Page MenuHomePhabricator
Create Task
Maniphest T106762

Security review for firebase/php-jwt
Closed, ResolvedPublic1 Estimated Story Points
Actions

Description

Parent tasks requires a jwt library.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add firebase/php-jwt for ContentTranslationmediawiki/vendormaster+1 K -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Nikerabbit created this task.Jul 23 2015, 11:12 PM
Nikerabbit claimed this task.
Nikerabbit raised the priority of this task from to High.
Nikerabbit updated the task description. (Show Details)
Nikerabbit added projects: MediaWiki-Vendor, LE-CX6-Sprint 1, ContentTranslation-Release6, Patch-For-Review, ContentTranslation.
Nikerabbit added subscribers: gerritbot, csteipp, Arrbee and 4 others.
Amire80 set Security to None.Jul 27 2015, 4:21 PM
Amire80 edited a custom field.
csteipp added projects: deprecated-security-team-reviews, Security-Team.Jul 28 2015, 12:25 AM
csteipp moved this task from Incoming to Ready on the Security-Team board.
Amire80 moved this task from Needs Triage to CX6 on the ContentTranslation board.Jul 28 2015, 6:19 PM
csteipp closed this task as Resolved.Jul 28 2015, 8:52 PM

We're already using an earlier version of php-jwt in Ex:OAuth. I just reviewed the latest version (fa8a06e96526eb7c0eeaa47e4f39be59d21f16e1 on github), and it looks fine as well, although disappointing it still doesn't support EC signatures.

In production, you shouldn't set JWT::$leeway to more than a few seconds, if at all.

Arrbee moved this task from Backlog to Done on the LE-CX6-Sprint 1 board.Jul 29 2015, 7:03 AM
Amire80 moved this task from Backlog to Tech Debt on the ContentTranslation-Release6 board.Aug 2 2015, 6:37 AM
gerritbot added a comment.Aug 17 2015, 7:46 AM

Change 226616 had a related patch set uploaded (by Nikerabbit):
Add firebase/php-jwt for ContentTranslation

https://gerrit.wikimedia.org/r/226616

gerritbot added a comment.Aug 17 2015, 6:50 PM

Change 226616 merged by jenkins-bot:
Add firebase/php-jwt for ContentTranslation

https://gerrit.wikimedia.org/r/226616

Nikerabbit mentioned this in rMWVDad1427661afb: Add firebase/php-jwt for ContentTranslation.Aug 17 2015, 7:08 PM
Arrbee added a project: Essential-Work.Sep 7 2015, 11:40 AM
GWicke mentioned this in T111264: Decouple chronology protector from authentication .Sep 29 2015, 12:17 AM
csteipp moved this task from Ready to Our Part Is Done on the Security-Team board.Oct 13 2015, 11:56 PM
sbassett moved this task from Incoming to Done on the deprecated-security-team-reviews board.Apr 24 2019, 6:36 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits