Page MenuHomePhabricator
Create Task
Maniphest T326915

Prepare VipsScaler extension for IP Masking
Closed, ResolvedPublic
Actions

Description

A preliminary investigation (T326759) has found that the VipsScaler extension may be affected by IP Masking

Related Objects
Search...

Event Timeline

Tchanders created this task.Jan 13 2023, 10:12 AM
TheDJ subscribed.EditedFeb 21 2023, 12:46 PM
  1. I assume this has something to do with a permissions check. In that case, this extension has a Special page, which is not in use currently on wikimedia as far as I can tell (it was purpose build to test extension), which seems to me the only place that this is exposed to.
  2. Is this extension even in use anywhere within Wikimedia after thumbor was introduced ? If not, we should probably decommission it, if it is, we should limit where it is deployed I think. (This seems to be T291014)
TAdeleye_WMF edited projects, added: Trust and Safety Product Team; removed: Anti-Harassment-Team.May 14 2024, 4:16 PM
Tchanders edited projects, added: Temporary accounts (Update unowned extensions); removed: Temporary accounts.Jun 11 2024, 5:10 PM
kostajh subscribed.Aug 26 2024, 5:01 PM
In T326915#8632305, @TheDJ wrote:
  1. I assume this has something to do with a permissions check. In that case, this extension has a Special page, which is not in use currently on wikimedia as far as I can tell (it was purpose build to test extension), which seems to me the only place that this is exposed to.
  2. Is this extension even in use anywhere within Wikimedia after thumbor was introduced ? If not, we should probably decommission it, if it is, we should limit where it is deployed I think. (This seems to be T291014)

It does seem to be used, as far as I can see https://gerrit.wikimedia.org/g/operations/mediawiki-config/+/635d96f93c21d7efcfce782ef5478594be2eadba/wmf-config/InitialiseSettings.php#7426

'wmgUseVips' => [
	'default' => true,
	'group0' => false,
	'wikitech' => false,
	'lockeddown' => false,
],
TheDJ added a comment.EditedAug 27 2024, 10:01 AM
In T326915#10093158, @kostajh wrote:
In T326915#8632305, @TheDJ wrote:
  1. I assume this has something to do with a permissions check. In that case, this extension has a Special page, which is not in use currently on wikimedia as far as I can tell (it was purpose build to test extension), which seems to me the only place that this is exposed to.
  2. Is this extension even in use anywhere within Wikimedia after thumbor was introduced ? If not, we should probably decommission it, if it is, we should limit where it is deployed I think. (This seems to be T291014)

It does seem to be used, as far as I can see https://gerrit.wikimedia.org/g/operations/mediawiki-config/+/635d96f93c21d7efcfce782ef5478594be2eadba/wmf-config/InitialiseSettings.php#7426

That is only because undeploying it is a challenge T290759

A_smart_kitten subscribed.Mar 5 2025, 11:06 AM

Came across this task while going through the revision history of Developers/Maintainers -- just noting that this task is currently under the "Update unowned extensions" column of Temporary accounts, but VipsScaler was added to Developers/Maintainers in October 2024 with the information that MediaWiki-Engineering/Content-Transform-Team stewards this extension.

Dreamy_Jazz edited projects, added: Content-Transform-Team, Temporary accounts; removed: Temporary accounts (Update unowned extensions).Mar 5 2025, 11:07 AM
Dreamy_Jazz moved this task from Inbox to Needs Other Teams on the Temporary accounts board.
Dreamy_Jazz added a parent task: T326874: Update Content Transform Team-owned products that may be affected by IP Masking.Mar 5 2025, 11:09 AM
Dreamy_Jazz mentioned this in T326874: Update Content Transform Team-owned products that may be affected by IP Masking.
Dreamy_Jazz subscribed.Mar 5 2025, 11:13 AM
In T326915#10604576, @A_smart_kitten wrote:

Came across this task while going through the revision history of Developers/Maintainers -- just noting that this task is currently under the "Update unowned extensions" column of Temporary accounts, but VipsScaler was added to Developers/Maintainers in October 2024 with the information that MediaWiki-Engineering/Content-Transform-Team stewards this extension.

Thanks for the information! I've tagged this task with that team for their attention.

SLopes-WMF added subscribers: MSantos, SLopes-WMF.Mar 13 2025, 2:12 PM

@MSantos can you check, please?

MSantos edited projects, added: Content-Transform-Team (Work In Progress); removed: Content-Transform-Team.Apr 14 2025, 12:01 PM
MSantos added a project: Essential-Work.
MSantos moved this task from Backlog to Q4 FY25-26 on the Content-Transform-Team (Work In Progress) board.Apr 14 2025, 12:16 PM
cscott subscribed.May 22 2025, 5:55 PM

I believe the current plan is to try to undeploy T290759: Undeploy VipsScaler from Wikimedia wikis because /in theory/ some other changes in core have made it easier to do this?
See
https://wikis.world/@anticomposite/114489679162565721

kostajh added a comment.May 23 2025, 9:20 AM
In T326915#10849812, @cscott wrote:

I believe the current plan is to try to undeploy T290759: Undeploy VipsScaler from Wikimedia wikis because /in theory/ some other changes in core have made it easier to do this?
See
https://wikis.world/@anticomposite/114489679162565721

Undeploying sounds fine to me.

ABreault-WMF closed this task as Resolved.EditedJun 26 2025, 2:26 PM
ABreault-WMF claimed this task.
ABreault-WMF subscribed.

The special page was disabled in,
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/VipsScaler/+/722385

and, in any case, calls SpecialPage->userCanExecute which seems like it would be prepared for IP masking.

Looking at the methods in T326759, the only thing I see is,

includes/SpecialVipsTest.php:use Wikimedia\IPUtils;
includes/SpecialVipsTest.php:                   $bits = IPUtils::splitHostAndPort( $vipsThumbnailerHost );
includes/SpecialVipsTest.php:                   $proxy = IPUtils::combineHostAndPort( $host, $port );

which seems fine using $vipsThumbnailerHost.

As of T290759#10948723, VipsScaler is undeployed though.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits