On Mon, 17 Dec 2012, Platonides wrote:
> http://www.mediawiki.org/wiki/Extension:RSS_Reader seems to live
> exclusively at the wiki page, instead of being at a repository.
> […]
> Just edit the page when fixing the bug.

Oh, okay. I just did so.

On Mon, 17 Dec 2012, Jonathan Wiltshire wrote:
> (for those following at home: Debian can only issue CVEs for non-public
> issues AIUI, which is why it's a shame you didn't bring them into the
> loop before opening a bug.)

Oh, I didn’t know that. I’ve got about zero experience dealing with
security issues. This might show. I’ll listen and learn ☺

(Why? I mean, I’d make all issues public immediately, no?)

> Ok, what I really meant was that you'd have to know someone is using
> Mediawiki to read your feed, which is probably feasible but I can't
> imagine there are thousands of people doing so. We don't really know
> either way, we should probably play it cautious.

Hrm.

tg@eurynome:~ $ fgrep tag_event.rss /var/www/logs/access_log
[…]
fb-n15-11.unbelievable-machine.net - - [17/Dec/2012:16:08:25 +0000] -:-:IPv4"www.mirbsd.org" "GET /tag_event.rss HTTP/1.0" 200 66185 "-" "-"
fb-n15-11.unbelievable-machine.net - - [17/Dec/2012:17:07:49 +0000] -:-:IPv4"www.mirbsd.org" "GET /tag_event.rss HTTP/1.1" 200 66185 "http://www.mirbsd.org/tag_event.rss" "SimplePie/1.1.3 (Feed Parser; http://simplepie.org; Allow like Gecko) Build/20081219"

SimplePie is used by FusionForge (that’s the thing which actually does strip <script> but not <yurt> or </yurt>; maybe I should clone the bug, with lower severity, against it to ask that they validate that titles don’t contain HTML?), and the other is probably Mediawiki (there’s only a third UA in my access_log, and that’s Google’s feed fetcher, so it has to be this one, and the IPv4 matches).

So when you get requests without a referer or UA, which are *not* periodic, from some site, you can assume with a not-low chance that it’s Mediawiki. (Feeds are read upon first access and then cached for a while.)
bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke
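The log heuristic stated in the message above (feed fetches that carry neither a Referer nor a User-Agent and do not recur at a fixed interval point to MediaWiki's RSS extension, because it fetches the feed on first page view and then serves a cached copy for a while), worked through as an added Python example. This is not code from the thread, from MediaWiki or from FusionForge. The log lines are constructed to mimic the mirbsd.org access_log format quoted above; the hostnames, timestamps and sizes are invented, and the periodicity tolerance, the three-hit minimum and the verdict labels are choices made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log modelled on the access_log format quoted in the thread.
# Hosts, times and sizes are invented for this example; only the layout is real.
SAMPLE_LOG = """\
fetcher-a.example.net - - [17/Dec/2012:16:08:25 +0000] -:-:IPv4"www.mirbsd.org" "GET /tag_event.rss HTTP/1.0" 200 66185 "-" "-"
fetcher-b.example.net - - [17/Dec/2012:17:07:49 +0000] -:-:IPv4"www.mirbsd.org" "GET /tag_event.rss HTTP/1.1" 200 66185 "http://www.mirbsd.org/tag_event.rss" "SimplePie/1.1.3 (Feed Parser; http://simplepie.org; Allow like Gecko) Build/20081219"
fetcher-a.example.net - - [17/Dec/2012:19:41:03 +0000] -:-:IPv4"www.mirbsd.org" "GET /tag_event.rss HTTP/1.0" 200 66185 "-" "-"
cron-c.example.org - - [17/Dec/2012:16:00:00 +0000] -:-:IPv4"www.mirbsd.org" "GET /tag_event.rss HTTP/1.1" 200 66185 "-" "-"
cron-c.example.org - - [17/Dec/2012:17:00:00 +0000] -:-:IPv4"www.mirbsd.org" "GET /tag_event.rss HTTP/1.1" 200 66185 "-" "-"
fetcher-a.example.net - - [18/Dec/2012:03:12:47 +0000] -:-:IPv4"www.mirbsd.org" "GET /tag_event.rss HTTP/1.0" 200 66185 "-" "-"
cron-c.example.org - - [17/Dec/2012:18:00:00 +0000] -:-:IPv4"www.mirbsd.org" "GET /tag_event.rss HTTP/1.1" 200 66185 "-" "-"
browser-d.example.com - - [17/Dec/2012:16:30:10 +0000] -:-:IPv4"www.mirbsd.org" "GET /index.htm HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
"""

# One line of the quoted format:
#   host ident user [time] conn"vhost" "METHOD path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'[^"\s]*"(?P<vhost>[^"]*)" '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access_log line into a dict; returns None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse a whole log, silently dropping lines in another format."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def is_periodic(times, tolerance=0.1):
    """True if three or more hits recur at (nearly) the same interval, i.e. a scheduled poller.
    The tolerance (max gap may exceed min gap by 10%) is a choice for this example."""
    if len(times) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    lo, hi = min(gaps), max(gaps)
    return lo > 0 and (hi - lo) / hi <= tolerance


def classify_feed_clients(records, feed_path):
    """Apply the thread's heuristic to every client host that fetched feed_path."""
    by_host = defaultdict(list)
    for r in records:
        if r["path"] == feed_path:
            by_host[r["host"]].append(r)
    verdicts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda r: r["time"])
        anonymous = all(r["referer"] == "-" and r["ua"] == "-" for r in hits)
        periodic = is_periodic([r["time"] for r in hits])
        if not anonymous:
            verdict = "identified"       # the UA or Referer already says what the client is
        elif periodic:
            verdict = "periodic-poller"  # a scheduled aggregator, not an on-access fetch
        else:
            verdict = "mediawiki-like"   # no UA, no Referer, irregular: fetched on page view, then cached
        verdicts[host] = {
            "hits": len(hits),
            "ua": hits[-1]["ua"],
            "periodic": periodic,
            "verdict": verdict,
        }
    return verdicts


if __name__ == "__main__":
    for host, v in classify_feed_clients(parse_log(SAMPLE_LOG), "/tag_event.rss").items():
        print(f"{host:24} hits={v['hits']} periodic={v['periodic']} -> {v['verdict']} ({v['ua']})")
```

The heuristic is only as good as the log window: with fewer than three hits from a host the periodicity test cannot say anything, so in practice one runs this over days of access_log, and, as the message notes, a matching source address across the anonymous and the identified requests is the stronger clue.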