Page MenuHomeMiraheze
Create Task
Maniphest T4788

Extension review: Avatar
Closed, DeclinedPublic
Actions

Description

https://github.com/nbdd0121/MW-Avatar

Related Objects
Search...

StatusAssignedTask
 InvalidNoneT4612 Add some extensions on "mcspringfieldserver.miraheze.org"
 DeclinedNoneT4788 Extension review: Avatar

Event Timeline

Zppix triaged this task as Normal priority.Oct 10 2019, 14:48
Zppix created this task.
Herald added a subscriber: CnocBride. · View Herald TranscriptOct 10 2019, 14:48
John added a project: Extensions.Apr 8 2020, 23:50
Herald added subscribers: Examknow, Void, NDKilla. · View Herald TranscriptApr 8 2020, 23:50
John removed a project: Extension-Review.Apr 8 2020, 23:57
Paladox moved this task from Backlog to Security Review Needed on the Extensions board.Apr 9 2020, 00:05
Reception123 mentioned this in T4612: Add some extensions on "mcspringfieldserver.miraheze.org".Apr 11 2020, 16:54
Samwilson subscribed.May 6 2020, 04:56

I would advise against this extension.

It creates its own web entry point, extensions/Avatar/avatar.php, as well as a custom file-upload process. Both of these things are a security risk. I'm not saying that there's any particular vulnerability with either of them (I haven't looked). There are other, more secure and well-known, ways of doing what it's trying to do.

@Zppix could you explain a bit more of what you're trying to do with this extension? It looks like displaying a user avatar on profile pages and user links could be done via a gadget and some file naming conventions. Are there other aspects of this extension that you need?

AmandaCath added a project: Configuration.May 6 2020, 13:16
AmandaCath moved this task from Security Review Needed to Backlog on the Extensions board.
Herald added a subscriber: Reception123. · View Herald TranscriptMay 6 2020, 13:16
AmandaCath moved this task from Backlog to Pending answer on the Configuration board.May 6 2020, 13:16
AmandaCath subscribed.

Security review declined per above. Pending answer from task author.

John subscribed.May 6 2020, 15:27

@Aunst see Sam’s message above as requester

Paladox closed this task as Declined.May 14 2020, 19:59
Aunst added a comment.EditedMay 30 2020, 23:09

Oh, ok, I think my wiki not must to have a avatar system.

Thanks a lot.

Hispano76 mentioned this in T5945: I need help!.Jul 21 2020, 00:40