Investigate security concerns on enabling OAuth or BotPasswords for stewardwiki
Closed, ResolvedPublic
Actions

Description

According to this discussion and configuration at rOMWC, OAuth and BotPasswords are not enabled for private wikis. Please assess the security issues on allowing those to work on stewardwiki (or other private wikis as well). Thank you.

Related Objects
Search...

		Status	Subtype	Assigned	Task
		Resolved		Urbanecm	T258356 Allow users at all private/fishbowl wikis to use botpasswords
		Resolved		Bawolff	T159519 Investigate security concerns on enabling OAuth or BotPasswords for stewardwiki

Event Timeline

MarcoAurelio created this task.Mar 3 2017, 10:02 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 3 2017, 10:02 AM

Adding @Tgr as the person which I've been talking about this.

I believe the only reason BotPasswords aren't enabled on private wikis is that each non-SUL wiki needs the bot_passwords database table created before it can be enabled.

OAuth is probably a similar situation. There it would need the relevant database tables created and also CommonSettings.php would need updating since it currently assumes every wiki with OAuth enabled is SUL (except for labswiki and labstestwiki, which are hardcoded as exceptions).

MarcoAurelio added projects: Security-Team, Security-Extensions.Mar 5 2017, 11:10 PM

Thanks @Anomie for your reply. I was told that indeed either the OAuth or BotPasswords table needs to be created on those wikis for the feature to work. Given that stewardwiki requires a high level of security, I'd go with OAuth, but I'd like to hear from the Security-Team first (ping @Bawolff and @dpatrick) for any blockers they might think about this. Regards.

@MarcoAurelio, the Security team concurs with @Anomie. The main reason is not related to security concerns. We're okay with OAuth and BotPasswords on these wikis.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 21 2017, 8:25 PM

• dpatrick moved this task from Backlog / Other to Other WMF team on the acl*security board.Mar 21 2017, 8:25 PM

Bawolff triaged this task as Medium priority.Mar 21 2017, 8:25 PM

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".

• Dsfjdsfj raised the priority of this task from Medium to Unbreak Now!.Apr 13 2017, 3:57 PM

• Dsfjdsfj moved this task from Other WMF team to External (Non-WMF) Issues on the acl*security board.

• Dsfjdsfj updated the task description. (Show Details)

Restricted Application added subscribers: Jay8g, TerraCodes. · View Herald TranscriptApr 13 2017, 3:58 PM

Reedy updated the task description. (Show Details)Apr 13 2017, 4:01 PM

Restricted Application removed a subscriber: TerraCodes. · View Herald TranscriptApr 13 2017, 4:01 PM

Reedy lowered the priority of this task from Unbreak Now! to Medium.Apr 13 2017, 4:02 PM

Hi, I'm going to mark this resolved, as the security concern question was answered. If you want to have bot_passwords or oAuth enabled on any particular wiki its not currently available on, please file whatever-the-modern-name for a shell-request bug is, with community consensus if applicable.

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:32 PM

• chasemp added a project: Security.Feb 10 2020, 10:58 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM

Reedy mentioned this in T246489: enable bot passwords on otrswiki.Jun 9 2020, 6:22 PM

Urbanecm mentioned this in T258356: Allow users at all private/fishbowl wikis to use botpasswords.Jul 19 2020, 6:21 PM

Urbanecm added a parent task: T258356: Allow users at all private/fishbowl wikis to use botpasswords.

Aklapper removed subscribers: • dpatrick, Anomie.Oct 16 2020, 5:42 PM