Description
Related Objects
- Mentioned In
  - T4387: Allowing external html5 video (mp4) on my wiki
  - T3500: Enable VisualEditor, ImageMap and Html5mediator on nrp1.miraheze.org
  - T2269: Enable html5Mediator(mediawiki.org/wiki/Extension:Html5mediator) on fefoxttt.miraheze.org
  - T1628: Feature request for modular
- Mentioned Here
  - T1538: Please add Cargo extension to https://scruffy.miraheze.org
  - T1628: Feature request for modular
Event Timeline
@labster The extension looks very simple, as it only has a short (113-line) PHP file. All it does is take the SRC from videos, so it should really not have any security concerns. I'd say it can be approved, just need a quick approval from you.
Well, not so simple actually. Currently declined due to security issues (arbitrary JS insertion), but easily fixable. I'm going to see if the author will merge someone else's PR from 5 months ago. If he does, then it's worth me writing the code to fix the issue.
Actually, that was someone else's PR from 17 months ago... oops.
I opened https://github.com/lightbinder/Html5mediator/issues/7 with a detailed description of how to exploit it. Unless that gets fixed, we won't be installing this extension here. The word vulnerability might get his attention -- or it might not. And it looks like 1.30 may get some <video> support, so this might become a moot issue before this extension gets fixed.
Setting status to Stalled for now. If nothing happens in a month, we'll decline.
Just noting here that there's a secure alternative at: https://www.mediawikiwidgets.org/Html5media
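
An added example, not part of the thread and not Html5mediator's code: the kind of check a reviewer looks for in a tag extension that turns editor-supplied text into a `<video>` element. It assumes the "arbitrary JS insertion" class of problem comes from writing that text into the markup unvalidated and unescaped; the function name, allowlists and sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: builds a <video> element from the untrusted text
// a wiki editor placed inside a parser tag. Returns null when rejected.
const ALLOWED_SCHEMES = ['http', 'https'];
const ALLOWED_EXTENSIONS = ['mp4', 'webm', 'ogv'];

function renderVideoTag(string $input): ?string
{
    $src = trim($input);
    $parts = parse_url($src);
    // Require an absolute URL: scheme, host and path must all be present.
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }
    // Allowlist the scheme so javascript:, data: and similar never reach the page.
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return null;
    }
    // Allowlist the media type by file extension of the URL path.
    $ext = strtolower(pathinfo($parts['path'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // Escape on output even after validation: quotes and angle brackets in
    // the URL must not terminate the attribute or open a new element.
    $safe = htmlspecialchars($src, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<video controls preload="metadata" src="' . $safe . '"></video>';
}

// Constructed sample inputs: one benign URL, one URL with a quote in its
// path (accepted but escaped), and three that fail validation.
$samples = [
    'https://media.example.org/clip.mp4',
    'https://media.example.org/a"b.mp4',
    'https://media.example.org/clip.mp4" onloadstart="alert(1)',
    'javascript:alert(1)//clip.mp4',
    '"></video><script>alert(1)</script>',
];
foreach ($samples as $sample) {
    echo renderVideoTag($sample) ?? 'REJECTED', PHP_EOL;
}
```

Inside a MediaWiki extension, building the element with `Html::element()` instead of string concatenation gives the same attribute escaping.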