Page MenuHomePhabricator
Create Task
Maniphest T318622

Bodh Toolforge OAuth consumer was world-readable
Closed, ResolvedPublic
Actions

Description

The bodh tool (documentation, source)’s config.py file, containing OAuth credentials of two consumers (production and local), was world-readable, so that anyone on Toolforge could read the consumer secret and hijack the consumer. I’ve made the file non-world-readable now, but the consumer should still be revoked and a new one be requested instead.

Event Timeline

LucasWerkmeister created this task.Sep 26 2022, 7:57 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 26 2022, 7:57 PM
Stashbot added a comment.Sep 26 2022, 7:57 PM

Mentioned in SAL (#wikimedia-cloud) [2022-09-26T19:57:39Z] <wm-bot> <root> made config.py non-world-readable (T318622)

LucasWerkmeister added a project: Tool-bodh.Sep 26 2022, 8:00 PM
bd808 subscribed.Sep 26 2022, 8:13 PM

I have disabled both grants:

RhinosF1 subscribed.Sep 26 2022, 8:13 PM
bd808 added a subscriber: Jay-A2K.Sep 26 2022, 8:15 PM
Ijon subscribed.Sep 30 2022, 9:57 AM
TheresNoTime removed a subscriber: RhinosF1.Dec 15 2022, 11:35 PM
Pppery subscribed.Nov 27 2024, 12:08 AM

Anything left to do here?

Restricted Application added a project: cloud-services-team. · View Herald TranscriptNov 27 2024, 12:08 AM
sbassett closed this task as Resolved.Nov 27 2024, 3:08 PM
sbassett assigned this task to bd808.
sbassett triaged this task as Medium priority.
Restricted Application added a project: User-bd808. · View Herald TranscriptNov 27 2024, 3:08 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits