
Security Readiness Review for one skin and five plugins to be used in Tech Blog based on WordPress
Closed, ResolvedPublicSecurity

Description

Event Timeline

Reedy triaged this task as Medium priority.Jan 22 2020, 5:13 PM
chasemp removed a project: Security-Team.
chasemp moved this task from Incoming to In Progress on the Application Security Reviews board.
chasemp subscribed.

Application Security Reviews have their own workflow, so we aren't double tagging with Security-Team for now.

This task has been resourced, but reviewing by the planned deployment date (month) cannot be guaranteed as we are out for All Hands next week, leaving less than 30 days. We will do our best to meet the requested timeline and will be in contact as work progresses.

Does this task itself need to be private?

Does this task itself need to be private?

I myself do not think so, but others I talked to were not sure, hence my action. If Sec Team sees no issues it would be great to make this task public.

sbassett added subscribers: Reedy, sbassett.

Assigning to @chasemp for a quick review of our intake process to make sure our various Phab forms are set up correctly :)

@Aklapper @Legoktm - I think the Security-Team is fine with Application Security Reviews and Security Preview requests being public with the discretion to protect if certain vulnerabilities are found during a review within production/live code and possibly even within certain public gerrit/github/etc repos.

The form at https://phabricator.wikimedia.org/maniphest/task/edit/form/79/ sets things to be viewable for all users and has an indicator at the top so that folks filing requests know that upfront. In concert with @sbassett's notes above, I think things are cool. I believe this task itself was filed as a security issue task type, which security readiness reviews are not.

(small edit: concept reviews are private when filing due to the nature of the requests.)

chasemp removed a project: acl*security.
chasemp changed the visibility from "Custom Policy" to "All Users".
chasemp changed the edit policy from "Custom Policy" to "All Users".
Aklapper changed the visibility from "All Users" to "Public (No Login Required)".Feb 3 2020, 6:38 PM

This seems fine to go ahead. I've documented this on officewiki (along with other WordPress-based sites), to keep track of what's going on across them. Looking into WordPress things is hard, as looking into CVE lists for WordPress finds a lot of results...

https://wordpress.org/plugins/gutenberg/ (@srodlund is not sure if this is available for our installation -- it has to do with the WP Editor redesign)

When we know about this, updating the document on officewiki would be appreciated :)

Gutenberg is available as part of the default https://github.com/automattic/vip-go-mu-plugins bundle on wpvip. We enabled it with this config change -- https://github.com/wpcomvip/wikimedia-techblog/commit/d3e509a77ad045749e10853b7e87e3e3cfc04a61. I will update the table at [[officewiki:WordPress]] to reflect this.