dangerous'. I don't know the capabilities of
> > JavaScript but my IT experience would say that JavaScript cannot write
> > to areas that it is not permitted to write to. Hence I would conclude
> > that any changes I made using JavaScript on my sub-wiki would only be
> > able to address my sub-wiki, not the top level one and not any other
> > sub-wiki. That doesn't sound dangerous to the users of other wikis. Is
> > this argument flawed?
> >
> > Why do I want access to Common.js? Very simple application, I want to
> > set my own Favicon and not use the one set at the top level. :-)
> >
> > ___________
> >  Greg
> >
> >
> > -----Original Message-----
> > From: mediawiki-l-bounces@lists.wikimedia.org
> > [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of K.
> > Peachey
> > Sent: Saturday, 23 May 2009 7:37 PM
> > To: MediaWiki announcements and site admin list
> > Subject: Re: [Mediawiki-l] Enabling the Common.js feature
> >
> > All pages within the Mediawiki: namespace are automatically full
> > protected [hard so they can't be unprotected], so only users with
> > sysop/admin rights on the wiki would be able to edit it.
> >
> > _______________________________________________
> > MediaWiki-l mailing list
> > MediaWiki-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>
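
The per-wiki arrangement suggested in the reply above, sketched as a shared LocalSettings.php fragment. This is an added example, not code from the thread or from MediaWiki itself; the host names, wiki ids, favicon path and the FARM_WIKI environment variable are constructed placeholders, and database selection and other per-wiki settings are omitted.

```php
<?php
// Added example: farm-wide defaults plus per-wiki overrides in one LocalSettings.php.
// All host names, wiki ids and paths are constructed placeholders.

// Each wiki is served from its own host name, so each is a separate browser
// origin and site JS loaded on one cannot script pages of another.
$farmWikis = [
    'main.wiki.example.org' => 'mainwiki',
    'suba.wiki.example.org' => 'subwiki_a',
    'subb.wiki.example.org' => 'subwiki_b',
];

if ( PHP_SAPI === 'cli' ) {
    // Maintenance scripts have no host name; FARM_WIKI is a hypothetical
    // environment variable used here to pick the wiki.
    $wikiId = getenv( 'FARM_WIKI' ) ?: '';
} else {
    // Look the host up in the allowlist; never build paths or ids from it directly.
    $host = strtolower( $_SERVER['SERVER_NAME'] ?? '' );
    $wikiId = $farmWikis[$host] ?? '';
}
if ( !in_array( $wikiId, $farmWikis, true ) ) {
    // Unknown host or id: refuse rather than fall through to some default wiki.
    if ( PHP_SAPI !== 'cli' ) {
        header( 'HTTP/1.1 404 Not Found' );
    }
    exit( "No wiki is configured for this request.\n" );
}

// Farm-wide defaults chosen by the sysop (the situation described in the thread).
$wgUseSiteJs = false;           // MediaWiki:Common.js is not loaded
$wgFavicon   = '/favicon.ico';  // top-level favicon

// Per-wiki overrides: only the listed wiki is affected by each entry.
$perWikiSettings = [
    // Favicon changed without enabling site JS at all.
    'subwiki_a' => [ 'wgFavicon' => '/static/subwiki_a/favicon.ico' ],
    // Site JS enabled for this wiki only; Common.js stays editable by its admins only.
    'subwiki_b' => [ 'wgUseSiteJs' => true ],
];
foreach ( $perWikiSettings[$wikiId] ?? [] as $name => $value ) {
    $GLOBALS[$name] = $value;
}
```
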