Page MenuHomePhabricator
Create Task
Maniphest T213218

Upstream patches to disable new deletion methods in XHGui 0.9
Closed, ResolvedPublic
Actions

Description

Following from T212468, XHGui 0.9 adds two new deletion methods that use the "GET" verb (that is, following or clicking a link) without confirmation or authorization requirements.

I've disabled these during the upgrade with a local hot-fix, but I'm working with upstream to either make these configurable or to make them use POST with a confirmation page.

Then, we can update our server configuration to catch these similar to how we catch the POST routes for the "Watch functions" feature, which we limit to wmf/nda currently. (source config, config params).

=> Upstream: https://github.com/perftools/xhgui/issues/248

Details

SubjectRepoBranchLines +/-
xhgui: Fix typo for in LocationMatch and double-slashoperations/puppetproduction+3 -3
xhgui: Disable deletion featuresoperations/puppetproduction+18 -0
Customize query in gerrit

Related Objects

Event Timeline

Krinkle created this task.Jan 8 2019, 8:27 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 8 2019, 8:27 PM
Krinkle added a project: Upstream.EditedJan 8 2019, 8:28 PM
Krinkle updated the task description. (Show Details)
Krinkle moved this task from Backlog to Patch proposed upstream on the Upstream board.

Looks like upstream (https://github.com/perftools/xhgui/issues/248) is fine with using POST for these.

So that means after that's landed on their site but before we pull down the updates into our mirror (operations/software/xhgui.git), we should update the Apache config to block the runs/delete and runs/delete_all routes.

gerritbot subscribed.Jan 9 2019, 12:58 AM

Change 483048 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/puppet@production] xhgui: Disable deletion features

https://gerrit.wikimedia.org/r/483048

gerritbot added a project: Patch-For-Review.Jan 9 2019, 12:58 AM
Krinkle triaged this task as Medium priority.Jan 9 2019, 5:19 AM
gerritbot added a comment.Jan 10 2019, 9:50 PM

Change 483048 merged by Herron:
[operations/puppet@production] xhgui: Disable deletion features

https://gerrit.wikimedia.org/r/483048

gerritbot added a comment.Jan 10 2019, 10:02 PM

Change 483608 had a related patch set uploaded (by Krinkle; owner: Krinkle):
[operations/puppet@production] xhgui: Fix typo for run/delete* in LocationMatch

https://gerrit.wikimedia.org/r/483608

gerritbot added a comment.Jan 10 2019, 10:11 PM

Change 483608 merged by Herron:
[operations/puppet@production] xhgui: Fix typo for in LocationMatch and double-slash

https://gerrit.wikimedia.org/r/483608

Stashbot subscribed.Jan 10 2019, 11:45 PM

Mentioned in SAL (#wikimedia-operations) [2019-01-10T23:45:09Z] <Krinkle> upgraded xhgui to upstream 2965240c91e52 (current upstream master) - T213218

Stashbot added a comment.Jan 10 2019, 11:45 PM

Mentioned in SAL (#wikimedia-operations) [2019-01-10T23:45:47Z] <Krinkle> krinkle@tunsten: upgrade xhgui to include upstream f039fb9f99f - T213218

Krinkle closed this task as Resolved.Jan 14 2019, 8:29 PM
Krinkle removed a project: Patch-For-Review.
Krinkle moved this task from Patch proposed upstream to Patch merged upstream on the Upstream board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits