Page MenuHomePhabricator
Create Task
Maniphest T77494

Security (self-)review of MediaViewer
Closed, ResolvedPublic
Actions

Description

Migrated from: https://wikimedia.mingle.thoughtworks.com/projects/multimedia/cards/580

We should do a minimal security review before moving on completely for MediaViewer - what are the possible attack vectors, are they mitigated, what's the information flow with other components.

See Chris' brownbag for inspiration:https://www.mediawiki.org/wiki/Security_for_developers/Architecture

Related Objects

Event Timeline

MingleTerminator raised the priority of this task from to Medium.Dec 8 2014, 5:49 PM
MingleTerminator added projects: Multimedia, MediaViewer.
Tgr mentioned this in T76046: Media Viewer Retrospective.Dec 11 2014, 4:08 AM
Krenair added a project: deprecated-security-team-reviews.Dec 14 2014, 12:32 AM
Krenair subscribed.
Tgr renamed this task from Security review to Security (self-)review of MediaViewer.Dec 14 2014, 6:53 AM
Tgr set Security to None.
MZMcBride subscribed.Feb 11 2015, 7:03 AM
Liuxinyu970226 subscribed.Mar 7 2015, 10:27 AM
Restricted Application added a subscriber: Matanya. · View Herald TranscriptAug 24 2015, 7:04 PM
Jdforrester-WMF moved this task from Untriaged to Backlog on the Multimedia board.Sep 4 2015, 6:29 PM
Jdforrester-WMF subscribed.Sep 21 2015, 3:41 PM

Mass-removing the Multimedia tag from MediaViewer tasks, as this is now being worked on by the Reading department, not Editing's Multimedia team.

Jdforrester-WMF removed a project: Multimedia.Sep 21 2015, 3:51 PM
csteipp closed this task as Resolved.Sep 21 2015, 5:18 PM
csteipp claimed this task.
csteipp subscribed.

Multimedia Viewer (as of mid-December 2014) was reviewed as part of the iSec audit last year.

If the (new) owners still want to do a self assessment, I'm happy to facilitate. Just reopen.

Krenair added a comment.Sep 21 2015, 5:20 PM

So was this extension not actually reviewed before deployment?

csteipp added a comment.Sep 21 2015, 5:38 PM
In T77494#1660001, @Krenair wrote:

So was this extension not actually reviewed before deployment?

I reviewed it in Oct 2013

Liuxinyu970226 unsubscribed.Sep 23 2015, 10:18 AM
sbassett moved this task from Incoming to Done on the deprecated-security-team-reviews board.Apr 24 2019, 6:34 PM
Restricted Application added a project: Multimedia. · View Herald TranscriptApr 24 2019, 6:34 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL