#dplreplace MIA on my wiki
Closed, Resolved (Public)

Description

As I just found out minutes ago on my site's conlang dictionary, the crucial RegexFunctions substitute {{#dplreplace:}} (part of the DynamicPageList3 system, and which every entry depends on) is currently MIA on my wiki, and possibly every other Miraheze site with DPL3 (since maybe hours or a couple of days ago). As quick investigation shows, this is tied to a security change documented in its GitHub changelog:

Version 3.5.2

Added additional ReDoS security validation for dplreplace and enabled the SecurityCheck-ReDoS phan check

From the looks of it, it seems Miraheze hasn't undergone that check just yet; a wait-and-see approach is in order.

First in a brief series of post-MW 1.39 bug reports I'll be filing over the next several days.


On a related note: RgxF itself remains on hold (T8866) till we get Semantic Result Formats off the ground (T9287#210981).

Event Timeline

BrandonWM triaged this task as Normal priority. Feb 15 2023, 00:15
Unknown Object (User) added a comment. Feb 15 2023, 02:20

I updated DPL3 for ReDoS validation; if it further broke things, apologies, but it is only meant to disallow dangerous regex patterns that can lead to ReDoS. So if it uses one, then the behavior is expected. Could you provide an example regex that is broken, and a page that shows it broken please? Thanks!

As for RegexFunctions itself, I will be looking to try to re-enable it shortly as well, or if it is still dangerous, a permanent removal of the extension entirely. Security is a foremost concern and we must be sure we only have extensions adhering to that. I apologise for the inconvenience, but depending here, this may not be possible to fix.

Bit of a long story, but here goes...

  • The dictionary entries use {{Decl}}, a tag used to determine declension codes in Tovasala; the relevant detection is {{#dplreplace:{{PAGENAME}}|([eoaiu]{{!}}é{{!}}ê{{!}}ọ{{!}}ạ{{!}}ar{{!}}(?<![eou])at)$||{{PAGENAME}}}}. (Morpheme tables are unaffected output-wise [while entries display "Unknown error"], but the coding residue from the RgxF days is another matter entirely; I'll try to clean that up as I find time.)
  • Meanwhile, the entries themselves use {{#dplreplace:{{#arrayprint:word-stem}}|((?<![iu])e{{!}}ē).$|è{{#sub:{{#arrayprint:word-stem}}|-1}}}} in sub-entries for derivative forms of Tovasala headwords. (Note the {{#arrayprint:}} from the Arrays extension.) For an example of the missing stems, see "esil" (an adposition meaning "from").
  • Furthermore, {{Definition/Arrays}} is awash in replacement calls.

...How was this a double post? (I only pressed "Submit" just once...)

Unknown Object (User) closed this task as Resolved. Mar 12 2023, 21:05
Unknown Object (User) claimed this task.
Unknown Object (User) added a project: Upstream.

I've changed this in DPL3 now; it'll be updated during the next round of extension updates.
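
Added example (not part of the task thread and not DPL3's actual validation code): a static heuristic of the kind a ReDoS pre-check can apply, flagging an unbounded quantifier wrapped around a group that already contains one, run over the two patterns quoted in this task. The function names and the `(a+)+$` sample are constructed for illustration; this catches one backtracking shape only.

```python
import re

UNBOUNDED = re.compile(r"[+*]|\{\d+,\}")   # quantifiers with no upper bound

def expand_wikitext(pattern: str) -> str:
    # {{!}} is the MediaWiki magic word that yields a literal "|" inside a parser function
    return pattern.replace("{{!}}", "|")

def nested_unbounded_quantifier(pattern: str) -> bool:
    """True if a group whose body holds an unbounded quantifier is itself
    repeated without bound, e.g. (a+)+ (hypothetical helper, one heuristic only)."""
    stack = [False]   # per open group: does its body hold an unbounded quantifier?
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "\\":                       # escaped character: skip the pair
            i += 2
        elif ch == "[":                      # character class: + and * are literals here
            i += 2 if pattern[i + 1:i + 2] == "^" else 1
            if pattern[i:i + 1] == "]":      # a leading ] is a literal
                i += 1
            while i < n and pattern[i] != "]":
                i += 2 if pattern[i] == "\\" else 1
            i += 1
        elif ch == "(":                      # also covers (?: and lookarounds like (?<!
            stack.append(False)
            i += 1
        elif ch == ")":
            inner = stack.pop() if len(stack) > 1 else False
            if inner and UNBOUNDED.match(pattern, i + 1):
                return True                  # repeated group around a repeated body
            stack[-1] = stack[-1] or inner   # propagate to the enclosing group
            i += 1
        else:
            m = UNBOUNDED.match(pattern, i)
            stack[-1] = stack[-1] or bool(m)
            i = m.end() if m else i + 1
    return False

# The two patterns quoted in this task, plus one constructed textbook bad case.
TASK_PATTERNS = [
    "([eoaiu]{{!}}é{{!}}ê{{!}}ọ{{!}}ạ{{!}}ar{{!}}(?<![eou])at)$",
    "((?<![iu])e{{!}}ē).$",
]
CONSTRUCTED_BAD = "(a+)+$"

def report() -> dict:
    pats = [expand_wikitext(p) for p in TASK_PATTERNS] + [CONSTRUCTED_BAD]
    return {p: nested_unbounded_quantifier(p) for p in pats}
```

Under this heuristic neither quoted pattern is flagged, since both are fixed-length alternations with a lookbehind and no `+`, `*` or open-ended `{n,}`; a production validator would also need to consider overlapping alternations and engine-specific limits.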