Security review request for FundraisingChart extension. Depends on bug #65834
Version: master
Severity: normal
Status | Subtype | Assigned | Task
---|---|---|---
Invalid | None | | T67834 Review & deploy mediawiki/extensions/FundraisingChart
Invalid | | csteipp | T68805 Security review for mediawiki/extensions/FundraisingChart
Any update for this? Fundraising is hoping to use this extension for our fiscal year-end report, which will be published at the end of August. Thanks!
For some reason this was assigned to fr-tech and not Chris. That's probably a cause for delay :)
(In reply to Chris Steipp from comment #3)
> What domain is this going to be deployed on?
collab and meta
Hi Sherah,
It's a little difficult to do a thorough review because I keep hitting bugs with the version in gerrit, but there are a couple of design issues and some of the ways you're doing things I think are likely going to lead to security issues. Let me know if you want to schedule time to talk through these.
FundraisingChart.body.php
resources/js/fundraising_charts.js
modules/ext.fundraisingChart.datamaps/datamaps.world.js
I'm still working on d3. I think it should be fine, but I noticed the included version is very old. Is someone going to keep it updated in case there are security issues in the library?
(In reply to Chris Steipp from comment #5)
> I'm still working on d3. I think it should be fine, but I noticed the included version is very old. Is someone going to keep it updated in case there are security issues in the library?
D3 looks like it's pretty sane about how it does what it does. Should be fine to use.
This, and T67834, appear stalled. Is anything more needed/expected on this ticket? We will assume not if no response is given by August 18th, 2016.