This extension has some very long standing security issues which led to be disabled globally over a year ago. Glancing at the git repo for the extension, nothing has changed. RegexFunctions should thus be undeployed.
Description
Status | Assigned | Task | ||
---|---|---|---|---|
Resolved | Agent_Isai | T11308 Upgrade to MediaWiki 1.41 | ||
Resolved | Universal_Omega | T10916 Prepare for MediaWiki 1.41 | ||
Resolved | None | T10612 Upgrade to MediaWiki 1.40 | ||
Resolved | None | T10680 Test extensions for MediaWiki 1.40 | ||
Open | None | T10882 Undeploy RegexFunctions for MediaWiki 1.40 |
Event Timeline
Developer Skizzerz, who only pops by at MW.org/Wikimedia once every few months these days, has nonetheless been informed by me just this moment. If possible, I'll try to bring word of the security concerns to WM Phab the sooner I join their equivalent hub. I'll keep you posted.
@Routhwick somewhat unrelated but I tried to email you but you don't have an email verified on your wiki account. Would you be interested in helping us test Semantic MediaWiki on MediaWiki 1.40 to make sure we don't break SMW wikis when we upgrade/to ensure no bugs exist?
Feedback from Skizzerz (now that I've got his last letter right this time), just this moment (bolded emphasis mine):
"Pathological regex patterns are not a security issue, they are a configuration issue. PCRE has multiple php.ini settings to control how much backtracking or recursion will be allowed in a regex before it errors out."