Page MenuHomePhabricator
Create Task
Maniphest T222089

Allow URL shortening for wikimediafoundation.org domain
Open, Stalled, Needs TriagePublic
Actions

Description

I am not sure why this was not among the white listed domains.

Related Objects

Event Timeline

Ammarpad created this task.Apr 29 2019, 5:11 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 29 2019, 5:11 PM
Reedy added a project: Wikimedia-Site-requests.Apr 29 2019, 6:30 PM
Reedy subscribed.

I am not sure why this was not among the white listed domains.

Probably because it's not a wiki

Ladsgroup added a project: wikimediafoundation.org.Apr 30 2019, 4:25 AM
Ladsgroup subscribed.

It's actually a little bit more complex. wikimediafoundation.org is not in WMF infrastructure and doesn't go through our varnish/LVS/other bits (don't get me started). It also used to load outside modules T201022: Third party resources loaded by wikimediafoundation.org so it's a little bit scary to allow this as the website might have reflective XSS vulnerabilities and abuses can got hidden through URL shortener. I leave the decision to CPT and Secuirty though.

Legoktm subscribed.Apr 30 2019, 4:29 AM

If someone is reasonably confident/has audited wikimediafoundation.org to make sure there are no open redirects it should be fine to add.

Varnent subscribed.EditedApr 30 2019, 5:37 AM
In T222089#5145745, @Ladsgroup wrote:

It's actually a little bit more complex. wikimediafoundation.org is not in WMF infrastructure and doesn't go through our varnish/LVS/other bits (don't get me started). It also used to load outside modules T201022: Third party resources loaded by wikimediafoundation.org so it's a little bit scary to allow this as the website might have reflective XSS vulnerabilities and abuses can got hidden through URL shortener. I leave the decision to CPT and Secuirty though.

@Ladsgroup: Which outside modules are you referring to? As noted in the ticket you linked to, the ones previously identified have been disabled since August 2018.

I defer to Security and CPT on adding URL shortener to this domain, but want to make sure we are discussing it accurately. Are there additional external modules you are concerned about which are not discussed in T201022: Third party resources loaded by wikimediafoundation.org?

Ladsgroup added a comment.Apr 30 2019, 9:19 AM
In T222089#5145857, @Varnent wrote:
In T222089#5145745, @Ladsgroup wrote:

@Ladsgroup: Which outside modules are you referring to? As noted in the ticket you linked to, the ones previously identified have been disabled since August 2018.

Hey, I used past tense ("used to load"). Still reflective XSS can be a problem in javascript of the website but there are tools to scan for such vulnerabilities. (Security team knows better, does this website passed security review?)

Framawiki subscribed.May 11 2019, 5:24 PM

So if security review of this website is a blocker, has such review already done?

Esanders subscribed.May 30 2019, 10:53 PM

Could wmflabs.org also be considered in this request?

Krenair subscribed.May 30 2019, 10:57 PM

wmflabs.org should probably be a whole separate ticket.

Varnent moved this task from Incoming to Radar on the wikimediafoundation.org board.Jul 2 2019, 7:30 AM
Legoktm added a comment.Jul 23 2019, 8:45 PM
In T222089#5174196, @Framawiki wrote:

So if security review of this website is a blocker, has such review already done?

Not that I'm aware of. Specifically, someone needs to verify there are no open redirects. Also no dangerous URLs that perform actions upon GET requests (e.g. T220923).

Legoktm changed the task status from Open to Stalled.Aug 1 2019, 7:13 AM

Marking as stalled pending confirmation from someone(?) that someone has reviewed wikimediafoundation.org for:

  • reflective XSS
  • open redirects
  • dangerous URLs that perform actions upon GET requests
Husky subscribed.Aug 29 2019, 7:16 AM
In T222089#5225239, @Krenair wrote:

wmflabs.org should probably be a whole separate ticket.

I've added T231518 as a ticket specifically for wmflabs.org.

sbassett subscribed.Sep 25 2019, 4:27 PM
dbarratt awarded a token.Jan 5 2020, 1:17 AM
Varnent added a comment.Feb 26 2020, 8:51 PM
In T222089#5383470, @Legoktm wrote:

Marking as stalled pending confirmation from someone(?) that someone has reviewed wikimediafoundation.org for:

  • reflective XSS
  • open redirects
  • dangerous URLs that perform actions upon GET requests

How can we go about getting this review done for the site?

Ladsgroup added a comment.Feb 26 2020, 9:54 PM
In T222089#5921580, @Varnent wrote:
In T222089#5383470, @Legoktm wrote:

Marking as stalled pending confirmation from someone(?) that someone has reviewed wikimediafoundation.org for:

  • reflective XSS
  • open redirects
  • dangerous URLs that perform actions upon GET requests

How can we go about getting this review done for the site?

I guess someone from Security-Team ?

sbassett added a comment.Feb 27 2020, 3:59 PM
In T222089#5921580, @Varnent wrote:

How can we go about getting this review done for the site?

In T222089#5921792, @Ladsgroup wrote:

I guess someone from Security-Team ?

Correct! @Varnent - You'd want to start out with the new Security-Team services request form. There is some basic, pre-populated information in the description field where you can describe what @Legoktm discusses in T222089#5383470. This will get the request into our queue so we can evaluate options with you and schedule any resultant work. Thanks.

Varnent added a comment.Feb 27 2020, 10:13 PM
In T222089#5923717, @sbassett wrote:
In T222089#5921580, @Varnent wrote:

How can we go about getting this review done for the site?

In T222089#5921792, @Ladsgroup wrote:

I guess someone from Security-Team ?

Correct! @Varnent - You'd want to start out with the new Security-Team services request form. There is some basic, pre-populated information in the description field where you can describe what @Legoktm discusses in T222089#5383470. This will get the request into our queue so we can evaluate options with you and schedule any resultant work. Thanks.

Awesome! Will do - thank you!

Reedy mentioned this in T249416: Allow URL shortening for qrpedia.org domain.Apr 4 2020, 2:04 PM
Legoktm mentioned this in T254427: Specific blog post not accessible from wikimediafoundation.org, redirects to third-party medium.com.Jun 4 2020, 9:01 AM
Legoktm mentioned this in T270792: Add Wikispecies and Wikimediafoundation to UrlShortener.Dec 23 2020, 8:50 PM
Aklapper added a comment.Aug 16 2022, 8:48 PM
In T222089#5924948, @Varnent wrote:

Awesome! Will do - thank you!

@Varnent: Has this happened? If so, could you provide a task ID? Thanks.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL