- I guess we'll link to https://meta.wikimedia.org/wiki/CentralNotice/Banner_guidelines and add security/privacy guidelines there?
- We could make the link configurable and actually set it via config, maybe?
- I couldn't find any explicit site-wide policy about not loading external resources... Does anyone know where one might be, if it exists?
Fri, Mar 16
A bit of brainstorming about steps to carry out here...
- CentralNotice EventLogging (done)
- Donate Wiki EventLogging
- Adjust DB ingress scripts to accept both EL events and data in the current format
- Analytics, Traffic and FR infrastructure changes to send the event data to the DB ingress script
- Create a parallel database for data from EL
- Activate both systems in parallel to test
- De-activate old system
Quick sanity check:
Thu, Mar 15
Tentative EL schema: https://meta.wikimedia.org/wiki/Schema:LandingPageImpression
Tue, Mar 13
Hi! @Mpany, thanks for these reports. It would be helpful to have more details...
Mon, Mar 12
+2 Patches for REL1_30, reviewed and smoke tested
+2 Patches for REL1_29, reviewed and smoke tested
+2 Patches for REL1_27, reviewed and smoke tested
Fri, Mar 9
@Imarlier thanks for this!!!!
Thu, Mar 8
Wed, Mar 7
+2 @Ejegg's minor change in 0002-SECURITY-Cleanup-of-database-queries.patch :) Thanks!!!
Tue, Mar 6
@Bawolff, thanks again for such amazing work on this!!!!!! :)
Here are the changes from @Bawolff's original patch:
Series of patches again, rebased on current CentralNotice master:
Mon, Mar 5
Here's the whole series of patches (including a slightly revised version of the one already uploaded, above).
Wed, Feb 28
Tue, Feb 27
Here is a first, smaller patch, with only the output-escaping bits.
Thanks @MarcoAurelio! The fix for this is deployed, so I'm closing the ticket... Please re-open if you run into this again (or make new ticket if you think it's a different issue). :)
More specific questions about escaping output:
Mon, Feb 26
Since we can't put this in Gerrit just yet, we've been using this Google Doc for notes about this. Hope that's OK! (What do you normally use?)
Feb 16 2018
Great, thanks so much! Quite a terrifying vulnerability... Patch looks great, locally smoke tested and verified that it blocks the attack :)
Feb 15 2018
Feb 14 2018
Feb 13 2018
Thanks, all, for fixing this!!! 😺
Feb 12 2018
Feb 6 2018
Just discovered this is also an issue for controls to enable and disable mixins!
Feb 5 2018
Feb 1 2018
Jan 31 2018
Jan 30 2018
- T185932: CentralNotice: use EventLogging instead of custom beacon
- T185933: Donatewiki: use EventLogging to log pageloads
- T186047: centralnotice_analytics: adapt ImpressionsQuery for EventLogging-based impressions recording
- T186048: Adapt Druid banner_activity jobs to EventLogging-based impression recording
I expect this was due to maintenance and minor issues on the Analytics cluster around this time, though I don't have a confirmation of that for the exact time of the reported issue. @Mpany has this happened again recently (i.e. within the past month or so)? Thanks!! :D
Just fixed a few things in centralnotice_analytics, and figured out a silly regex, so we could now pull the same data more simply:
Jan 29 2018
Here is the Jupyter notebook showing how we pulled the initial data:
The attached patch fixes the JS issue, which addresses the main use case in the bug's description. With the fix, if the user clicks to remove all items from a multiselect (whether or not they clicked to add all items before), then re-adds any of them, the changes should save correctly.
Some more details:
Jan 27 2018
Jan 23 2018
Seems to be a bug in the "Remove all" code...
The select form element works fine with JS disabled. CentralNotice does little other than activate this widget (which is included in CN code), so the first thing I'm looking at is a possible bug in the widget itself... Thanks!!!
Jan 22 2018
I was able to remove all the languages except aa by clicking repeatedly on the buttons to remove languages one-by-one, and submitting changes in batches. Interestingly, at one point the JS widget told me that a negative number of languages were selected, even though the widget showed several languages still selected.