Page MenuHomePhabricator
Feed Advanced Search

Wed, Jul 17

sbassett added a comment to T123978: Bring back abuse_filter_history view.

Per conversations w/ @Daimona and @JFishback_WMF today, provided soft +1 with qualifiers on r498773.

Wed, Jul 17, 8:28 PM · Security-Team, Patch-For-Review, Data-Services
sbassett added a comment to T228247: +2 nomination for Daimona in mediawiki/*.

Strong support (for their work on phan-taint-check-plugin alone)

Wed, Jul 17, 1:28 PM · MediaWiki-Gerrit-Group-Requests

Tue, Jul 16

sbassett added a comment to T123978: Bring back abuse_filter_history view.

Yep, that's what the patch is already doing using LOCATE + SQL conditional.

Tue, Jul 16, 7:24 PM · Security-Team, Patch-For-Review, Data-Services
sbassett added a comment to T123978: Bring back abuse_filter_history view.

I'd definitely be fine with hiding the whole row if afh_flags contains 'hidden'

Tue, Jul 16, 7:12 PM · Security-Team, Patch-For-Review, Data-Services
sbassett updated subscribers of T123978: Bring back abuse_filter_history view.

@bd808 - there'd been some long-running (and kind of incomplete) work on this here, I believe: T103011, particularly T103011#3536648. And some more work here: T169097. Regarding r498773, specifically, it looks like @Bawolff had labeled that Safe to replicate but requires view-based redaction. I'll plan to book some time today or tomorrow with @JFishback_WMF to further review.

Tue, Jul 16, 6:47 PM · Security-Team, Patch-For-Review, Data-Services
sbassett added a comment to T227820: (informal) Security Concept Review For LibUp 2.0.

Will try to look at this soon and get some comments/questions up. Would also love for @Reedy to do the same if he has a minute, once he's back next week.

Tue, Jul 16, 5:35 PM · Restricted Project, LibUp, Security-Team-Reviews
sbassett added a project to T227820: (informal) Security Concept Review For LibUp 2.0: Restricted Project.
Tue, Jul 16, 5:34 PM · Restricted Project, LibUp, Security-Team-Reviews
sbassett moved T227820: (informal) Security Concept Review For LibUp 2.0 from Backlog to In Progress on the Security-Team-Reviews board.
Tue, Jul 16, 5:21 PM · Restricted Project, LibUp, Security-Team-Reviews
sbassett claimed T227820: (informal) Security Concept Review For LibUp 2.0.
Tue, Jul 16, 5:21 PM · Restricted Project, LibUp, Security-Team-Reviews

Mon, Jul 15

sbassett updated subscribers of T227454: Allow $wgSFSIPListLocation to be a url and have proxy support.

I assume we'd be interested in the All Site Data files here, namely the IPv4 and IPv6 Combined files. These have the following sizes:

Mon, Jul 15, 9:13 PM · MediaWiki-extensions-StopForumSpam
sbassett moved T219831: Security Review For Kask from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Mon, Jul 15, 4:40 PM · Restricted Project, Security-Team-Reviews, Services (watching), Core Platform Team Backlog (Watching / External), Core Platform Team (Session Management Service (CDP2)), User-Clarakosi, User-Eevans
sbassett moved T227221: Security review for `countCUstats.js` from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Mon, Jul 15, 4:40 PM · Restricted Project, User-revi, Stewards-and-global-tools, Security-Team-Reviews
sbassett moved T227221: Security review for `countCUstats.js` from Awaiting remediation to Archive on the Security-Team-Reviews board.
Mon, Jul 15, 4:39 PM · Restricted Project, User-revi, Stewards-and-global-tools, Security-Team-Reviews
sbassett closed T227221: Security review for `countCUstats.js` as Resolved.

Thanks, @MarcoAurelio (and everyone else). Resolving this for now.

Mon, Jul 15, 4:38 PM · Restricted Project, User-revi, Stewards-and-global-tools, Security-Team-Reviews
sbassett added a comment to T225872: not possible to set email when email blocked.

@DannyS712 - Sorry for the delay, I'd been working on another incident. And it potentially had some implications for this revert, so I wanted to think a bit more on it. For now, I think this is still fine to revert as long as we keep an eye on it. I've gone ahead and +2'd the patch.

Mon, Jul 15, 1:55 PM · MW-1.34-notes (1.34.0-wmf.14; 2019-07-16), Security, User-DannyS712, Anti-Harassment, MediaWiki-Email, MediaWiki-User-management

Fri, Jul 12

sbassett triaged T227454: Allow $wgSFSIPListLocation to be a url and have proxy support as Normal priority.
Fri, Jul 12, 10:24 PM · MediaWiki-extensions-StopForumSpam
sbassett added a comment to T227454: Allow $wgSFSIPListLocation to be a url and have proxy support.

Looks like it's just an fopen() call. Not sure if it'd be easier to leave $wgSFSIPListLocation as a local file and set up the cron to pick up whatever SFS files we'd like with something like:

export https_proxy=http://webproxy.eqiad.wmnet:8080
0 0 0 0 0 curl https://www.stopforumspam.com/downloads/listed_ip_365_ipv6.zip -o /path/to/local/file

Or if we need to pull down the daily SFS updates and merge those...

Fri, Jul 12, 10:24 PM · MediaWiki-extensions-StopForumSpam
sbassett added a comment to T227221: Security review for `countCUstats.js`.

@MarcoAurelio - weird, it looks like javascript thinks some instances of username and/or cuCount are objects as opposed to strings. Clearly getStatsTable() is expecting them to always be strings. Here's a fix for getStatsTable() I came up with, tested here. It type-checks a bit and then JSON.stringify()'s any unexpected data types.

function getStatsTable( entries ) {
	var html =
        '<table class="wikitable sortable">\n'
        + '<tr>'
        + '<th> Username </th>'
        + '<th> Count </th>'
        + '</tr>\n';
Fri, Jul 12, 2:46 PM · Restricted Project, User-revi, Stewards-and-global-tools, Security-Team-Reviews
sbassett triaged T227820: (informal) Security Concept Review For LibUp 2.0 as Normal priority.
Fri, Jul 12, 1:43 PM · Restricted Project, LibUp, Security-Team-Reviews
sbassett triaged T227726: Security review of preact 8.4.2 as Normal priority.
Fri, Jul 12, 1:43 PM · Readers-Web-Backlog (Tracking), Security-Team-Reviews

Wed, Jul 10

sbassett removed a project from T225554: Onboard Jennifer Cross to Security Team as Project Manager (May 24th): Restricted Project.
Wed, Jul 10, 9:11 PM · Security-Team
sbassett moved T225554: Onboard Jennifer Cross to Security Team as Project Manager (May 24th) from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Wed, Jul 10, 9:10 PM · Security-Team
sbassett moved T221477: Develop "security testing toolboxes" for manual security reviews, push to wikimedia/security/tooling repo from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Wed, Jul 10, 9:10 PM · Restricted Project, Security-Team
sbassett moved T221477: Develop "security testing toolboxes" for manual security reviews, push to wikimedia/security/tooling repo from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Wed, Jul 10, 9:10 PM · Restricted Project, Security-Team
sbassett moved T216419: Security review - Wikibase Termbox Front End from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Wed, Jul 10, 9:10 PM · Restricted Project, Security-Team-Reviews
sbassett moved T227221: Security review for `countCUstats.js` from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Wed, Jul 10, 9:10 PM · Restricted Project, User-revi, Stewards-and-global-tools, Security-Team-Reviews
sbassett moved T227221: Security review for `countCUstats.js` from In Progress to Awaiting remediation on the Security-Team-Reviews board.
Wed, Jul 10, 9:09 PM · Restricted Project, User-revi, Stewards-and-global-tools, Security-Team-Reviews
sbassett added a comment to T227221: Security review for `countCUstats.js`.

Ok, a quick review:

  1. In general, these kinds of user-scripts can become an especially ripe attack vector if they are 1) used by privileged users 2) are used by several users and loaded via one entry-point. The first case is certainly true, given the CU right required for queryCheckUserLog(). The second case isn't true so far as I'm only seeing one other user loading it, according to mwgrep. Still, something to be mindful of.
  2. getStewards() - fine, only pulling public data via the API.
  3. queryCheckUserLog() - fine, must have CU to view the CU log.
  4. appendToPage() - fine by itself, if text is trusted/sanitized. See next items below...
  5. getStatsTable() - even though we are pulling from a trusted source (mw API), it is a best practice to sanitize data at all sinks. Wrapping something like mw.html.escape() around entry.name and entry.count would be a good idea here.
  6. init() - again, even though we are pulling from a trusted source (mw API), it is a best practice to sanitize data at all sinks. Wrapping something like mw.html.escape() around username and data within the onError handler would be a good idea. totalCount, within the $.when.apply block, should be fine since it's locally-derived from numerical data and is also being passed to jquery.text().
Wed, Jul 10, 9:09 PM · Restricted Project, User-revi, Stewards-and-global-tools, Security-Team-Reviews
sbassett moved T226963: CentralNotice: Security review of banner preview feature from In Progress to Awaiting remediation on the Security-Team-Reviews board.
Wed, Jul 10, 8:37 PM · Security-Team-Reviews, MediaWiki-extensions-CentralNotice, Fundraising-Backlog
sbassett added a comment to T226963: CentralNotice: Security review of banner preview feature.

@DStrine @AndyRussG - ok, a few more comments with minor issues added to the other three patch sets from T226963#5321539 (r497611, r519959, r516459). And then a more serious concern here. There may be issues with my local testing, but I was getting some... unexpected results with BannerMessage::sanitize().

Wed, Jul 10, 8:31 PM · Security-Team-Reviews, MediaWiki-extensions-CentralNotice, Fundraising-Backlog
sbassett awarded T227697: Remove Brian Wolff from security@ alias in exim a Like token.
Wed, Jul 10, 6:25 PM · Security-Team, Operations
sbassett triaged T227697: Remove Brian Wolff from security@ alias in exim as Normal priority.
Wed, Jul 10, 6:04 PM · Security-Team, Operations
sbassett created T227697: Remove Brian Wolff from security@ alias in exim.
Wed, Jul 10, 6:04 PM · Security-Team, Operations
sbassett added a comment to T226963: CentralNotice: Security review of banner preview feature.

Update: Comment and +1 added to r519974. Still having a look at r497611, r519959 and r516459.

Wed, Jul 10, 4:51 PM · Security-Team-Reviews, MediaWiki-extensions-CentralNotice, Fundraising-Backlog
sbassett added a comment to T226963: CentralNotice: Security review of banner preview feature.

@DStrine @AndyRussG - I don't think anyone's been able to look at this as the Security-Team is currently very short-staffed with recent departures and leaves of absence. I'll try to review today and provide some feedback here.

Wed, Jul 10, 4:23 PM · Security-Team-Reviews, MediaWiki-extensions-CentralNotice, Fundraising-Backlog
sbassett removed a watcher for Security-Team: charlotteportero.
Wed, Jul 10, 4:00 PM
sbassett added a member for Security-Team: Dsharpe.
Wed, Jul 10, 3:59 PM
sbassett changed the status of T227483: #Security access for Urbanecm from Stalled to Open.

Approved by the Security-Team and @JBennett. I'd add them, but I don't have the privs for Security, so a Phab admin will need to as @Reedy and @chasemp are technically away on leave right now.

Wed, Jul 10, 3:35 PM · Security-Team
sbassett updated subscribers of T227629: Security Issue Access Request for colewhite.

Approved by the Security-Team and @JBennett. I'd add them, but I don't have the privs for Security, so a Phab admin will need to as @Reedy and @chasemp are technically away on leave right now.

Wed, Jul 10, 3:35 PM · Security
sbassett triaged T227629: Security Issue Access Request for colewhite as Normal priority.
Wed, Jul 10, 3:33 PM · Security

Tue, Jul 9

sbassett updated the task description for T225554: Onboard Jennifer Cross to Security Team as Project Manager (May 24th).
Tue, Jul 9, 9:07 PM · Security-Team
sbassett added a comment to T225554: Onboard Jennifer Cross to Security Team as Project Manager (May 24th).

Thanks, @Dzahn!

Tue, Jul 9, 9:06 PM · Security-Team
sbassett renamed T227209: [WIP] Security Review For Parsoid-PHP from {WIP] Security Review For Parsoid-PHP to [WIP] Security Review For Parsoid-PHP.
Tue, Jul 9, 8:59 PM · Parsoid-PHP, Security-Team-Reviews
sbassett added a project to T216419: Security review - Wikibase Termbox Front End: Restricted Project.
Tue, Jul 9, 8:59 PM · Restricted Project, Security-Team-Reviews
sbassett triaged T187846: Security Review of Office IT Internal Account Management Tool as Normal priority.
Tue, Jul 9, 8:56 PM · Security-Team-Reviews
sbassett lowered the priority of T149869: Security review for PageForms from Low to Lowest.
Tue, Jul 9, 8:56 PM · Security, MediaWiki-extensions-Page_Forms, Security-Team-Reviews
sbassett moved T114341: Security review for GPGMail from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:28 PM · Security-Team, MediaWiki-extensions-GPGMail, Security-Team-Reviews
sbassett moved T120922: Security review of the ORES extension from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:28 PM · Security-Team-Reviews, MediaWiki-extensions-ORES, Scoring-platform-team (Current)
sbassett moved T123558: Security review for TextCat library from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:28 PM · Security-Team, MediaWiki-Vendor, Discovery, Security-Team-Reviews
sbassett moved T130695: ACL configuration for url-downloader.wikimedia.org allowing upload.wikimedia.org from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:28 PM · Security-Team, Security-Team-Reviews, Operations, Wikimedia-Site-requests
sbassett moved T154695: Review 2FA login on iOS app from Frozen to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:28 PM · Wikipedia-iOS-App-Backlog, Security-Team-Reviews
sbassett moved T154695: Review 2FA login on iOS app from Scheduled to Frozen on the Security-Team-Reviews board.
Tue, Jul 9, 8:28 PM · Wikipedia-iOS-App-Backlog, Security-Team-Reviews
sbassett moved T157077: Security review of Extension:3d from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:28 PM · Multimedia, 3D, Security-Team-Reviews
sbassett moved T202143: Security review for Guzzle 6.3.3 from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:28 PM · User-Addshore, Security-Team-Reviews, MediaWiki-Vendor
sbassett moved T202295: Security review major redesign of the TwoColConflict extension from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:28 PM · Security-Team-Reviews, Two-Column-Edit-Conflict-Merge, WMDE-QWERTY-Team, TCB-Team
sbassett moved T200755: Security review for SecureLinkFixer extension from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:28 PM · MediaWiki-extensions-SecureLinkFixer, Security-Team-Reviews
sbassett moved T173014: Security review of pdfrw from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:28 PM · Reading-Infrastructure-Team-Backlog, Proton, Security-Team-Reviews, Readers-Web-Backlog (Tracking)
sbassett moved T148102: Security review of Quiz Extension from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:28 PM · MediaWiki-extensions-Quiz, Security-Team-Reviews
sbassett moved T62835: Enable cross-domain API requests in API's JSON responses from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:27 PM · MW-1.28-release-notes, MW-1.28-release (WMF-deploy-2016-07-12_(1.28.0-wmf.10)), Patch-For-Review, Security-Team, Security-Team-Reviews, Wikimedia-Site-requests
sbassett moved T129584: Security review of Romanian diacritics rendering reader assessment gadget from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:27 PM · I18n, Security-Other, Security-Team-Reviews
sbassett moved T129609: Security review for MediaWiki extension UploadsLink from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:27 PM · Security-Team, MediaWiki-extensions-UploadsLink, Security-Team-Reviews
sbassett moved T120220: Get security reviews for PageAssessment extension done from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:27 PM · WikiProject-tools, Security-Team-Reviews, Community-Tech
sbassett moved T116677: Security review of Cards extension and fix any bugs that come out of it from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:27 PM · Reading Web Sprint 61 - Cold Hard Cache, Security-Team-Reviews, MediaWiki-extensions-Cards
sbassett moved T1286: Aphlict security review from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:27 PM · Security-Team, Security-Team-Reviews, Phabricator
sbassett moved T112950: Security review for UrlShortener extension from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:27 PM · Security-Team, Security-Team-Reviews, MediaWiki-extensions-UrlShortener
sbassett moved T110662: QuickSurveys extension should pass security review from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:27 PM · Patch-For-Review, Reading-Web-Sprint-56-Four Lions, Security-Team, Security-Team-Reviews, QuickSurveys
sbassett moved T109384: Security review of apache/avro and nmred/kafka-php from Scheduled to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:27 PM · Security-Team, MediaWiki-Vendor, Security-Team-Reviews
sbassett moved T108702: Security review for tedivm/jshrink from Waiting/Blocked to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:27 PM · Security-Team, Security, Security-Team-Reviews, MediaWiki-Vendor
sbassett moved T98921: WikiHiero/Hierator security review from Waiting/Blocked to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:26 PM · Security-Team, WikiHiero, Security-Team-Reviews
sbassett moved T120133: security review of ramsey/uuid from Waiting/Blocked to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:26 PM · Analytics, Security-Team, Security-Team-Reviews, Services, EventBus, MediaWiki-Vendor
sbassett moved T119478: security review 15.wikipedia/annual2015 code review from Waiting/Blocked to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:26 PM · Annual-Report (Policy site), Security-Team, Security-Team-Reviews
sbassett moved T118268: Security Review of Article Placeholder from Waiting/Blocked to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:26 PM · Patch-For-Review, Security-Team-Reviews, ArticlePlaceholder, MediaWiki-extensions-WikibaseClient, Wikidata
sbassett moved T120212: Security review of EventBus extension from Waiting/Blocked to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:26 PM · Analytics, Security-Team, Security-Team-Reviews, EventBus, Services
sbassett moved T99358: [Task] Security review of Wikibase-Quality-External-Validation branch master from Waiting/Blocked to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:26 PM · Security-team-backlog, Wikibase-Quality, Wikidata, Security-Team-Reviews, Wikibase-Quality-External-Validation
sbassett moved T145966: Security review for Extension:DeleteBatch from Waiting/Blocked to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:26 PM · Security-Team-Reviews
sbassett moved T65808: Allow cross-site domain access from (tools) Labs via CORS from Waiting/Blocked to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:26 PM · Security-Team, Security-Team-Reviews, Wikidata, Wikimedia-Site-requests
sbassett moved T110072: Security Review of Revscoring from Waiting/Blocked to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:26 PM · Research, Scoring-platform-team (Current), Security-Team, Security-Team-Reviews
sbassett moved T98096: Security review of Citoid from Waiting/Blocked to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:25 PM · User-Ryasmeen, VisualEditor, Citoid, Security-Team-Reviews, Security-Team
sbassett moved T109023: Security review of the MobileApps service from Waiting/Blocked to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:25 PM · Reading-Infrastructure-Team-Backlog, Patch-For-Review, Security-Team, Security-Team-Reviews, Mobile-Content-Service, Services
sbassett moved T196075: Security review for the Wikidata primary sources tool MediaWiki extension from Waiting/Blocked to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:25 PM · Wikidata-primary-sources, Wikidata, Security-Team-Reviews
sbassett moved T175160: Identify the source of WHOIS data, the retrieval method, and update frequency from Waiting/Blocked to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:25 PM · Security-Team-Reviews
sbassett moved T132063: Security review of 3d2png from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:25 PM · Multimedia, Patch-For-Review, 3D, Security-Team-Reviews
sbassett moved T135784: Security review of Tool Labs console application from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:24 PM · Striker, Toolforge, Community-Tech-Tool-Labs, Cloud-Services, Security-Team-Reviews
sbassett moved T137197: Security review of the Performance Inspector from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:24 PM · Performance-Team, PerformanceInspector, Security-Team-Reviews
sbassett moved T141591: Security review of Html5Depurate and ParserMigration from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:24 PM · Security, Security-Team-Reviews
sbassett moved T149080: Security review for ElectronPdfService Extension from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:24 PM · User-Addshore, TCB-Team, Security-Team-Reviews
sbassett moved T142226: Productize the Electron PDF render service & create a REST API end point from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:24 PM · User-Joe, Security-Team-Reviews, Electron-PDFs, Services (blocked), User-mobrovac, Services-next, Operations
sbassett moved T135198: Security review for RevisionSlider extension from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:24 PM · TCB-Team-Sprint-2016-05-19, TCB-Team-Sprint-2016-06-02, Revision-Slider, Community-Tech, TCB-Team, Security-Team-Reviews
sbassett moved T148583: Security review for Linter extension from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:24 PM · MediaWiki-extensions-Linter, Security-Team-Reviews
sbassett moved T148133: Security review for Recommendation API from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:24 PM · Services (watching), User-mobrovac, Security-Team-Reviews, Recommendation-API
sbassett moved T149808: Security review for TwoColConflict extension from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:24 PM · Two-Column-Edit-Conflict-Merge, Patch-For-Review, User-Addshore, Security-Team-Reviews, TCB-Team
sbassett moved T149083: Security review for InterwikiSorting Extension from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:24 PM · MediaWiki-extensions-InterwikiSorting, User-Addshore, Wikidata, Security-Team-Reviews
sbassett moved T151902: Security Review of Popups extension library from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:24 PM · Page-Previews (2016-17-Q3-Goal), Readers-Web-Backlog, Security-Team-Reviews
sbassett moved T123594: Security review of the ImageTweaks extension ahead of production deployment from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:24 PM · Security-Team, ImageTweaks, Multimedia, Security-Team-Reviews
sbassett moved T115095: Security review of Newsletter extension from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:23 PM · Patch-For-Review, Security-Team, Wikimedia-Hackathon-2016, Security-Team-Reviews, MediaWiki-extensions-Newsletter
sbassett moved T140167: Security Review of LoginNotify extension from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:23 PM · Community-Tech, MediaWiki-extensions-LoginNotify, Security-Team-Reviews
sbassett moved T125382: Ensure DOMPurify meets our SVG sanitization requirements for Graphs from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:23 PM · Services (watching), Security-Team, User-mobrovac, Security-Team-Reviews, Graphoid
sbassett moved T146174: Security review of FileAnnotations from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:23 PM · Patch-For-Review, FileAnnotations (Beta Cluster Release), Security-Team-Reviews
sbassett moved T149082: Security review for Cognate Extension from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:23 PM · Patch-For-Review, User-Addshore, Wikidata, Cognate, Security-Team-Reviews
sbassett moved T151798: add subdomain for annual report 2016 from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Jul 9, 8:23 PM · Patch-For-Review, Security-Team-Reviews, Operations, Annual-Report