[00:00:17] plenty of other raw html vulnerabilities without javascript
[00:00:33] Alright, let's see if this looks like it's supposed to do.
[00:00:39] I need HTML to add 3-D models to my site
[00:00:53] The 3-D models are HTML pages with a bunch of accompianing images
[00:00:55] write a parser tag extension
[00:01:26] http://www.mediawiki.org/wiki/Manual:Tag_extensions
[00:01:55] then you can generate the arbitrary HTML safely (if input is properly sanitized)
[00:06:04] ...now what
[00:06:34] Don't tell me I managed to save over something here so I have to redo everything
[00:07:04] Goddamnit.
[00:07:08] Goddamnit.
[00:08:04] Splarka: It looks like the HTML files which create the 3-d model are full of javascript
[00:08:14] so disabling javascript isn't an option
[00:08:38] But my users are a closed community of college students/staff/faculty which all can be traced back to a real person
[00:09:09] So if there is any way to monitor HTML additions to the wiki, I would be able to find easily those which are abusing rawhtml to try and exploit vulnerabilities
[00:13:56] lymeca: well, then you should be fine. While you cannot get changes to the html-pages only, you can subscribe to an RSS feed that outputs every change on the wiki
[00:14:18] with that feed, it should be possible to monitor potentially bad changes to the html
[00:16:22] still the best solution is an extension that constructs the html for you, easier to use in the long run too if there is any sort of repetitive code
[00:20:00] Skizzerz: This is a great idea. There would be multiple people in the wiki project willing to monitor the RSS feeds. Not sure how to do this off the top of my head but I think we can manage figuring it out.
[00:20:27] Splarka: See, the HTML we need it a file chock full of Javascript which calls a bunch of JPG images when the user clicks, holds, and rotates the mouse.
[00:20:39] It shows different JPG images as they rotate to simulate a 3-D model
[00:24:11] 03(mod) MediaZilla Email Address Privacy Concerns - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=148 +upstream; +comment (10brion)
[00:40:14] 03(mod) Create "Maps" component in MediaWiki extensions product - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=18391 (10brion)
[00:41:48] 03(mod) add {{revisiontime:}}/{{lastrevision:}} colon/parser function or {{REVISIONtimeformat|}} functionality to current magic words - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=6092 (10bugreporter)
[00:51:11] That kinda worked.
[00:51:22] Now I just need to figure out why that one's white. Though I may have an idea.
[00:57:43] Is anyone available to help me debug a template?
[00:57:48] :)
[00:58:05] Genius.
[00:58:10] http://en.wikipedia.org/wiki/Wikipedia:Help_desk#Request_for_assistance_due_to_my_own_stupid_mistake
[00:58:14] Splarka juaknapp has a q that is right up your street :-) sorry :-)
[01:00:06] is it correct that i should not change the status of a bug after adding a patch in bugzilla?
[01:00:15] add a patch keyword
[01:00:19] but that's it
[01:00:24] I'm going to catch the bus; I'll try checking in here later.
[01:00:31] Thanks to whomever takes a look.
[01:01:19] 03(FIXED) add {{revisiontime:}}/{{lastrevision:}} colon/parser function or {{REVISIONtimeformat|}} functionality to current magic words - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=6092 +patch (10bugreporter)
[01:01:38] I believe that made things better
[01:02:01] Skizzerz thx. done ;-)
[01:02:15] ...now that I've done a lot of things that were unrelated to my original problem, let's see what the hell the proposed solution to my original asked-two-hours-ago problem was
[01:02:35] Merlissimo: uh... did you mark it as fixed?
[01:02:47] no
[01:03:07] weird
[01:03:27] ah, I get it
[01:03:30] normally i set it to "resolved" but bugzilla has no such status
[01:04:28] but history say that i did ???
[01:05:20] you did
[01:05:21] https://bugzilla.wikimedia.org/show_activity.cgi?id=6092
[01:05:46] a typed patch in the keyword field and pressed enter
[01:06:45] Splarka can you fix it?
[01:06:48] bugzilla gremlins
[01:07:01] you already +FIXED it ^_^
[01:07:16] and it should be fixed?
[01:07:35] you mean un-FIXED it?
[01:07:40] because it it not in svn
[01:07:44] just choose (*) Reopen bug
[01:07:57] i only created the patch
[01:08:30] *^demon FIXED's things sometimes
[01:08:56] 04(REOPENED) add {{revisiontime:}}/{{lastrevision:}} colon/parser function or {{REVISIONtimeformat|}} functionality to current magic words - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=6092 (10bugreporter)
[01:09:07] ... lots of mails ...
[01:09:45] *Splarka thinks nobody really understands bugzilla
[01:10:09] I don't think anybody really understands Splarka either
[01:10:13] <^demon> I understand it.
[01:10:20] <^demon> Not Splarka...Bugzilla.
[01:10:41] Is it intentional that you need the createpage right to upload files?
[01:10:58] I don't need to be understood
[01:11:25] emu: do you need it to reupload too?
[01:11:33] if that is the case, that doesn't quite make sense
[01:11:47] <^demon> Emufarmers: It depends on if you're having to make a new page (createpage) for the description.
[01:12:15] here is a funny: http://en.wikipedia.org/wiki/Special:ListGroupRights
[01:12:21] Splarka my previous hail was re. a helpme from a relative new user on 'wikipedia-en' re. template issues; I thought they'd prob get a much better answer here; ref http://en.wikipedia.org/wiki/Wikipedia:Help_desk#Request_for_assistance_due_to_my_own_stupid_mistake - sorry for 'passing the buck', hope that makes sense
[01:12:22] autoconfirmed: upload, reupload
[01:12:22] i understood Splarka - most of the time
[01:12:29] user: reupload-own
[01:12:34] er
[01:12:41] sorry, I meant the edit right
[01:12:42] so
[01:12:56] you can upload or reupload if you're autoconfirmed
[01:13:04] but if not, all you can do is reupload-own
[01:13:14] ... which you can't do, since you can't upload in the first place
[01:13:35] (well, there are cases where this could happen, like if you reached the autoconfirmed threshhold and the switched to tor)
[01:13:38] I get this error sometimes: 'Error creating thumbnail: convert: unable to open image /some/path/to/images/' but I know that the path is correct. What reason could there be for that?
[01:13:49] chzz: saw, will look later since they left
[01:13:59] <^demon> mvatki: If you don't have permissions to that directory.
[01:14:06] Woo
[01:14:19] that's something that I hadn't though about, thanks
[01:14:28] <^demon> no problem.
[01:15:05] Hey Sparkla remember that thing I asked about two hours ago? I finally got done. Thanks for the help, now it doesn't look stupid anymore.
[01:15:12] heh
[01:15:18] deeper problems are fun, eh
[01:15:37] In the meantime I edited the same main.css twice because I lost my original edit somewhere!
[01:15:43] [AMB]Tolsome uggraded earlier to 1.14, and their skin lost Common.css
[01:15:50] ugh-graded, heh
[01:15:54] Haha
[01:16:03] Splarka many thx as always; no rush
[01:16:14] but the only symptom was a link being centered
[01:16:41] I'm still on 1.13.4, I'm waiting for Dreamhost to provide the 1.14 upgrade.
[01:17:03] Dreamhost panel, that is.
[01:17:44] Be a real man and do it yourself
[01:18:40] Not that DH's panel isn't pretty good, but...
[01:18:40] hey emu, has Mediawiki.org always had this much daily IP vandalism?
[01:18:43] Does it count as doing it myself if I after hitting the "upgrade" button in the web panel have to SSH into the server and run some scripts?
[01:18:57] KennyMan666: no
[01:19:03] D'oh.
[01:19:06] That just means that their upgrader sucks
[01:19:11] So I retract my previous statement
[01:19:20] Actually, I'm not sure I -have- to do that
[01:19:24] Well
[01:19:26] Splarka: no
[01:19:41] I did select the "advanced" option, as opposed to the "we handle absolutely everything for you" option
[01:19:47] When I installed it
[01:19:55] ialex probably pissed somebody off on Wikipedia :D
[01:20:00] heh
[01:20:25] werdna sysopped me so I could update the scapmap gadget, so suddenly I feel a tiny bit guilty for not patrolling it
[01:20:38] when I was looking at his talk page, I came across http://www.mediawiki.org/wiki/User_talk:IAlex#Your_deleting_my_image_before_I_was_even_done_was_the_last_straw_for_me._I.27m_quitting_wiki which made me laugh pretty hard
[01:20:47] rc is pretty well covered
[01:21:04] if it was I wouldn't have anything to do
[01:21:28] hrm... chmod'ing didn't work...
[01:21:29] All I need now is a better background image, but that's a job for our graphics person, not me.
[01:21:54] but randomly visiting it (usually when I reference a page I'll hit alt+r just to check), I'll see something to delete or rollback once in a while
[01:22:11] I would call that "pretty well covered"
[01:22:21] http://www.mediawiki.org/w/index.php?title=Special:Log&user=Splarka
[01:22:29] *Splarka throws ostrich eggs at ya
[01:22:40] My favorite
[01:23:30] Anyway, so is it intended behavior that you can't upload a file without the edit right?
[01:25:12] well, to upload a new file you have to create a description page, which is typically associated with editing (you need the edit right to create other pages), so that seems logical
[01:25:16] is it needed for reuploading?
[01:25:29] Yes
[01:25:44] that makes a tiny bit less sense, but maybe is intended
[01:25:55] you need 'edit' rights to do most things
[01:26:23] I ask because the upload form is still accessible (and linked on the toolbar) if you have the upload right but not the edit right
[01:26:43] If it being a requirement is intended, then it should be hidden
[01:33:24] hmm
[01:33:34] looks like the intention is there, sort of
[01:33:57] possibly as a lazy check to see if the user has permission to edit the description page of the chosen filename
[01:34:18] this probably covers all the bases, like protection, title blacklist, namespace restrictions, etc
[01:35:02] Well, it's a question of granularity versus intuitive customization
[01:35:27] it is also silly to give upload permission without edit
[01:35:46] I can't think of any other reason why the images directory wouldn't be accessible. I checked the permissions...
[01:35:49] I mean, if all the permissions are granular, then somebody who doesn't want regular users to edit will have to disable upload for user and so on
[01:35:53] but yeah, there is that
[01:36:14] mvatki: what are the permissions on it?
[01:36:23] 777 for now
[01:36:29] what about the subdirectories?
[01:36:49] (though I forget whether that matters)
[01:37:00] I said chmod 777 -R ./path/to/images
[01:37:10] Well, that would do it
[01:37:46] that's what I thought... but I still get the same error. This is with a shared image directory on the same server
[01:38:19] but when I plug the path into the browser, I get the image that I'm looking for
[01:39:16] hmm, what user does convert run under?
[01:41:50] not root
[01:42:16] ok, well, su to whatever user it runs as and make sure you can access the files then
[01:42:17] but the web directory is located in a sub folder of that user's home
[01:42:31] oh
[01:43:39] and, a brand-new [[WP:WTF]] comes into being; [[Wikipedia:IDONTLIKETHENOMINATOR]] :--)
[01:44:09] 03(NEW) Special:Specialpages shouldn't link to the upload form if you don't have the upload right - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=18407 trivial; Normal; MediaWiki: Uploading; (Emufarmers)
[01:53:21] 03(NEW) The upload form should not be visible or linked to for users who don't have the edit right - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=18408 minor; Normal; MediaWiki: Uploading; (Emufarmers)
[01:53:23] 03(mod) Special:Specialpages shouldn't link to the upload form if you don't have the upload right - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=18407 (10Emufarmers)
[01:57:44] 03(NEW) Special:Specialpages should not link to the upload form if uploads are disabled - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=18409 trivial; Normal; MediaWiki: Uploading; (Emufarmers)
[01:57:51] woo
[01:58:23] sheesh
[01:58:35] *Splarka idly wonders if rollback is appropriate for resetting the sandbox
[01:59:15] You're supposed to use "Click here to reset the sandbox."
[02:00:07] *Splarka is so lazy though
[02:00:24] You're too lazy to move the mouse down a few inches?
[02:00:43] You've just set a new standard for laziness
[02:00:45] *Emufarmers salutes
[02:01:30] http://www.mediawiki.org/w/index.php?title=Sandbox&curid=31964&diff=248585&oldid=248581
[02:01:42] Yes, I saw
[02:01:47] but I didn't
[02:01:52] "Click here to reset the sandbox."
[02:01:53] ?
[02:02:01] ah
[02:02:01] *Splarka could move the mouse many inches and not see it
[02:02:17] Then it wasn't laziness! :(
[02:02:23] I wouldn't have bothered rolling them back, except they removed the first line
[02:03:21] they did it again but left the line alone <3
[02:03:57] :3
[02:04:08] is there a way to set global preferneces on WMF wikis?
[02:04:18] no
[02:04:23] but you're right, there should be :)
[02:04:37] I might think about doing it in my general preferences work branch
[02:04:49] werdna: please??
[02:07:48] 03(ASSIGNED) Change global defaults doesn't work for registered users - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=5363 +comment (10agarrett)
[02:13:04] 03(ASSIGNED) Special:Preferences should list account registration date - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=17191 +comment (10agarrett)
[02:16:58] 03(FIXED) Gender switch in user preferences - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=13040 (10agarrett)
[02:18:03] 03(ASSIGNED) Global preferences - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=14950 +comment (10agarrett)
[02:20:41] i'm trying to upload an 8 meg file. max. file size is set to 12 MB (per Special:Upload). Whether it's through pywikipedia or manually, after commencing the upload, the Special:Upload page returns to me with no error message, and a non-existant upload. where do i go from here? 23 other uploads (of much smaller sizes) went fine.
[02:21:30] 03(NEW) Merge preferences-work branch with trunk - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=18410 enhancement; Normal; MediaWiki: User preferences; (agarrett)
[02:21:46] 03(mod) Change global defaults doesn't work for registered users - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=5363 (10agarrett)
[02:21:49] 03(mod) A hook to enable putting options to the preferences tab - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=14806 (10agarrett)
[02:21:53] 03(mod) Possibility to link to particular section of [[Special:Preferences]] - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=16013 (10agarrett)
[02:22:17] 03(mod) Special:Preferences should list account registration date - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=17191 (10agarrett)
[02:22:52] 03demon * r49324 10/trunk/phase3/ (6 files in 2 dirs):
[02:22:52] Stage 2 of war on $wgTitle!! Make OutputPage, Skin and children rely on mTitle
[02:22:52] rather than $wgTitle. In theory, you could have an OutputPage/Skin that was
[02:22:53] referring to some title other than $wgTitle, unlikely though. In any case, make
[02:22:53] getTitle() return $wgTitle for now, just in case.
[02:23:40] i'm not seeing anything with debug on either.
[02:24:36] upload_limit is set to 12MB in php.ini?
[02:25:06] upload_max_filesize = 12M
[02:25:07] ayup.
[02:25:18] in the past, it looks like i've been able to upload 5.89MB (from pywikipedia) no problem.
[02:25:22] just choking on this 8megger
[02:25:35] How long does it take?
[02:25:50] before choking? 10 seconds or so.
[02:25:55] lemme time it and watch my outgoing.
[02:27:06] yeah. hrm. about 10 seconds at 650k according to outbound.
[02:27:37] *Morbus wonders how he clears this stupid log so he can't start at 0 upload.
[02:27:53] What's max_input_time at?
[02:28:00] is post_max_size above 12 as well?
[02:28:30] 60, and 8 (!) respectively.
[02:28:34] *Morbus tweaks the 8.
[02:28:42] heh
[02:28:56] !filesize
[02:28:56] --mwbot-- The size of files you can upload to PHP is limited by the upload_max_filesize and post_max_size directives in your php.ini. MediaWiki itself only limits direct (copy) uploads from a URL, this is configured via $wgMaxUploadSize.
[02:29:08] even a macro for it, handy
[02:29:13] *Morbus grins.
[02:29:40] you'd think they'd put the damn setting somewhere near upload_max, but nOooOOo.
[02:29:45] first time i've heard of it/run into this.
[02:30:28] "illogic? in my php? it's more likely than you think"
[02:30:41] heh, yeah, i shoulda known.
[02:30:43] Splarka: does the limit printed on Special:Upload take upload_max_filesize?
[02:31:00] Emufarmers: it's gotta, as that's the only 12M in the php.ini.
[02:31:12] *^demon hates $wgTitle
[02:31:18] in that case, it should probably take post_max_size into account too
[02:31:40] hmm
[02:32:02] $wgUploadSizeWarning
[02:32:09] which does nothing of course
[02:32:20] yep, it went swimmingly that time.
[02:32:44] thanks (http://www.videounderbelly.com/wiki/Image:Destination_Moon-1950-Italian-Poster-1.jpg SFW; rest of site NSFW)
[02:32:46] http://www.mediawiki.org/wiki/Manual:$wgUploadSizeWarning
[02:33:36] no idea where that "Maximum" comes from though
[02:33:40] *Splarka ponders
[02:33:56] whelp, easy way to find out...
[02:34:01] I believe it's the max for upload_by_url?
[02:34:02] *Morbus greps.
[02:34:12] ...I completely forgot, what's the title of the page for editing the navigation box...
[02:34:16] https://bugzilla.wikimedia.org/show_bug.cgi?id=17941
[02:34:19] upload-maxfilesize
[02:34:44] phase3/includes/specials/SpecialUpload.php
[02:34:49] Special:Sidebar
[02:35:03] <^demon> Would be nice to have it check filesize by callback during-upload, so we can abort early if it's too big.
[02:35:15] $wgLang->formatSize( $val2 ) ) .
[02:35:37] Is it possible to know the file size before the file is uploaded?
[02:35:37] $val = trim( ini_get( 'upload_max_filesize' ) );
[02:35:43] *werdna big commit
[02:35:53] index.php?title=Special:Sidebar gives me "No such special page"
[02:35:54] not really
[02:35:58] Er
[02:36:00] 03werdna * r49325 10/branches/preferences-work/phase3/ (4 files in 2 dirs):
[02:36:00] * Add the user information panel to the new preferences form.
[02:36:00] * Add signature cleaning.
[02:36:01] * Replace some $wgUser with $user.
[02:36:01] * Prod form values in from the user object. Note that 'default' refers to 'state before any user input is given', and not 'preference default', which comes from the user object.
[02:36:01] web sucks for uploads
[02:36:01] MediaWiki:Sidebar
[02:36:02] * Fix loadOptions() in User object.
[02:36:04] * Add some stuff stored in the User object to the preferences list
[02:36:23] Emufarmers: Ah yes, that did it
[02:36:24] Thanks
[02:36:25] so yes Emufarmers, it does not take into account post size
[02:36:36] open a bug, you're on a roll ^_^
[02:36:43] Already one it ^____^
[02:39:14] 03(NEW) The upload form only checks upload_max_filesize, not post_max_size - 10https://bugzilla.wikimedia.org/show_bug.cgi?id=18411 minor; Normal; MediaWiki: Uploading; (Emufarmers)
[02:42:02] 03demon * r49326 10/trunk/phase3/skins/ (CologneBlue.php Standard.php): Cleanup, these can use mTitle rather than getting it from $wgOut.
[02:42:27] Emufarmers, Splarka: thanks again.
[02:42:28] *Morbus waves.
[02:42:47] http://www.mediawiki.org/w/index.php?diff=248591&oldid=245166 okay... wat
[02:42:51] ciao Morbus
[02:43:47] bye
[02:46:59] hmm, does PHP have a "return the smaller of the parameters" function?
[02:48:20] min()?
[02:48:27]