Security review for FileExporter extension
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Addshore
	Feb 21 2017, 3:42 PM

Description

Project Information

Name of tool/project: FileExporter Extension
Project home page: https://www.mediawiki.org/wiki/Extension:FileExporter
Name of team requesting review: WMDE-TechWish (Wikimedia Deutschland)
Primary contact: @Addshore @WMDE-Fisch @Tobi_WMDE_SW @Bmueller @Lea_WMDE
Target date for deployment: Before Q4 2017
Link to code repository / patchset: https://gerrit.wikimedia.org/r/#/admin/projects/mediawiki/extensions/FileExporter
Programming Language(s) Used: PHP

Description of the tool/project

A simple extension to provide a link on File pages which will redirect the user to page provided by the FileImporter extension on Wikimedia Commons.

Description of how the tool will be used at WMF

If will be installed on all wikis (except for commons).

Dependencies

This also depends on the development of the FileImporter extension

Has this project been reviewed before?

Only review inside the WMDE-TechWish team.

Working test environment

None setup on labs, but the extension is easy to install (see instructions on mw.org)
After enabling the extension, navigate to a file page and see the new link in the top bar

Post-deployment

WMDE-TechWish

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
Add basic README file	mediawiki/extensions/FileExporter	master	+4 -0
TAB indents in .json files	mediawiki/extensions/FileExporter	master	+35 -35
Add COPYING file	mediawiki/extensions/FileExporter	master	+347 -0

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Resolved	None	T140462 Correctly move files from Wikipedia to Commons (2013)
Resolved	None	T190716 Deploying FileExporter and FileImporter
Resolved	Addshore	T181383 Deploy FileImporter & FileExporter to beta sites
Resolved	Reedy	T160982 Security review for FileImporter extension
Duplicate	None	T179643 FileImporter import file URL entry field example url should include file extension
Resolved	None	T179645 FileImporter, importing https://commons.wikimedia.org/wiki/File:30th_Street_at_5th_Avenue_-_Stra%C3%9Fe_in_New_York.jpg fails
Resolved	Anomie	T184445 Broken image URL in API response when an image is missing from a file revision
Resolved	Andrew-WMDE	T179647 FileImporter, Make limit of importable number revisions (file/file page) into a $wg
Open	None	T179646 FileImporter, Better duplicate handling when a file exists locally, Allowing re import / addition of missing revisions
Resolved	Reedy	T158661 Security review for FileExporter extension
Resolved	Tobi_WMDE_SW	T158072 Create extension manual for FileExporter and FileImporter

Event Timeline

Addshore created this task.Feb 21 2017, 3:42 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 21 2017, 3:42 PM

Addshore moved this task from Proposed to Watching/Blocked/External on the WMDE-TechWish board.Feb 21 2017, 3:43 PM

Addshore moved this task from Unsorted 💣 to Watching 👀 on the User-Addshore board.

• dpatrick mentioned this in E506: Security review for Extension:FileExporter.Feb 22 2017, 7:41 PM

• dpatrick moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.

btw, https://www.mediawiki.org/wiki/Extension:FileExporter is a 404. Did you mean to link to somewhere else?

Addshore added a subtask: T158072: Create extension manual for FileExporter and FileImporter.Feb 26 2017, 12:02 PM

Code is fine security wise. Literally nothing to it.

Minor non security issues:

i18n/en.json should be tab indented
extension.json should be tab indented
Readme.md is empty, should at least have a basic description (possibly after T158072 ?)
Add COPYING or similar licence file to root

Change 341537 had a related patch set uploaded (by addshore):
[mediawiki/extensions/FileExporter] Add COPYING file

https://gerrit.wikimedia.org/r/341537

Change 341538 had a related patch set uploaded (by addshore):
[mediawiki/extensions/FileExporter] TAB indents in .json files

https://gerrit.wikimedia.org/r/341538

Reedy moved this task from Scheduled to Waiting on the deprecated-security-team-reviews board.Mar 7 2017, 2:46 PM

Change 341537 merged by jenkins-bot:
[mediawiki/extensions/FileExporter] Add COPYING file

https://gerrit.wikimedia.org/r/341537

Change 341539 had a related patch set uploaded (by addshore):
[mediawiki/extensions/FileExporter] Add basic README file

https://gerrit.wikimedia.org/r/341539

Patches uploaded for the comments from the review.

Change 341538 merged by jenkins-bot:
[mediawiki/extensions/FileExporter] TAB indents in .json files

https://gerrit.wikimedia.org/r/341538

Reedy closed this task as Resolved.Mar 7 2017, 2:50 PM

Reedy claimed this task.

Change 341539 merged by jenkins-bot:
[mediawiki/extensions/FileExporter] Add basic README file

https://gerrit.wikimedia.org/r/341539

Addshore moved this task from Watching/Blocked/External to Done on the WMDE-TechWish board.Mar 7 2017, 2:56 PM

I should note...

We had an extension like this for the WikimediaShopLink, and we eventually just swapped it for a hook in CommonSettings and messages in WikimediaMessages

https://github.com/wikimedia/mediawiki-extensions-WikimediaShopLink/commit/a8cfbfce9eee3fef6c1bec3635d0e5e2e415745a

It's possible the functionality of this might expand slightly over the coming year, hence the extension.
Permission checks & other possible checks with the FileImporter extension.

Addshore moved this task from Done to Demoed on the WMDE-TechWish board.Mar 9 2017, 9:40 AM

Tobi_WMDE_SW closed subtask T158072: Create extension manual for FileExporter and FileImporter as Resolved.Mar 10 2017, 2:24 PM

Addshore moved this task from Watching 👀 to Closing ✔️ on the User-Addshore board.Mar 20 2017, 12:00 PM

Tobi_WMDE_SW removed a project: WMDE-TechWish.Jun 7 2017, 12:00 PM

Addshore added a parent task: T181383: Deploy FileImporter & FileExporter to beta sites.Nov 27 2017, 11:23 AM

• Lea_WMDE mentioned this in T190716: Deploying FileExporter and FileImporter.Mar 26 2018, 7:19 PM

• Lea_WMDE added a parent task: T190716: Deploying FileExporter and FileImporter.

sbassett moved this task from Waiting to Done on the deprecated-security-team-reviews board.Jul 9 2019, 8:22 PM

• chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:12 PM

• chasemp added a project: Application Security Reviews.Jan 8 2020, 4:38 PM

• chasemp moved this task from Incoming to Our Part Is Done on the Application Security Reviews board.Jan 8 2020, 4:43 PM

• chasemp added a project: secscrum.Mar 10 2020, 8:11 PM