Page MenuHomePhabricator

Upstream patches to disable new deletion methods in XHGui 0.9
Closed, ResolvedPublic

Description

Following from T212468, XHGui 0.9 adds two new deletion methods that use the "GET" verb (that is, following or clicking a link) without confirmation or authorization requirements.

I've disabled these during the upgrade with a local hot-fix, but I'm working with upstream to either make these configurable or to make them use POST with a confirmation page.

Then, we can update our server configuration to catch these similar to how we catch the POST routes for the "Watch functions" feature, which we limit to wmf/nda currently. (source config, config params).


=> Upstream: https://github.com/perftools/xhgui/issues/248

Event Timeline

Krinkle created this task.Jan 8 2019, 8:27 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 8 2019, 8:27 PM
Krinkle added a project: Upstream.EditedJan 8 2019, 8:28 PM
Krinkle updated the task description. (Show Details)
Krinkle moved this task from Backlog to Patch proposed upstream on the Upstream board.

Looks like upstream (https://github.com/perftools/xhgui/issues/248) is fine with using POST for these.

So that means after that's landed on their site but before we pull down the updates into our mirror (operations/software/xhgui.git), we should update the Apache config to block the runs/delete and runs/delete_all routes.

Change 483048 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/puppet@production] xhgui: Disable deletion features

https://gerrit.wikimedia.org/r/483048

Krinkle triaged this task as Normal priority.Jan 9 2019, 5:19 AM

Change 483048 merged by Herron:
[operations/puppet@production] xhgui: Disable deletion features

https://gerrit.wikimedia.org/r/483048

Change 483608 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/puppet@production] xhgui: Fix typo for run/delete* in LocationMatch

https://gerrit.wikimedia.org/r/483608

Change 483608 merged by Herron:
[operations/puppet@production] xhgui: Fix typo for in LocationMatch and double-slash

https://gerrit.wikimedia.org/r/483608

Mentioned in SAL (#wikimedia-operations) [2019-01-10T23:45:09Z] <Krinkle> upgraded xhgui to upstream 2965240c91e52 (current upstream master) - T213218

Mentioned in SAL (#wikimedia-operations) [2019-01-10T23:45:47Z] <Krinkle> krinkle@tunsten: upgrade xhgui to include upstream f039fb9f99f - T213218

Krinkle closed this task as Resolved.Jan 14 2019, 8:29 PM
Krinkle removed a project: Patch-For-Review.
Krinkle moved this task from Patch proposed upstream to Patch merged upstream on the Upstream board.