
Wikidata Lexeme Forms tool configuration was public
Closed, Resolved (Public)

Description

I just noticed that the configuration file of my Wikidata Lexeme Forms tool on Toolforge was world-readable.

lucaswerkmeister@tools-sgebastion-07:~$ ls -l ~tools.lexeme-forms/www/python/src/config.yaml
-rw-r--r-- 1 tools.lexeme-forms tools.lexeme-forms 161 Apr 25  2020 /data/project/lexeme-forms/www/python/src/config.yaml

I’ve fixed this now, but I should replace the OAuth consumer as well, since any Toolforge user could’ve stolen the credentials in the past year or so.

Event Timeline

Mentioned in SAL (#wikimedia-cloud) [2021-07-11T13:36:44Z] <wm-bot> <lucaswerkmeister> chmod go-rwx www/python/src/config.yaml # T286414

New OAuth consumer has been requested and configured; I’ll restart the tool (to pick up the new configuration file) once it’s been approved.

OAuth admins: please approve that consumer, and then disable the 1.1 and 1.2 consumers. Pinging @Tgr who was kind enough to approve the last consumers (since I figure the request will be easier to understand if you have the context of this task right away).

Mentioned in SAL (#wikimedia-cloud) [2021-07-11T17:03:55Z] <wm-bot> <lucaswerkmeister> restarted webservice to pick up 1.3 version of OAuth consumer (T286414)

Alright, @bd808 approved the new consumer and I restarted the tool – seems to work as far as I can tell. (Task remains open since the old consumers are still enabled.)

Alright, the old OAuth consumers are gone. I think we can close this. Thanks @bd808!

Mentioned in SAL (#wikimedia-cloud) [2021-07-18T18:18:39Z] <wm-bot> <lucaswerkmeister> deployed fa64f7e021 (refuse to load non-user-readable config file, guard against recurrence of T286414)
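A guard of the kind the deploy above describes, written here as an added example and not the tool's own code (commit fa64f7e021 is not reproduced): it opens the config file, checks the mode of the opened descriptor with fstat() so the file inspected is the file read, and refuses to use it when any group or other permission bit is set, pointing at the same `chmod go-rwx` fix. The file name, the config keys, and `parse_simple_yaml` (a stand-in for `yaml.safe_load` so the example runs without PyYAML) are assumptions; the demo file is constructed in a temporary directory.

```python
import os
import stat
import tempfile
from typing import Callable, Dict

# Hypothetical guard (not the Lexeme Forms tool's code): refuse to load a
# configuration file that anyone besides its owner can read or write.

OTHERS_BITS = stat.S_IRWXG | stat.S_IRWXO  # every group/other permission bit


class InsecureConfigError(RuntimeError):
    """Raised when the config file is accessible to group or other."""


def exposed_bits(mode: int) -> int:
    """Return the group/other permission bits set in `mode` (0 when private)."""
    return stat.S_IMODE(mode) & OTHERS_BITS


def read_private_file(path: str) -> str:
    """Return the text of `path`, but only if the file is private to its owner.

    The mode is taken from fstat() on the open descriptor rather than stat() on
    the path, so a rename between the check and the read cannot swap the file.
    """
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise InsecureConfigError(f"{path}: not a regular file")
        bad = exposed_bits(st.st_mode)
        if bad:
            raise InsecureConfigError(
                f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants "
                f"group/other access ({bad:04o}); run: chmod go-rwx {path}"
            )
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "r", encoding="utf-8") as fh:
        return fh.read()


def parse_simple_yaml(text: str) -> Dict[str, str]:
    """Minimal 'key: value' parser, a stand-in for yaml.safe_load in this example."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unparseable config line: {line!r}")
        out[key.strip()] = value.strip().strip("'\"")
    return out


def load_config(path: str,
                parse: Callable[[str], Dict[str, str]] = parse_simple_yaml) -> Dict[str, str]:
    """Load and parse the config, failing closed if the file is not private."""
    return parse(read_private_file(path))


def demo() -> dict:
    """Constructed scenario: a config.yaml created 0644 (world-readable, as in
    the task), then fixed with the equivalent of `chmod go-rwx`."""
    sample = ("# constructed sample, not real credentials\n"
              "OAUTH_CONSUMER_KEY: example-key\n"
              "OAUTH_CONSUMER_SECRET: example-secret\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.yaml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        result: dict = {}
        try:
            load_config(path)
            result["refused_when_world_readable"] = False
        except InsecureConfigError:
            result["refused_when_world_readable"] = True
        # The fix from the task: strip every group/other bit (chmod go-rwx).
        os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) & ~OTHERS_BITS)
        result["mode_after_fix"] = stat.S_IMODE(os.stat(path).st_mode)
        result["config"] = load_config(path)
        return result


if __name__ == "__main__":
    print(demo())
```

Failing closed at startup is what makes the guard useful: a tool that logs a warning and carries on would keep serving with an exposed secret, whereas one that refuses to start is noticed the next time the webservice is restarted. A stricter variant could also require `st.st_uid == os.geteuid()` so the tool rejects a config file it does not own.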

Did I actually need to request a new consumer? It’s now been pointed out to me that there is a checkbox to “Reset the secret key to a new value” in the page to update the consumer – would that have been enough?