Security review for WikibaseMediaInfo extension
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Lydia_Pintscher
	Mar 6 2017, 2:44 PM

Description

Please do a security of the WikibaseMediaInfo extension. It is needed for providing structured data to Wikimedia Commons in the future. It holds the new entity type (next to items and properties) that is going to handle structured data for multimedia files.

Project Information

Name of tool/project: WikibaseMediaInfo
Project home page: https://www.mediawiki.org/wiki/Extension:WikibaseMediaInfo
Name of team requesting review: Wikidata
Primary contact: Lydia Pintscher
Target date for deployment: end of Summer 2017 for test system and end of 2017 for production system
Link to code repository / patchset: https://gerrit.wikimedia.org/r/p/mediawiki/extensions/WikibaseMediaInfo
Programming Language(s) Used: PHP and some JS

Description of the tool/project

The MediaInfo extension provides the new entity type (next to the existing ones: item and property) that is going to handle structured data for multimedia files.

Description of how the tool will be used at WMF

It will be used to improve the storage and editing of meta data about files on Commons like "who took this picture", "which license is it under" and more.

Dependencies

libraries also used by Wikibase. See https://phabricator.wikimedia.org/diffusion/EWBI/browse/master/composer.json

Has this project been reviewed before?

Team-internal code review was done. No security review was done so far.

Working test environment

https://www.mediawiki.org/wiki/Extension:WikibaseMediaInfo for installation instructions
http://structured-commons.wmflabs.org/wiki/MediaInfo:M13 for a test system

Post-deployment

Wikidata team with primary contact Lydia Pintscher

Related Objects
Search...

View Standalone Graph

This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.

Status	Assigned	Task
		· · ·
Resolved	Jdforrester-WMF	T159708 Deploy WikibaseMediaInfo extension to production
Resolved	Bawolff	T159709 Security review for WikibaseMediaInfo extension
Resolved	WMDE-leszek	T159710 Write basic documentation for WikibaseMediaInfo extension
Resolved	WMDE-leszek	T159239 Ensure all expected functionality of the baseline version of WikibaseMediaInfo extension works correctly
		· · ·

Event Timeline

Lydia_Pintscher created this task.Mar 6 2017, 2:44 PM

Restricted Application added a project: Wikidata. · View Herald TranscriptMar 6 2017, 2:44 PM

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Lydia_Pintscher added a parent task: T159708: Deploy WikibaseMediaInfo extension to production.Mar 6 2017, 2:45 PM

Lydia_Pintscher created subtask T159710: Write basic documentation for WikibaseMediaInfo extension.

Lydia_Pintscher added a subtask: T159239: Ensure all expected functionality of the baseline version of WikibaseMediaInfo extension works correctly.Mar 6 2017, 2:48 PM

Aklapper renamed this task from Security reveiw for WikibaseMediaInfo extension to Security review for WikibaseMediaInfo extension.Mar 6 2017, 9:05 PM

Ricordisamoa subscribed.Mar 8 2017, 10:58 AM

@Lydia_Pintscher, can you update the description of this ticket with the information requested at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_reviews#Requesting_a_review? Thanks!

thiemowmde triaged this task as Medium priority.Mar 26 2017, 2:00 PM

@Lydia_Pintscher Ping.

Sorry I wasn't aware of the template. Fixing it now.

Lydia_Pintscher updated the task description. (Show Details)Mar 30 2017, 12:11 PM

• dpatrick mentioned this in E553: Security review for WikibaseMediaInfo extension.Apr 5 2017, 6:45 PM

• dpatrick moved this task from Incoming to Scheduled on the deprecated-security-team-reviews board.

Lydia_Pintscher updated the task description. (Show Details)Apr 10 2017, 1:04 PM

WMDE-leszek closed subtask T159710: Write basic documentation for WikibaseMediaInfo extension as Resolved.Apr 18 2017, 3:50 PM

WMDE-leszek closed subtask T159239: Ensure all expected functionality of the baseline version of WikibaseMediaInfo extension works correctly as Resolved.Apr 19 2017, 9:08 AM

Sorry for the delay in reviewing this one.

Security review passed. There's not much to say. Most of the interface work is done by Wikibase, so there's not very much attack surface in this extension. Two minor comments unrelated to security that I have:

It doesn't matter, but it is kind of odd there is a special page alias file when there's no special pages.
The discussion tab on a MediaInfo page leads the the media info id number in the main namespace. This seems wrong. I would expect either there be no discussion tab in the media info view, or the media info namespace be similar to the annotations extension where it appears as if its attached to the file namespace and the talk tab goes back to the File_talk namespace.