[Rack] Syntax highlighting for the NB wiki

Benny Baumann BenBE1987 at gmx.net
Thu Nov 25 08:40:38 UTC 2010


Hi Andy,

On Wednesday, 24.11.2010, 16:42 -0800, Andy Isaacson wrote:
> On Tue, Nov 23, 2010 at 11:52:59PM -0800, Benny Baumann wrote:
> > it would be nice for people on the NB wiki to be able to highlight
> > source code in their documentation of their projects. There are several
> > possibilities to do this with one of the most common ones being the
> > SyntaxHighlight_GeSHi extension for MediaWiki which uses GeSHi as the
> > backend highlighting library.
> > 
> > GeSHi itself supports about 180 different languages including C, C++,
> > Java, Perl, PHP, Python, HTML, Whitespace, Brainfuck, Erlang, F#, C#,
> > and many many more.
> > 
> > The plugin is in active use by several big pages including the
> > Wikipedia and other Wikimedia projects as well as many content
> > management systems like Joomla and Typo3. Other software known to
> > include GeSHi or supporting its use is WordPress, phpBB2&3 and many
> > pastebins you see on the web.
> 
> I looked into this when it was first suggested.
> 
> We're currently on Mediawiki 1.15; that apparently limits us to a
> backrev version of GeSHi.
All GeSHi releases since 1.0.7.14 onward are compatible API-wise, so
just drop in the newest one from the newer GeSHi releases or the SVN
trunk/release branch (stable version which is labelled 1.0.X).

>   ... really, we should get up to the most
> recent stable Mediawiki, but I'll go ahead and do GeSHi anyways.  I'm a
> little concerned that the old version may miss security patches and/or
> features, but we need to upgrade MW anyways, so it's probably not worth
> worrying about too much.
In regards to GeSHi: No. No new features since 1.0.8.4 IIRC in regards
to the API. So you're missing nothing.
> 
> > GeSHi itself is very secure: There have only been 3 CVEs in 5 years,
> 
> Uh, apparently you and I have different definitions of "very secure".
> 
> -andy
There is software with more bugs and security flaws in it on the server
than GeSHi and the guy at Wikimedia reviewing the code said he couldn't
find flaws at all ;-)

The CVEs I was referring to were:
- One issue with local/remote file inclusion which was in a function
that was never called with user-controllable data (and has been fixed by
me knowing no application uses this function in any way it can become
dangerous).
- One infinite loop that got in there by accident (which was while the
parser was restructured between 1.0.7.20 and 1.0.8.1).
- An XSS from the early days which was in one of the really early
versions. Since then the parser has been rewritten at least two times
from scratch.

The infinite loop CVE was my fault when I missed one testcase in one
release; all the others came from the original author, thus they are
history now, since there's not much of the original code left.

Furthermore the point that even many major sites use it in setups with
high security standards (and not only Joe Average's webserver waiting to
be hacked) indicates there is at least some security in there.

And by the way: Being able to give an exact number of CVEs without
having to look up that number clearly speaks for its security. BTW: The
last CVE got created 4 months AFTER 2 releases with the bugfix for the
respective bugs was out. Debian took another 2 months to do the bugfix.
For more details on the Debian issue you might want to read in my blog
(english):
- http://blog.benny-baumann.de/?p=22
- http://blog.benny-baumann.de/?p=42

Regarding MediaWiki Updating: 1.15 is kinda "recent"; the last Mediawiki
I updated was 1.4 ... The SyntaxHighlighting_GeSHi extension should work
there even without updating it. Just make sure to grab the more recent
files for GeSHi from the GeSHi release as mentioned above.

Regards,
BenBE.