Security review for WikibaseMediaInfo extension
Closed, Resolved · Public

Description

Please do a security review of the WikibaseMediaInfo extension. It is needed for providing structured data to Wikimedia Commons in the future. It holds the new entity type (next to items and properties) that is going to handle structured data for multimedia files.

Project Information

Description of the tool/project

The MediaInfo extension provides the new entity type (next to the existing ones: item and property) that is going to handle structured data for multimedia files.

Description of how the tool will be used at WMF

It will be used to improve the storage and editing of metadata about files on Commons like "who took this picture", "which license is it under" and more.

Dependencies

Libraries also used by Wikibase. See https://phabricator.wikimedia.org/diffusion/EWBI/browse/master/composer.json

Has this project been reviewed before?

Team-internal code review was done. No security review was done so far.

Working test environment

https://www.mediawiki.org/wiki/Extension:WikibaseMediaInfo for installation instructions
http://structured-commons.wmflabs.org/wiki/MediaInfo:M13 for a test system

Post-deployment

Wikidata team with primary contact Lydia Pintscher

Event Timeline

Restricted Application added a project: Wikidata. · Mar 6 2017, 2:44 PM
Restricted Application added a subscriber: Aklapper.
Aklapper renamed this task from Security reveiw for WikibaseMediaInfo extension to Security review for WikibaseMediaInfo extension. · Mar 6 2017, 9:05 PM

@Lydia_Pintscher, can you update the description of this ticket with the information requested at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_reviews#Requesting_a_review? Thanks!

thiemowmde triaged this task as Normal priority. · Mar 26 2017, 2:00 PM

Sorry I wasn't aware of the template. Fixing it now.

Bawolff closed this task as Resolved.
Bawolff claimed this task.
Bawolff added a subscriber: Bawolff.

Sorry for the delay in reviewing this one.

Security review passed. There's not much to say. Most of the interface work is done by Wikibase, so there's not very much attack surface in this extension. Two minor comments unrelated to security that I have:

  • It doesn't matter, but it is kind of odd there is a special page alias file when there are no special pages.
  • The discussion tab on a MediaInfo page leads to the media info id number in the main namespace. This seems wrong. I would expect either there be no discussion tab in the media info view, or the media info namespace be similar to the annotations extension where it appears as if it's attached to the file namespace and the talk tab goes back to the File_talk namespace.

Thanks a lot for the review!