Thu, Apr 8

sbassett added a comment to T279108: Introduce a Front-end Build Step for MediaWiki Skins and Extensions.

If un-audited packages with large numbers of dependencies participate in the build process, it becomes hard to guarantee the security or stability of the final output.

Thu, Apr 8, 8:08 PM · Vue.js Migration, tech-decision-forum
sbassett added a project to T270767: Wg variables aren't validated by CommentBox - possible raw html insertion risk: Vuln-XSS.
Thu, Apr 8, 7:28 PM · Vuln-XSS, MediaWiki-extensions-Commentbox, User-RhinosF1
sbassett added a project to T272333: Disallow the edit if blocking the user didn't succeed: Vuln-MissingAuthz.
Thu, Apr 8, 7:27 PM · Vuln-MissingAuthz, AbuseFilter, Security, Security-Team
sbassett added a project to T272770: Error while usurping an account: Vuln-DoS.
Thu, Apr 8, 7:25 PM · Vuln-DoS, SecTeam-Processed, MW-1.36-notes (1.36.0-wmf.31; 2021-02-16), User-Urbanecm, Security-Team, Security, User-Ladsgroup, MediaWiki-extensions-CentralAuth, GlobalRename
sbassett added a project to T275669: Checkuser stores users to cu_log with trailing spaces, allowing all CUs to turn off Special:CheckuserLog at will: Vuln-DoS.
Thu, Apr 8, 7:24 PM · Vuln-DoS, MW-1.36-notes (1.36.0-wmf.33; 2021-03-02), User-Urbanecm, CheckUser, Security, Security-Team
sbassett closed T266513: Security Readiness Review For the MediaSearch extension as Resolved.
Thu, Apr 8, 4:54 PM · Patch-For-Review, user-sbassett, Security, secscrum, Security Readiness Reviews
sbassett moved T266513: Security Readiness Review For the MediaSearch extension from Waiting to Done on the user-sbassett board.
Thu, Apr 8, 4:54 PM · Patch-For-Review, user-sbassett, Security, secscrum, Security Readiness Reviews
sbassett closed T266513: Security Readiness Review For the MediaSearch extension, a subtask of T265939: Split MediaSearch out into its own extension, as Resolved.
Thu, Apr 8, 4:54 PM · Patch-For-Review, SDAW-MediaSearch (MediaSearch-ReleaseCandidate), Release-Engineering-Team (Deployment services), Wikimedia-extension-review-queue, Structured-Data-Backlog (Current Work)
sbassett awarded T279690: Enable risk rating field in Phabricator's task form a Like token.
Thu, Apr 8, 4:34 PM · Phabricator, Security-Team

Wed, Apr 7

sbassett added a comment to T264822: (MS 7) Security Readiness Review For Wikidata Query Builder.

@Lydia_Pintscher - We've tentatively scheduled this review for our 4th quarter, which began April 1st and will continue until June 30th, 2021. We should have this review completed by the end of this quarter at the latest. Please feel free to let us know if you have any additional questions or feel free to review our current security readiness reviews SOP.

Wed, Apr 7, 8:23 PM · secscrum, Security Readiness Reviews, Wikidata Query Builder, Wikidata, Security
sbassett added a comment to T266513: Security Readiness Review For the MediaSearch extension.

This all sounds good and thanks for the above summary! Looking at the related change sets, I see:

  1. https://gerrit.wikimedia.org/r/676638 (merged)
  2. https://gerrit.wikimedia.org/r/677030 (merged)
  3. https://gerrit.wikimedia.org/r/677039 (+2'd, should be merged soon)
  4. https://gerrit.wikimedia.org/r/677037 (active)
  5. https://gerrit.wikimedia.org/r/677289 (active)

Once the remaining active patches land, they should address all remaining issues surfaced within the review and reduce the overall risk rating to low. And I'll be happy to resolve this task at that point.

Wed, Apr 7, 6:34 PM · Patch-For-Review, user-sbassett, Security, secscrum, Security Readiness Reviews
sbassett added a comment to T279451: CVE-2021-30458: Parsoid comment fostering allows for inserting mostly arbitrary <meta> tags.

So, how do we want to (a) roll this out into production, (b) get this into the security release planned for release this week, and (c) get this into a parsoid/js security release?

@Reedy, @sbassett your input would be helpful here for (a) and (b) especially.

Wed, Apr 7, 5:43 PM · Vuln-XSS, Security-Team, Security, Parsoid
sbassett added a comment to T273020: Security Readiness Review For Toolhub.

@bd808 - sounds good, we'll await an update from your team. We'll also plan to keep this in our Q4 column for now, with the assumption that we'll complete the review towards the end of this quarter. If the project gets pushed back to Q1 or Q2, that shouldn't be a problem.

Wed, Apr 7, 3:01 PM · Toolhub, Security, secscrum, Security Readiness Reviews

Tue, Apr 6

sbassett changed the status of T273020: Security Readiness Review For Toolhub, a subtask of T271483: Prepare for production deployment, from Open to Stalled.
Tue, Apr 6, 9:01 PM · Epic, Toolhub
sbassett changed the status of T273020: Security Readiness Review For Toolhub from Open to Stalled.
Tue, Apr 6, 9:01 PM · Toolhub, Security, secscrum, Security Readiness Reviews
sbassett added a comment to T273020: Security Readiness Review For Toolhub.

Hey @bd808 - I know you had mentioned on IRC that your team was deciding on whether to pursue another round of new features for Toolhub this quarter or to just freeze the code for a bit. Were you closer to making a decision? The Security-Team tentatively has this review scheduled for this quarter (Q4 2021) but we can bump it out if you decide to pursue more features this quarter. Thanks.

Tue, Apr 6, 9:01 PM · Toolhub, Security, secscrum, Security Readiness Reviews
sbassett updated subscribers of T257734: Security Readiness Review For Vue version 3.

@Volker_E @Jdlrobson - as the ostensible current requesters of this review, is there anything on your or your teams' end blocking this review? The Security-Team would like to attempt to complete this review this quarter (Q4 2021), if possible. Also - this will not be a line-by-line code review of Vue3, but more of a vendor review focused upon higher-level security models and best practices.

Tue, Apr 6, 8:55 PM · secscrum, Security Readiness Reviews, Security, Vue.js
sbassett added a comment to T279451: CVE-2021-30458: Parsoid comment fostering allows for inserting mostly arbitrary <meta> tags.

Maybe worth hiding https://gerrit.wikimedia.org/r/c/mediawiki/services/parsoid/+/677297/1#message-b9eae79b4f5b009c0aea6c24a01df33204c41406 and arlo's followup comments? Or does it just draw more attention to this?

Tue, Apr 6, 8:40 PM · Vuln-XSS, Security-Team, Security, Parsoid
sbassett added a comment to T279449: Spurious MD5 errors ("SFS IP file contents and file md5 do not match!").

How is it possible though that stopforumspam.com is serving two different versions of that file, seemingly randomly? This is definitely not increasing my trust in them. Anyway…

Tue, Apr 6, 4:46 PM · Patch-For-Review, MediaWiki-extensions-StopForumSpam
sbassett added a comment to T279449: Spurious MD5 errors ("SFS IP file contents and file md5 do not match!").

I disabled the extension on Patchdemo on all existing wikis, and by default for newly created wikis (you can still enable it for testing if you want): https://github.com/MatmaRex/patchdemo/issues/284

Tue, Apr 6, 4:41 PM · Patch-For-Review, MediaWiki-extensions-StopForumSpam
sbassett moved T275751: Security review of backbone.js and underscore.js library updates from Back Orders to Q4: 2021 Planning Queue on the secscrum board.
Tue, Apr 6, 3:54 PM · Security-Team, Security Readiness Reviews, secscrum, PageCuration, Security Team AppSec, Growth-Team, Patch-For-Review, Security
sbassett moved T257734: Security Readiness Review For Vue version 3 from Q4: 2021 Planning Queue to Q4:2021 Review Queue on the secscrum board.
Tue, Apr 6, 3:47 PM · secscrum, Security Readiness Reviews, Security, Vue.js
sbassett moved T274875: Security Readiness Review For mapbox-gl-leaflet from Q4: 2021 Planning Queue to Q4:2021 Review Queue on the secscrum board.
Tue, Apr 6, 3:45 PM · secscrum, Security Readiness Reviews, Security, Product-Infrastructure-Team-Backlog
sbassett moved T274356: Security Readiness Review For maplibre-gl-js from Q4: 2021 Planning Queue to Q4:2021 Review Queue on the secscrum board.
Tue, Apr 6, 3:45 PM · Product-Infrastructure-Team-Backlog, secscrum, Security, Security Readiness Reviews
sbassett moved T273020: Security Readiness Review For Toolhub from Q4: 2021 Planning Queue to Q4:2021 Review Queue on the secscrum board.
Tue, Apr 6, 3:42 PM · Toolhub, Security, secscrum, Security Readiness Reviews
sbassett moved T264822: (MS 7) Security Readiness Review For Wikidata Query Builder from Q4: 2021 Planning Queue to Q4:2021 Review Queue on the secscrum board.
Tue, Apr 6, 3:42 PM · secscrum, Security Readiness Reviews, Wikidata Query Builder, Wikidata, Security
sbassett moved T269007: Security Readiness Review For Citoid VE Mobile ISBN Barcode Scanner from Our Part Is Done to Waiting on the secscrum board.
Tue, Apr 6, 3:29 PM · secscrum, Editing-team (FY2020-21 Kanban Board), Security, Security Readiness Reviews
sbassett moved T266510: Security Readiness Review For Diff Blog oAuth plugin from Our Part Is Done to Waiting on the secscrum board.
Tue, Apr 6, 3:29 PM · Diff-blog, secscrum, Security, Security Readiness Reviews
sbassett moved T269291: Security Readiness Review For Extension:NearbyPages from Q4:2021 Review Queue to Waiting on the secscrum board.
Tue, Apr 6, 3:27 PM · Security, Security Readiness Reviews, secscrum, NearbyPages

Mon, Apr 5

sbassett updated the task description for T278160: Updates to php-security-tools.
Mon, Apr 5, 9:26 PM · user-sbassett, Security-Team
sbassett updated the task description for T278160: Updates to php-security-tools.
Mon, Apr 5, 9:25 PM · user-sbassett, Security-Team
sbassett added a comment to T270453: CVE-2021-30153: ApiVisualEditor leaks info about hidden users.

Huh, the patch at T270453#6723168 didn't work for me? Anyhow, I made another one:


And re-deployed to wmf.37. Also tracking again at T276237.

Mon, Apr 5, 9:06 PM · Patch-For-Review, Security-Team, VisualEditor, Vuln-Infoleak, User-DannyS712, Security
sbassett added a comment to T270988: CVE-2021-30155: Titleblacklist didn't prevent creation of pages by Special:ChangeContentModel when a rule was met.

Re-deployed master patch to wmf.37. Tracking again at T276237.

Mon, Apr 5, 8:51 PM · Patch-For-Review, User-Majavah, User-DannyS712, MediaWiki-Page-editing, Security-Team, Security, TitleBlacklist
sbassett added a comment to T277336: Element (Matrix client) Bridge Encryption - security review request.

I can take them up on their offer to set up a test environment for us that we can access on their end if that would be useful for you. Would that be part of the vendor review that you mentioned? Thanks.

Mon, Apr 5, 4:12 PM · secscrum, Security Readiness Reviews, Security
sbassett added a project to T279120: Misc changes to index.php?action=raw for perf and error logging: SecTeam-Processed.
Mon, Apr 5, 3:34 PM · Performance-Team (Radar), SecTeam-Processed, User-ArielGlenn, Patch-For-Review, Security-Team, MediaWiki-General, Instrument-ClientError
sbassett moved T279120: Misc changes to index.php?action=raw for perf and error logging from Incoming to Watching on the Security-Team board.
Mon, Apr 5, 3:34 PM · Performance-Team (Radar), SecTeam-Processed, User-ArielGlenn, Patch-For-Review, Security-Team, MediaWiki-General, Instrument-ClientError
sbassett edited projects for T279009: Cleanup duplicate indices in cloudelastic, added: SecTeam-Processed; removed Security-Team.
Mon, Apr 5, 3:31 PM · SecTeam-Processed, Discovery-Search, Vuln-Infoleak, Security, Tool-global-search
sbassett edited projects for T214579: Some very specific Maniphest search queries by RelEng, Sec Team and WMCS are global and shown for all users, added: SecTeam-Processed; removed Security-Team.

Hey @Aklapper - I reviewed https://phabricator.wikimedia.org/maniphest/query/advanced/ and the Security-Team related searches all just seem to point to various workboard columns, etc. Any protected tasks within those searches should still be protected. I don't know how or why these searches were added to that left nav, but I'm pretty sure they can be removed if they are cluttering things up.

Mon, Apr 5, 3:16 PM · SecTeam-Processed, Developer Productivity, Release-Engineering-Team (Development services), Release-Engineering-Team-TODO, Phabricator
sbassett moved T278160: Updates to php-security-tools from In Progress to Backlog on the user-sbassett board.
Mon, Apr 5, 3:09 PM · user-sbassett, Security-Team
sbassett moved T278160: Updates to php-security-tools from Incoming to Back Orders on the Security-Team board.
Mon, Apr 5, 3:07 PM · user-sbassett, Security-Team

Fri, Apr 2

sbassett moved T101017: Early security release access for Lcawte (ShoutWiki) from Postponed to Backlog on the user-sbassett board.
Fri, Apr 2, 7:08 PM · user-sbassett, Security-Team, ShoutWiki, WMF-Legal
sbassett moved T278160: Updates to php-security-tools from Backlog to In Progress on the user-sbassett board.
Fri, Apr 2, 7:06 PM · user-sbassett, Security-Team
sbassett changed the visibility for T240010: Security Review For Wikipedia Previews.
Fri, Apr 2, 6:45 PM · secscrum, Security, Security Readiness Reviews, user-sbassett, Inuka-Team
sbassett changed the visibility for T243778: Sanitize API response used in Wikipedia Previews HTML.
Fri, Apr 2, 6:44 PM · Inuka-Team (Kanban), Wikipedia-Preview (Mobile-Prototype), Security
sbassett moved T266904: Performance review of ext:StopForumSpam from Waiting to In Progress on the user-sbassett board.
Fri, Apr 2, 6:30 PM · Patch-For-Review, user-sbassett, Performance-Team
sbassett added a comment to T279140: Prototyping a vulnerability management dashboard.

Ah, now I remember T265923, and how frustrating Phabricator's complete lack of collective bot ownership is. I suppose the best we can do is have @Reedy grab the api token and keep it safe within our team vault.

Fri, Apr 2, 6:21 PM · Patch-For-Review, Security-Team, Security
sbassett moved T264822: (MS 7) Security Readiness Review For Wikidata Query Builder from Incoming to Q4: 2021 Planning Queue on the secscrum board.
Fri, Apr 2, 6:02 PM · secscrum, Security Readiness Reviews, Wikidata Query Builder, Wikidata, Security
sbassett added a comment to T279140: Prototyping a vulnerability management dashboard.

Nice catch! I am using a token linked to my account. I'd be grateful if I could be given the relevant bot's credentials and added as a maintainer. Let me know if there's anything I need to do for that.

Fri, Apr 2, 5:48 PM · Patch-For-Review, Security-Team, Security
sbassett updated subscribers of T279140: Prototyping a vulnerability management dashboard.

I see, then it's fine since I was able to collect all the existing tags from the Conduit API as well using the Vuln- prefix.

Fri, Apr 2, 3:53 PM · Patch-For-Review, Security-Team, Security
sbassett shifted T279140: Prototyping a vulnerability management dashboard from the Restricted Space space to the S1 Public space.
Fri, Apr 2, 3:08 PM · Patch-For-Review, Security-Team, Security
sbassett moved T279140: Prototyping a vulnerability management dashboard from Incoming to In Progress on the Security-Team board.
Fri, Apr 2, 3:08 PM · Patch-For-Review, Security-Team, Security
sbassett added a comment to T279140: Prototyping a vulnerability management dashboard.

Honestly, I just erred on the side of caution and made it non-public from the beginning. I'm glad to make it public if there are not strong objections.

Fri, Apr 2, 3:04 PM · Patch-For-Review, Security-Team, Security
sbassett added a comment to T279140: Prototyping a vulnerability management dashboard.

A few thoughts:

  1. Is there a reason this task can't be public? Some of the relevant data concerning this project might be sensitive, but Phabricator should keep that information secure from public audiences. For example, if I reference a protected security bug (T268377), Phabricator should hide that effectively within a public view.
  2. The Vuln- tags should be relatively up-to-date, though there may be a few we'd want to add and some could potentially have their descriptions updated.
  3. Regarding the technical stack - I'd imagine wmcs would be the likely hosting environment? We do have a couple of existing, security-related cloud instances (see here) and there are at least a couple (1. 2) of security-related toolforge projects.
  4. I would imagine for this dashboard to offer the most value, it would need to be able to robustly filter data on a project, team, user, date/time and risk level. Some of that data is available via Phabricator as part of the task, but some (especially team ownership and risk) is not, at least not at the moment.
Fri, Apr 2, 2:27 PM · Patch-For-Review, Security-Team, Security
sbassett moved T238167: Develop "security testing toolboxes" (Node/JS) for manual security reviews from Backlog to Done on the user-sbassett board.
Fri, Apr 2, 2:18 PM · Security-Team, user-sbassett
sbassett moved T238167: Develop "security testing toolboxes" (Node/JS) for manual security reviews from In Progress to Our Part Is Done on the Security-Team board.
Fri, Apr 2, 2:18 PM · Security-Team, user-sbassett
sbassett merged task T238167: Develop "security testing toolboxes" (Node/JS) for manual security reviews into T278160: Updates to php-security-tools.
Fri, Apr 2, 2:18 PM · Security-Team, user-sbassett
sbassett merged T238167: Develop "security testing toolboxes" (Node/JS) for manual security reviews into T278160: Updates to php-security-tools.
Fri, Apr 2, 2:18 PM · user-sbassett, Security-Team

Thu, Apr 1

sbassett moved T266513: Security Readiness Review For the MediaSearch extension from In Progress to Waiting on the user-sbassett board.
Thu, Apr 1, 10:35 PM · Patch-For-Review, user-sbassett, Security, secscrum, Security Readiness Reviews
sbassett moved T266513: Security Readiness Review For the MediaSearch extension from In Progress to Waiting on the secscrum board.
Thu, Apr 1, 10:35 PM · Patch-For-Review, user-sbassett, Security, secscrum, Security Readiness Reviews
sbassett added a comment to T266513: Security Readiness Review For the MediaSearch extension.

Security Review Summary - T266513 - 2021-03-30
Last commit reviewed: 8aeaef361d

Thu, Apr 1, 10:35 PM · Patch-For-Review, user-sbassett, Security, secscrum, Security Readiness Reviews

Wed, Mar 31

sbassett added a comment to T266513: Security Readiness Review For the MediaSearch extension.

@AnneT - I'm about 75% complete with the review and should have it completed by tomorrow or this Friday. Apologies for the delay - lots of end-of-quarter items needing attention.

Wed, Mar 31, 9:27 PM · Patch-For-Review, user-sbassett, Security, secscrum, Security Readiness Reviews
sbassett moved T278562: Cache pollution after a revert causing autoblocks on WMCS ranges from Incoming to Our Part Is Done on the Security-Team board.
Wed, Mar 31, 2:36 PM · Vuln-DoS, Vuln-Misconfiguration, SecTeam-wikimedia-project-event, User-Urbanecm, cloud-services-team (Kanban), Security, Security-Team

Fri, Mar 26

sbassett added projects to T278562: Cache pollution after a revert causing autoblocks on WMCS ranges: SecTeam-wikimedia-project-event, Vuln-Misconfiguration, Vuln-DoS.

Thanks for investigating and getting this fixed. Unless someone has an issue with exposing a toolforge IP (can't imagine anyone would), we should be able to make this public next week. Thankfully this appears to be a case where something broke and, while technically making things _more_ secure, it introduced a Vuln-DoS for those on various exemption lists for an extended period of time.

Fri, Mar 26, 6:24 PM · Vuln-DoS, Vuln-Misconfiguration, SecTeam-wikimedia-project-event, User-Urbanecm, cloud-services-team (Kanban), Security, Security-Team

Thu, Mar 25

sbassett added a comment to T270713: CVE-2021-30152: action=protect lets users with 'protect' permission protect to higher protection level.

What's the status here? Is this fixed in master?

Thu, Mar 25, 2:16 PM · MW-1.36-notes, MW-1.37-notes (1.37.0-wmf.1; 2021-04-13), Platform Team Workboards (Clinic Duty Team), Patch-For-Review, Vuln-MissingAuthz, Security-Team, Security, MediaWiki-API

Wed, Mar 24

sbassett updated subscribers of T266904: Performance review of ext:StopForumSpam.

I rebased the patch above. Once this is merged, I can consider this task closed.

Wed, Mar 24, 3:11 PM · Patch-For-Review, user-sbassett, Performance-Team

Tue, Mar 23

sbassett updated the task description for T273020: Security Readiness Review For Toolhub.
Tue, Mar 23, 9:52 PM · Toolhub, Security, Security Readiness Reviews, secscrum
sbassett added a comment to T273020: Security Readiness Review For Toolhub.

@bd808 - Ah, the "wait a few minutes" trick seems to have worked, thanks! I'll add a note to the task description above.

Tue, Mar 23, 9:49 PM · Toolhub, Security, Security Readiness Reviews, secscrum
sbassett added a comment to T273020: Security Readiness Review For Toolhub.

I and one of our vendors are having an issue building and running the docker-based development environment as described within the task description:

$ git clone "https://gerrit.wikimedia.org/r/wikimedia/toolhub"
$ cd toolhub
$ make init

I can get the make init to complete successfully, but when I try to access the web app at http://localhost:8000, I see the following error:

OSError at /
Error reading /srv/app/vue/dist/webpack-stats.json. Are you sure webpack has generated the file and the path is correct?
Request Method:	GET
Request URL:	http://localhost:8000/
Django Version:	2.2.17
Exception Type:	OSError
Exception Value:	
Error reading /srv/app/vue/dist/webpack-stats.json. Are you sure webpack has generated the file and the path is correct?
Exception Location:	/opt/lib/poetry/toolhub-2uZo5AhP-py3.7/lib/python3.7/site-packages/webpack_loader/loader.py in load_assets, line 31
Python Executable:	/opt/lib/poetry/toolhub-2uZo5AhP-py3.7/bin/python3
Python Version:	3.7.3
Python Path:	
['/srv/app',
 '/usr/lib/python37.zip',
 '/usr/lib/python3.7',
 '/usr/lib/python3.7/lib-dynload',
 '/opt/lib/poetry/toolhub-2uZo5AhP-py3.7/lib/python3.7/site-packages']

Am I missing something here? Some additional env config or build steps maybe? This was on MacOS Mojave 10.14.6 with Docker Engine v20.10.5.

Tue, Mar 23, 9:18 PM · Toolhub, Security, Security Readiness Reviews, secscrum
sbassett added a comment to T277690: Security Readiness Review for SD Image Recommendations UI.

Nevermind, I thought this was a different task, sorry about that!

Tue, Mar 23, 9:10 PM · Image-Recommendations, Security Readiness Reviews, secscrum
sbassett changed the status of T277690: Security Readiness Review for SD Image Recommendations UI from Open to Stalled.

Backlogged and stalled to await completion of review template.

Tue, Mar 23, 8:50 PM · Image-Recommendations, Security Readiness Reviews, secscrum
sbassett triaged T277690: Security Readiness Review for SD Image Recommendations UI as Lowest priority.
Tue, Mar 23, 8:50 PM · Image-Recommendations, Security Readiness Reviews, secscrum
sbassett moved T277690: Security Readiness Review for SD Image Recommendations UI from Incoming to Back Orders on the secscrum board.
Tue, Mar 23, 8:34 PM · Image-Recommendations, Security Readiness Reviews, secscrum

Mon, Mar 22

sbassett triaged T278160: Updates to php-security-tools as Low priority.
Mon, Mar 22, 6:10 PM · user-sbassett, Security-Team
sbassett moved T278014: CVE-2021-30154: Unescaped messages used in HTML on Special:NewFiles from In Progress to Our Part Is Done on the Security-Team board.
Mon, Mar 22, 6:08 PM · MW-1.31-release-notes, MW-1.31-release, MW-1.35-notes, MW-1.36-notes (1.36.0-wmf.36; 2021-03-23), SecTeam-Processed, MW-1.35-release, MediaWiki-Special-pages, Vuln-XSS, Security, Security-Team
sbassett added a comment to T278014: CVE-2021-30154: Unescaped messages used in HTML on Special:NewFiles.

Thanks, @sbassett ! Just for my reference on if I find any more of these in core or WMF deployed extensions, is it OK to push straight to Gerrit, and I assume we'd still want a ticket created for reference?

Mon, Mar 22, 6:06 PM · MW-1.31-release-notes, MW-1.31-release, MW-1.35-notes, MW-1.36-notes (1.36.0-wmf.36; 2021-03-23), SecTeam-Processed, MW-1.35-release, MediaWiki-Special-pages, Vuln-XSS, Security, Security-Team
sbassett updated the task description for T278160: Updates to php-security-tools.
Mon, Mar 22, 6:02 PM · user-sbassett, Security-Team
sbassett created T278160: Updates to php-security-tools.
Mon, Mar 22, 6:02 PM · user-sbassett, Security-Team
sbassett added a project to T278014: CVE-2021-30154: Unescaped messages used in HTML on Special:NewFiles: SecTeam-Processed.
Mon, Mar 22, 3:40 PM · MW-1.31-release-notes, MW-1.31-release, MW-1.35-notes, MW-1.36-notes (1.36.0-wmf.36; 2021-03-23), SecTeam-Processed, MW-1.35-release, MediaWiki-Special-pages, Vuln-XSS, Security, Security-Team
sbassett moved T278058: CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist) from Incoming to In Progress on the Security-Team board.
Mon, Mar 22, 3:36 PM · MW-1.31-release-notes, MW-1.35-notes, MW-1.36-notes (1.36.0-wmf.36; 2021-03-23), SecTeam-Processed, MW-1.35-release, MW-1.31-release, MediaWiki-Special-pages, Vuln-XSS, Security, Security-Team
sbassett triaged T278058: CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist) as Low priority.
Mon, Mar 22, 3:36 PM · MW-1.31-release-notes, MW-1.35-notes, MW-1.36-notes (1.36.0-wmf.36; 2021-03-23), SecTeam-Processed, MW-1.35-release, MW-1.31-release, MediaWiki-Special-pages, Vuln-XSS, Security, Security-Team
sbassett added a project to T278058: CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist): SecTeam-Processed.
Mon, Mar 22, 3:36 PM · MW-1.31-release-notes, MW-1.35-notes, MW-1.36-notes (1.36.0-wmf.36; 2021-03-23), SecTeam-Processed, MW-1.35-release, MW-1.31-release, MediaWiki-Special-pages, Vuln-XSS, Security, Security-Team
sbassett added a comment to T278058: CVE-2021-30157: Unescaped messages used in HTML on ChangesList pages (e.g. RecentChanges and Watchlist).

Thanks again for the report and patch. Making this public and pushing through gerrit as low-risk.

Mon, Mar 22, 3:36 PM · MW-1.31-release-notes, MW-1.35-notes, MW-1.36-notes (1.36.0-wmf.36; 2021-03-23), SecTeam-Processed, MW-1.35-release, MW-1.31-release, MediaWiki-Special-pages, Vuln-XSS, Security, Security-Team
sbassett moved T278014: CVE-2021-30154: Unescaped messages used in HTML on Special:NewFiles from Incoming to In Progress on the Security-Team board.

Thanks again for the report and patch. Making this public and pushing through gerrit as low-risk.

Mon, Mar 22, 3:26 PM · MW-1.31-release-notes, MW-1.31-release, MW-1.35-notes, MW-1.36-notes (1.36.0-wmf.36; 2021-03-23), SecTeam-Processed, MW-1.35-release, MediaWiki-Special-pages, Vuln-XSS, Security, Security-Team
sbassett triaged T278014: CVE-2021-30154: Unescaped messages used in HTML on Special:NewFiles as Low priority.
Mon, Mar 22, 3:25 PM · MW-1.31-release-notes, MW-1.31-release, MW-1.35-notes, MW-1.36-notes (1.36.0-wmf.36; 2021-03-23), SecTeam-Processed, MW-1.35-release, MediaWiki-Special-pages, Vuln-XSS, Security, Security-Team
sbassett updated the task description for T273220: Deploy StopForumSpam extension to production.
Mon, Mar 22, 3:16 PM · user-sbassett, User-notice, Wikimedia-Extension-setup, MediaWiki-extensions-StopForumSpam

Fri, Mar 19

sbassett added a comment to T277336: Element (Matrix client) Bridge Encryption - security review request.

@sbassett Estimated deployment date is end of fiscal year. Is that a realistic goal for your team? Per my request, New Vector enabled the encryption tool on one Slack channel bridged to Element, #matrix-encryption-test, but I don't have any visibility into the backend. Would server logs suffice or do you need some sort of real-time access to the bridge to see what's going on?

Fri, Mar 19, 3:56 PM · secscrum, Security Readiness Reviews, Security
sbassett changed the visibility for T277009: CVE-2021-30158: Allow blocked users to access Special:ResetTokens.
Fri, Mar 19, 3:49 PM · Vuln-DoS, SecTeam-Processed, Security, Privacy, MW-1.35-notes, MW-1.31-release-notes, MW-1.36-notes (1.36.0-wmf.35; 2021-03-16), Growth-Team, MediaWiki-Watchlist, Security-Team
sbassett closed T277009: CVE-2021-30158: Allow blocked users to access Special:ResetTokens as Resolved.
In T277009#6928372, @IN wrote:

Is this mission over now?

Fri, Mar 19, 3:48 PM · Vuln-DoS, SecTeam-Processed, Security, Privacy, MW-1.35-notes, MW-1.31-release-notes, MW-1.36-notes (1.36.0-wmf.35; 2021-03-16), Growth-Team, MediaWiki-Watchlist, Security-Team

Thu, Mar 18

sbassett added a comment to T274158: Improve revision visibility after recent security patches.

@sbassett Could you please make this public? Seems like I can't.

Thu, Mar 18, 3:13 PM · MW-1.36-notes (1.36.0-wmf.36; 2021-03-23), SecTeam-Processed, AbuseFilter, Security, Security-Team
sbassett changed the visibility for T274158: Improve revision visibility after recent security patches.
Thu, Mar 18, 3:11 PM · MW-1.36-notes (1.36.0-wmf.36; 2021-03-23), SecTeam-Processed, AbuseFilter, Security, Security-Team

Wed, Mar 17

sbassett added a project to T277009: CVE-2021-30158: Allow blocked users to access Special:ResetTokens: Vuln-DoS.
Wed, Mar 17, 3:09 PM · Vuln-DoS, SecTeam-Processed, Security, Privacy, MW-1.35-notes, MW-1.31-release-notes, MW-1.36-notes (1.36.0-wmf.35; 2021-03-16), Growth-Team, MediaWiki-Watchlist, Security-Team

Tue, Mar 16

sbassett removed a project from T272082: Reflected XSS on archiva.wikimedia.org (due to Jetty, likely CVE-2019-10241): Patch-For-Review.
Tue, Mar 16, 9:59 PM · Vuln-XSS, Security, Security-Team
sbassett added a project to T269718: RCE in Widgets extension (CVE-2020-35625): Vuln-DirectObjectReference.
Tue, Mar 16, 9:49 PM · Vuln-DirectObjectReference, Vuln-MissingAuthz, ShoutWiki, MediaWiki-extensions-Widgets, Security
sbassett added a project to T263498: Logins to MW with at least one SSO client extension allows masquerading as another user (CVE-2020-35623): Vuln-Authn/Session.
Tue, Mar 16, 9:39 PM · Vuln-Authn/Session, MediaWiki-Authentication-and-authorization, Security, Security-Team
sbassett added a project to T269718: RCE in Widgets extension (CVE-2020-35625): Vuln-MissingAuthz.
Tue, Mar 16, 9:37 PM · Vuln-DirectObjectReference, Vuln-MissingAuthz, ShoutWiki, MediaWiki-extensions-Widgets, Security
sbassett added a project to T205908: Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage (CVE-2020-35477): Vuln-Misconfiguration.
Tue, Mar 16, 9:33 PM · Vuln-Misconfiguration, MW-1.35-notes, MW-1.31-release-notes, MW-1.36-notes (1.36.0-wmf.25; 2021-01-05), User-DannyS712, Security-Team, Security, MediaWiki-Logevents, Wikimedia-General-or-Unknown, Trust-and-Safety, Regression, MediaWiki-Revision-deletion
sbassett added a project to T268938: BlockLogFormatter can output raw html (CVE-2020-35478, CVE-2020-35479): Vuln-XSS.
Tue, Mar 16, 9:30 PM · Vuln-XSS, MW-1.31-release-notes, MW-1.35-notes, MW-1.36-notes (1.36.0-wmf.21; 2020-12-08), Anti-Harassment (The Letter Song), MediaWiki-Logevents, MediaWiki-Blocks, Security, Security-Team
sbassett added a project to T268917: Messages userrights-expiry-current and userrights-expiry-none can contain raw html (CVE-2020-35475): Vuln-XSS.
Tue, Mar 16, 9:30 PM · Vuln-XSS, MW-1.35-notes, MW-1.31-release-notes, MW-1.36-notes (1.36.0-wmf.21; 2020-12-08), MediaWiki-User-management, Security, Security-Team
sbassett added a project to T265810: mw-ext-FileImporter uses a WMF IP address, does not include XFF for users using this extension (CVE-2020-27621): Vuln-Misconfiguration.
Tue, Mar 16, 9:30 PM · Vuln-Misconfiguration, MW-1.36-notes (1.36.0-wmf.13; 2020-10-12), WMDE-QWERTY-Sprint-2020-10-07, Unplanned-Sprint-Work, Move-Files-To-Commons, Security, Security-Team
sbassett added a comment to T266513: Security Readiness Review For the MediaSearch extension.

Update: I still plan to complete this security readiness review by the end of this quarter, but it might not be completed until quite literally the end of this quarter.

Tue, Mar 16, 3:54 PM · Patch-For-Review, user-sbassett, Security, secscrum, Security Readiness Reviews