Application Security Review Request : MultiTitle
Closed, Resolved; Public

Description

Project Information

───────────────────────────────────────────────────────────────────────────────
Language            Files       Lines    Blanks  Comments       Code Complexity
───────────────────────────────────────────────────────────────────────────────
JSON                    5          89         0         0         89          0
PHP                     4         125        23        13         89          4
License                 1         339        58         0        281          0
Markdown                1           5         2         0          3          0
XML                     1           7         0         0          7          0
───────────────────────────────────────────────────────────────────────────────
Total                  12         565        83        13        469          4
───────────────────────────────────────────────────────────────────────────────
Estimated Cost to Develop (organic) $12,199
Estimated Schedule Effort (organic) 2.58 months
Estimated People Required (organic) 0.42
───────────────────────────────────────────────────────────────────────────────
Processed 24299 bytes, 0.024 megabytes (SI)
───────────────────────────────────────────────────────────────────────────────

Description of the tool/project:
MW extension to display as if multiple titles are the same page

Description of how the tool will be used at WMF:
Deployed on tok.wikipedia.org

Dependencies
None beyond MediaWiki core

Has this project been reviewed before?
No

Working test environment
https://www.mediawiki.org/wiki/Extension:MultiTitle#Installation

Post-deployment
@cscott of Content Transform team

Details

Risk Rating
Low

Event Timeline

sbassett changed the task status from Open to In Progress. Jan 5 2026, 5:55 PM
sbassett claimed this task.
sbassett triaged this task as Medium priority.
sbassett moved this task from Upcoming Quarter Planning Queue to In Progress on the secscrum board.
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett added a project: user-sbassett.

Hey @Tbodt, @cscott - We're planning to review this extension this quarter. Is what's currently on master the entire extension? Basically just the new includes/Hooks.php file?

Security Review Summary - T411649 - 2026-01-08
Last commit reviewed: f452a4a299f

Summary

Overall, the MultiTitle extension appears to be in great shape with an overall risk rating of: low.

Outdated Packages
Risk: low.
As reported via composer outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

Package                           Current Wanted Description
mediawiki/phan-taint-check-plugin 7.0.0   8.0.0  A Phan plugin to do security checking
netresearch/jsonmapper            4.5.0   5.0.0  Map nested JSON structures onto PHP classes
phan/phan                         5.5.1   5.5.2  A static analyzer for PHP
phpcsstandards/phpcsextra         1.4.0   1.5.0  A collection of sniffs and standards for use with PHP_CodeSniffer.
phpcsstandards/phpcsutils         1.1.1   1.2.2  A suite of utility functions for use with PHP_CodeSniffer
phpdocumentor/reflection-docblock 5.6.6   6.0.0  With this component, a library can provide support for annotations via DocBlocks...
phpdocumentor/type-resolver       1.12.0  2.0.0  A PSR-5 based resolver of Class names, Types and Structural Element Names
sabre/event                       5.1.7   6.0.1  sabre/event is a library for lightweight event-based programming
squizlabs/php_codesniffer         3.13.2  4.0.1  PHP_CodeSniffer tokenizes PHP, JavaScript and CSS files and detects violations o...

General code health score
Risk: low.

  1. The Wikimedia code health check tool returned a weighted risk score of low.
+-----------+----------+----------+------+---------------+---------------+--------------+-------------+------------+--------------+-----------+---------------+
| Vuln Pkgs | Pkg Mgmt | Test Cov | SAST | Non-auto Cmts | Uniq Contribs | Contrib Conc | Lang Guides | Staff Supp | Task Backlog | Code Stew | Weighted Risk |
+===========+==========+==========+======+===============+===============+==============+=============+============+==============+===========+===============+
|         0 |        4 |        7 |    0 |            10 |            10 |            7 |           0 |         10 |            0 |         0 |         34.40 |
+-----------+----------+----------+------+---------------+---------------+--------------+-------------+------------+--------------+-----------+---------------+
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
sbassett moved this task from Backlog to Done on the user-sbassett board.