Page MenuHomePhabricator
Create Task
Maniphest T239940

Security review of OAuth 2.0 patches
Closed, ResolvedPublic
Actions

Description

The patches resulting from T229501 and its subtasks could benefit from a security review before merge.

Related Objects
Search...

Event Timeline

CCicalese_WMF created this task.Dec 5 2019, 6:24 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 5 2019, 6:24 PM
CCicalese_WMF triaged this task as Medium priority.Dec 5 2019, 6:24 PM
CCicalese_WMF added parent tasks: T229501: Add OAuth 2.0 support to MediaWiki for use by web-based clients, T229505: Admin adds new client, T229506: Admin removes client, T229508: User requests login using OAuth 2.0, T229511: Admin whitelists client, T232634: Manage OAuth 2.0 grants for a user.
Jcross subscribed.Dec 9 2019, 4:28 PM

Hi @CCicalese_WMF - can you please let us know if this is the only patch set you'd like us to look at? https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/OAuth/+/550847/

Cheers,

Jennifer

CCicalese_WMF added a comment.Dec 9 2019, 10:58 PM

The patches that need review are:

Thanks!

Anomie subscribed.Dec 11 2019, 3:36 PM
CCicalese_WMF added a comment.Dec 11 2019, 3:39 PM

@Jcross, do you have an estimate of when this will be able to be scheduled and how long it might take? @Anomie has already reviewed the patches as well, so we're hoping this will not need to be an intensive or time consuming review.

Jcross added a comment.Dec 13 2019, 5:05 PM

Hi @CCicalese_WMF - apologies, I'm out of the office. Do you have a date you're aiming for? Let me know and we'll try and get someone on it fairly quickly.

CCicalese_WMF added a comment.Dec 13 2019, 5:36 PM

We were hoping to have the patches merged by the end of the calendar year, but I do understand that is a very short turnaround at this point. And, of course, if issues are found that need remediation, that will not be possible. Our assumption has been that, since this is an incremental change to an existing reviewed extension, this should not be a very time-consuming review. But, please let me know if your assessment is different.

sbassett assigned this task to Reedy.Dec 16 2019, 4:23 PM
sbassett moved this task from Incoming to In Progress on the deprecated-security-team-reviews board.
chasemp added a project: Application Security Reviews.Jan 7 2020, 3:38 PM
chasemp moved this task from Incoming to In Progress on the Application Security Reviews board.Jan 7 2020, 3:44 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 7 2020, 3:46 PM
Reedy closed this task as Resolved.Jan 13 2020, 4:19 PM

Sorted. Patches shepherded and merged!

Jcross moved this task from In Progress to Our Part Is Done on the Application Security Reviews board.Jan 15 2020, 4:21 PM
CCicalese_WMF removed a parent task: T229511: Admin whitelists client.Jan 17 2020, 8:49 PM
chasemp added a project: secscrum.Mar 10 2020, 8:11 PM
chasemp moved this task from Incoming to Our Part Is Done on the secscrum board.Mar 10 2020, 8:19 PM
Reedy mentioned this in T257930: Security Readiness Review For OAuthRateLimiter.Aug 7 2020, 5:07 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL