Topic on User talk:Skizzerz

Slgrandson (talk · contribs)

As noted on their Phabricator recently, Miraheze is considering retirement of the ReplaceText extension from their list during their transition to MW 1.40. As Agent Isai (talk · contribs) has pointed out, "This extension has some very long standing security issues which led to be disabled globally over a year ago. Glancing at the git repo...nothing has changed. [It] should thus be undeployed." While porting conlang-dictionary entries from Referata to my MH site, yours truly found out the hard way back then (as documented at length in T8866).

In case you've caught this message now or in the next few days, maybe you could try upgrading it to a level that meets MH's security threshold, or take up the matter to a developer who knows their way around regex. Perhaps Wikimedia's own Phab might be informed next?

To @Bawolff: From here, I'll leave further commentary/ideas/suggestions to you. --Slgrandson (talk) 20:14, 26 May 2023 (UTC)

Skizzerz (talk · contribs)

Nobody has notified me about any security issues with RegexFunctions so I haven’t the slightest idea of what they’re talking about.

Bawolff (talk · contribs)

I'm not really sure why I'm pinged here, but is there a public description of the issue? Are we talking about ReDoS or something else?

Nothing pops out to me at a quick glance through the repo, other than maybe a ReDoS risk, but I don't really think that matters in context to most users, practically speaking.

Slgrandson (talk · contribs)

@Skizzerz / @Bawolff: Long story short: Per Universal Omega (talk · contribs) last year at T8866, MH Phab:

  • "RegexFunctions has been disabled as it's causing OOMs."
  • "We do not want to optimize regexes, since we don't control what users use it for, so it is not a suitable option for us."

--Slgrandson (talk) 22:18, 26 May 2023 (UTC)

Skizzerz (talk · contribs)

Pathological regex patterns are not a security issue; they are a configuration issue. PCRE has multiple php.ini settings to control how much backtracking or recursion will be allowed in a regex before it errors out.

Reply to "Re: RegexFunctions"
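
The php.ini settings mentioned in the last post are `pcre.backtrack_limit` and `pcre.recursion_limit`. As an added example (not code from RegexFunctions or from anyone in this thread), the PHP wrapper below tightens both limits around a single match and treats a limit hit as an error rather than as "no match"; the function name, the limit values and the sample pattern are assumptions.

```php
<?php
// Added illustration; boundedPregMatch() and the limit values are assumptions.

// Error codes that mean "PCRE gave up because a limit was reached".
const PCRE_LIMIT_ERRORS = [
    PREG_BACKTRACK_LIMIT_ERROR => 'backtrack limit reached',
    PREG_RECURSION_LIMIT_ERROR => 'recursion limit reached',
    PREG_JIT_STACKLIMIT_ERROR  => 'JIT stack limit reached',
];

function boundedPregMatch(string $pattern, string $subject,
    int $backtrackLimit = 100000, int $recursionLimit = 1000): array
{
    // Tighten the limits for this call only, then restore the previous values.
    $oldBacktrack = ini_set('pcre.backtrack_limit', (string)$backtrackLimit);
    $oldRecursion = ini_set('pcre.recursion_limit', (string)$recursionLimit);
    try {
        $matches = [];
        // @ suppresses the warning for an invalid pattern; the result is checked below.
        $result = @preg_match($pattern, $subject, $matches);
        $error = preg_last_error();
    } finally {
        if ($oldBacktrack !== false) { ini_set('pcre.backtrack_limit', $oldBacktrack); }
        if ($oldRecursion !== false) { ini_set('pcre.recursion_limit', $oldRecursion); }
    }
    if ($result === false) {
        // Fail closed: a limit hit or a bad pattern is an error, not "no match".
        return ['ok' => false,
                'reason' => PCRE_LIMIT_ERRORS[$error] ?? "PCRE error $error"];
    }
    return ['ok' => true, 'matched' => $result === 1, 'matches' => $matches];
}

// Constructed inputs: a nested-quantifier pattern and a subject that cannot match.
$pathological = '/^(a+)+$/';
$subject = str_repeat('a', 40) . '!';

var_dump(boundedPregMatch($pathological, $subject)); // pathological case
var_dump(boundedPregMatch('/^a+$/', 'aaaa'));        // ordinary case
```

The same two directives can be set server-wide in php.ini instead of per call; checking for a `false` return from `preg_match()` is what keeps a limit hit from being mistaken for a non-matching result.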