Page MenuHomePhabricator
Create Task
Maniphest T126481

Security review of Extension:Lockdown
Closed, DeclinedPublic
Actions

Description

  • Review the extension for code safety
  • Review features for effectiveness with core permissions

Related Objects
Search...

StatusSubtypeAssignedTask
 DeclinedNoneT95954 Deploy Extension:Lockdown to the cluster and enable on OTRS Wiki
 DeclinedNoneT299546 Install Lockdown in zhwiki
DeclinedNoneT126481 Security review of Extension:Lockdown

Event Timeline

csteipp created this task.Feb 10 2016, 5:52 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added a project: deprecated-security-team-reviews.
csteipp added a subscriber: csteipp.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptFeb 10 2016, 5:52 PM
csteipp moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.Apr 5 2016, 11:56 PM
Bawolff changed the task status from Open to Stalled.Jun 21 2016, 3:50 PM
Bawolff added a subscriber: Bawolff.

marking stalled, pending how discussion goes on T95954 since we might not want to install this extension after all.

Krenair added a subscriber: Krenair.Jun 21 2016, 3:56 PM
dpatrick moved this task from Scheduled to Incoming on the deprecated-security-team-reviews board.Jun 29 2016, 5:33 PM
MarcoAurelio added a subscriber: MarcoAurelio.Jan 19 2017, 12:17 PM
Bawolff closed this task as Declined.Jun 27 2017, 2:28 PM

No response on the other bug. Marking declined. Please feel free to reopen when/if this needs a security review for deployment

Overall, I would prefer to have wikis be either all private or all public. If we need partial readability, I would prefer simple solutions like whitelists. MediaWiki is a complex application that overall is not designed for fine grained access controls, so having fine grained access controls implemented in extensions increases the risk of information disclosure significantly.

sbassett moved this task from Incoming to Done on the deprecated-security-team-reviews board.Apr 24 2019, 6:10 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:13 PM
Bugreporter reopened this task as Open.Jan 19 2022, 5:10 PM
Bugreporter added a parent task: T299546: Install Lockdown in zhwiki .
Stang added a subscriber: Stang.Jan 19 2022, 8:32 PM
Aklapper closed this task as Declined.Jan 19 2022, 10:15 PM
Stang removed a subscriber: Stang.Feb 12 2022, 4:50 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL