Bawolff (Brian Wolff)
Security

User Details

User Since
Oct 25 2014, 1:53 AM (147 w, 4 d)
Availability
Available
IRC Nick
Bawolff
LDAP User
Brian Wolff
MediaWiki User
Bawolff

I work on the MediaWiki Security Team.

Recent Activity

Today

Bawolff committed rELGN7822af6607ea: Do not record failures for non-existent accounts (authored by Bawolff).
Do not record failures for non-existent accounts
Wed, Aug 23, 8:59 PM
Bawolff added a comment to T173888: LoginNotify not working for everyone apparently.

There's a lot of log entries that look like:

Wed, Aug 23, 8:52 PM · MW-1.30-release-notes (WMF-deploy-2017-08-22 (1.30.0-wmf.15)), Patch-For-Review, MediaWiki-extensions-LoginNotify, Community-Tech
Bawolff committed rELGNbfff0f89cdb6: Fix typo where IP wasn't retrieved from job (authored by Bawolff).
Fix typo where IP wasn't retrieved from job
Wed, Aug 23, 7:55 PM
Bawolff added a comment to T173856: #Security access for Niharika.

@Niharika Do you currently have 2FA enabled in Phabricator? (If not, please enable it.)

Wed, Aug 23, 7:07 PM · Security, WMF-NDA-Requests
Bawolff committed rELGN697ff06befe5: Use global stash instance instead of local cluster instance. (authored by Bawolff).
Use global stash instance instead of local cluster instance.
Wed, Aug 23, 7:02 PM
Bawolff updated subscribers of T173891: create production ip_changes table for RangeContributions.

The table should not be in dumps - it could contain revision deleted IPs.

@Bawolff: How are revision deleted IPs currently dealt with in dumps?

Wed, Aug 23, 6:04 PM · Security, Community-Tech, DBA
Bawolff updated the task description for T173891: create production ip_changes table for RangeContributions.
Wed, Aug 23, 5:55 PM · Security, Community-Tech, DBA
Bawolff added a comment to T173891: create production ip_changes table for RangeContributions.

Should the data be made available on the labs replicas and/or dumps: Yes, nothing in the table is private data

Wed, Aug 23, 5:54 PM · Security, Community-Tech, DBA
Bawolff added a comment to T155678: Provide an easy to use support system for contributors to ask technical questions .

How about Flow?

It's worked well enough for Project:Support_desk

I can't even figure out how to search for solutions to problems / answers to questions there :/

Wed, Aug 23, 5:23 PM · TCB-Team, Developer-Relations
Bawolff added a comment to T155678: Provide an easy to use support system for contributors to ask technical questions .

How about Flow?

Wed, Aug 23, 3:16 PM · TCB-Team, Developer-Relations

Mon, Aug 21

Bawolff added a comment to T54921: Database tables to be dropped on Wikimedia wikis and other WMF databases (tracking).

In case it's helpful here: While working on a bug about what tables to classify for labs, I categorized the db tables at T103011#3536648 - the "useless" category mostly contains things that probably should be dropped.

Mon, Aug 21, 3:56 AM · Epic, DBA, Tracking

Sun, Aug 20

Bawolff added a subtask for T18660: Database table cleanup (tracking): Unknown Object (Task).
Sun, Aug 20, 9:22 PM · DBA, Tracking, Wikimedia-Site-requests

Fri, Aug 18

Bawolff added a subtask for T54921: Database tables to be dropped on Wikimedia wikis and other WMF databases (tracking): Unknown Object (Task).
Fri, Aug 18, 10:05 PM · Epic, DBA, Tracking
Bawolff added a comment to T173468: Publish dumps of Wikimedia's globalblock database.

How often would we want this dump generated? And just to be sure, there is no possibility that an entry in the globalblock table could be hidden or otherwise not visible to the public, right?

Weekly sounds reasonable to start with. And, I believe so. It would be good to have @Bawolff or someone else from Security-Team to confirm though.

Fri, Aug 18, 9:33 PM · Patch-For-Review, GlobalBlocking, Dumps-Generation
Bawolff added a comment to T173581: Petition can not be signed when transcluded, says user is blocked.

Oh, that might be my fault. I suspect this is a side effect of 7730dee63b1 (Transcluded special pages are now always treated as if they come from 127.0.0.1 to prevent data leaks, and be nicer to caching)

Fri, Aug 18, 6:18 PM · MediaWiki-extensions-Petition
Bawolff updated the task description for T173589: CodeReview extension reads from updatelog table in onLoadExtensionSchemaUpdates breaking sql.php maintenance script when run on different cluster.
Fri, Aug 18, 6:15 PM · MediaWiki-Maintenance-scripts, MediaWiki-extensions-CodeReview
Bawolff added a subtask for T54921: Database tables to be dropped on Wikimedia wikis and other WMF databases (tracking): Unknown Object (Task).
Fri, Aug 18, 6:13 PM · Epic, DBA, Tracking
Bawolff created T173589: CodeReview extension reads from updatelog table in onLoadExtensionSchemaUpdates breaking sql.php maintenance script when run on different cluster.
Fri, Aug 18, 5:51 PM · MediaWiki-Maintenance-scripts, MediaWiki-extensions-CodeReview
Bawolff added a project to T173580: $wgMaxAnimatedGifArea is not honored : Thumbor.

I suspect this is due to thumbor.

Fri, Aug 18, 4:45 PM · Thumbor, Commons, MediaWiki-File-management, MediaWiki-extensions-VipsScaler, Multimedia

Thu, Aug 17

Bawolff closed T173390: securepoll should use MWCryptRand not mt_rand() when creating a random temp directory as Resolved.
Thu, Aug 17, 8:48 PM · MW-1.30-release-notes (WMF-deploy-2017-08-22 (1.30.0-wmf.15)), MediaWiki-extensions-SecurePoll, Easy
Bawolff added a comment to T172650: "last" command on WMF Labs/Tools allows users to view IPs of other toolforge users.

I think we should remove the restrictive security ACL here. This is a policy and notification issue rather than a sensitive security issue.

Thu, Aug 17, 8:46 PM · Privacy, cloud-services-team (Kanban), Cloud-Services, Security
Bawolff changed the visibility for T172650: "last" command on WMF Labs/Tools allows users to view IPs of other toolforge users.
Thu, Aug 17, 8:46 PM · Privacy, cloud-services-team (Kanban), Cloud-Services, Security
Bawolff updated subscribers of T172650: "last" command on WMF Labs/Tools allows users to view IPs of other toolforge users.
Thu, Aug 17, 5:57 PM · Privacy, cloud-services-team (Kanban), Cloud-Services, Security
Bawolff renamed T172650: "last" command on WMF Labs/Tools allows users to view IPs of other toolforge users from "last" command accessible via WMF Labs/Tools to "last" command on WMF Labs/Tools allows users to view IPs of other toolforge users.
Thu, Aug 17, 5:56 PM · Privacy, cloud-services-team (Kanban), Cloud-Services, Security
Bawolff added a project to T172650: "last" command on WMF Labs/Tools allows users to view IPs of other toolforge users: Privacy.
Thu, Aug 17, 5:56 PM · Privacy, cloud-services-team (Kanban), Cloud-Services, Security
Bawolff added a comment to T170907: Security Issue Access Request for VColeman.

Ok. Do I need to create MFA for the vcoleman account on LDAP? How do I do that?

Thu, Aug 17, 5:16 PM · Security
Bawolff added a subtask for T54921: Database tables to be dropped on Wikimedia wikis and other WMF databases (tracking): Unknown Object (Task).
Thu, Aug 17, 4:12 PM · Epic, DBA, Tracking

Wed, Aug 16

Bawolff added a comment to T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki.

@Bawolff What's the status of this? At least from this task it looks like it's been stalled for quite a while?

Wed, Aug 16, 8:35 PM · TechCom-Has-shepherd, RfC, JavaScript, Security-Team, TechCom-RfC
Bawolff added a subtask for T18660: Database table cleanup (tracking): Unknown Object (Task).
Wed, Aug 16, 6:05 PM · DBA, Tracking, Wikimedia-Site-requests
Bawolff added a subtask for T54921: Database tables to be dropped on Wikimedia wikis and other WMF databases (tracking): Unknown Object (Task).
Wed, Aug 16, 6:04 PM · Epic, DBA, Tracking

Tue, Aug 15

Bawolff created T173390: securepoll should use MWCryptRand not mt_rand() when creating a random temp directory.
Tue, Aug 15, 10:16 PM · MW-1.30-release-notes (WMF-deploy-2017-08-22 (1.30.0-wmf.15)), MediaWiki-extensions-SecurePoll, Easy
Bawolff added a project to T173370: Support restricted execution of external commands: Security-Team.
Tue, Aug 15, 8:15 PM · Security-Team, MediaWiki-General-or-Unknown, MediaWiki-Platform-Team
Bawolff awarded T173370: Support restricted execution of external commands a Like token.
Tue, Aug 15, 8:13 PM · Security-Team, MediaWiki-General-or-Unknown, MediaWiki-Platform-Team
Bawolff added projects to T173375: Special:SkinDistributor fails HTML validation: Easy, ExtensionDistributor.

The image issue should probably just have an alt text set to the empty string (in ExtensionDistributor/includes/specials/SpecialBaseDistributor.php )

Tue, Aug 15, 8:13 PM · ExtensionDistributor, Easy, MediaWiki-Special-pages
Bawolff added a comment to T173237: Provide a dump (in .sql format) of a redacted version of the user table.

I think it's very unlikely we will provide redacted sql files for the entire db. (Roughly) Equivalent data in xml format is available at https://dumps.wikimedia.org

Tue, Aug 15, 1:56 AM · Datasets-General-or-Unknown

Mon, Aug 14

Bawolff renamed T173237: Provide a dump (in .sql format) of a redacted version of the user table from Scrubbed database backup feature to Provide a dump (in .sql format) of a redacted version of the user table.
Mon, Aug 14, 5:00 AM · Datasets-General-or-Unknown
Bawolff edited projects for T173237: Provide a dump (in .sql format) of a redacted version of the user table, added: Datasets-General-or-Unknown; removed Privacy, MediaWiki-API.
Mon, Aug 14, 4:59 AM · Datasets-General-or-Unknown

Sun, Aug 13

Bawolff added a comment to T132022: Add AbuseFilter integration to Extension:Newsletter.

Sorry for the offtopic but does Newsletter have CheckUser integration? If not, it must have it.

Sun, Aug 13, 7:24 PM · Patch-For-Review, MediaWiki-extensions-Newsletter
Bawolff added a comment to T132022: Add AbuseFilter integration to Extension:Newsletter.

It looks like abusefilter stops the edit, but not the custom newsletter table edits

Sun, Aug 13, 4:08 PM · Patch-For-Review, MediaWiki-extensions-Newsletter
Bawolff added a comment to T132022: Add AbuseFilter integration to Extension:Newsletter.

In theory content handler should make abuse filter integration automatic. We should test to see if that actually works properly

Sun, Aug 13, 3:52 PM · Patch-For-Review, MediaWiki-extensions-Newsletter
Bawolff added a comment to T132022: Add AbuseFilter integration to Extension:Newsletter.

In theory content handler should make abuse filter integration automatic. We should test to see if that actually works properly

Sun, Aug 13, 3:43 PM · Patch-For-Review, MediaWiki-extensions-Newsletter
Bawolff closed T132016: Add CheckUser integration to Extension:Newsletter as Resolved.

This seems done as newsletter now uses content handler, and that automatically adds check user entries.

Sun, Aug 13, 3:42 PM · Patch-For-Review, MediaWiki-extensions-Newsletter
Bawolff closed T132016: Add CheckUser integration to Extension:Newsletter, a subtask of T115095: Security review of Newsletter extension, as Resolved.
Sun, Aug 13, 3:42 PM · Patch-For-Review, Security-Team, Wikimedia-Hackathon-2016, Security-Reviews, MediaWiki-extensions-Newsletter
Bawolff added a comment to T173237: Provide a dump (in .sql format) of a redacted version of the user table.
Sun, Aug 13, 2:55 PM · Datasets-General-or-Unknown
Bawolff changed the visibility for T173236: trash.
Sun, Aug 13, 1:01 PM · Security, Trash
Bawolff closed T173236: trash as Invalid.
Sun, Aug 13, 1:00 PM · Security, Trash

Sat, Aug 12

Bawolff closed T173224: Newsletter should support editing previous revisions as Resolved.
Sat, Aug 12, 10:52 PM · MW-1.30-release-notes (WMF-deploy-2017-08-22 (1.30.0-wmf.15)), Patch-For-Review, MediaWiki-extensions-Newsletter
Bawolff added a comment to T173220: The dropdown menu in flow (three dots on a thread) has weird borders in Timeless.

on https://www.mediawiki.org/wiki/Project:Support_desk?useskin=timeless

Sat, Aug 12, 8:22 PM · Collaboration-Team-Triage, Flow, Timeless
Bawolff created T173220: The dropdown menu in flow (three dots on a thread) has weird borders in Timeless.
Sat, Aug 12, 8:21 PM · Collaboration-Team-Triage, Flow, Timeless
Bawolff created T173219: Timeless uses words instead of a heart for wikilove.
Sat, Aug 12, 8:18 PM · WikiLove, Collaboration-Team-Triage, Timeless
Bawolff created T173218: https://www.mediawiki.org/wiki/Project:Support_desk?useskin=timeless has white underline on discussion tab.
Sat, Aug 12, 8:16 PM · Timeless
Bawolff closed T162066: Cannot revert revision on Newsletter description edit as Resolved.
Sat, Aug 12, 7:59 PM · Patch-For-Review, MediaWiki-extensions-Newsletter
Bawolff closed T169421: Newsletter publisher name not showing up correctly on Manage page. as Resolved.
Sat, Aug 12, 7:58 PM · MW-1.30-release-notes (WMF-deploy-2017-08-15 (1.30.0-wmf.14)), Patch-For-Review, MediaWiki-extensions-Newsletter
Bawolff closed T169421: Newsletter publisher name not showing up correctly on Manage page. , a subtask of T110170: Goal: Deploy Newsletter extension in Wikimedia, as Resolved.
Sat, Aug 12, 7:58 PM · MW-1.30-release-notes (WMF-deploy-2017-08-08_(1.30.0-wmf.13)), User-Addshore, Patch-For-Review, User-notice, Goal, Community-Liaisons, Wikimedia-Hackathon-2016, MediaWiki-extensions-Newsletter
Bawolff added a comment to T173111: Testing Newsletter extension in test.wikipedia.org.

Arguably it might make sense to have different rights on test than on real wikis

Sat, Aug 12, 7:56 PM · User-Addshore, MediaWiki-extensions-Newsletter

Thu, Aug 10

Bawolff added a comment to T150421: Provide a sender email address alias for use in Special:Emailuser.

I'm not sure how I feel about this, but... if we do something like this, I think it would make sense to do foo@wikipedia.invalid so it's clearly a non-real email address.

Thu, Aug 10, 8:40 PM · Anti-Harassment, Privacy, Support-and-Safety, Mail, MediaWiki-Email
Bawolff changed the visibility for T172878: Can’t disable 2FA.
Thu, Aug 10, 8:36 PM · Security, Wikimedia-Site-requests, Support-and-Safety
Bawolff created T173041: Newsletter extension should have an rss feed for newsletters.
Thu, Aug 10, 6:56 PM · MediaWiki-extensions-Newsletter
Bawolff added a comment to T172878: Can’t disable 2FA.

In the end, no private info was revealed, so this can be public again?

Thu, Aug 10, 1:26 PM · Security, Wikimedia-Site-requests, Support-and-Safety

Wed, Aug 9

Bawolff added a comment to T172878: Can’t disable 2FA.

Yes, I’ve tried. But the problem is that I can’t use TFA and it needs to work to disable it. I have a Token, a Secret Key, and 4 scratch codes. All the scratch codes have been used, and the TFA process doesn’t send a new code to my device.

——
Mark Adler

Wed, Aug 9, 4:41 PM · Security, Wikimedia-Site-requests, Support-and-Safety
Bawolff changed the visibility for T127397: "(Wiki Ed)" username can bypass permissions.
Wed, Aug 9, 3:24 PM · Education-Program-Dashboard, Programs-and-Events-Dashboard-Sprint 2, Security
Bawolff closed T127397: "(Wiki Ed)" username can bypass permissions as Resolved.

@Ragesoss says this could be closed

Wed, Aug 9, 3:23 PM · Education-Program-Dashboard, Programs-and-Events-Dashboard-Sprint 2, Security

Tue, Aug 8

Bawolff changed the visibility for T109652: Ex:SMW Special:SMWAdmin vulnerable to csrf.
Tue, Aug 8, 6:28 PM · Vuln-CSRF, Security-Extensions, Security
Bawolff closed T109652: Ex:SMW Special:SMWAdmin vulnerable to csrf as Resolved.
Tue, Aug 8, 6:28 PM · Vuln-CSRF, Security-Extensions, Security
Bawolff added a comment to T172785: Github.

For reference, google translate was

Tue, Aug 8, 1:58 PM · Trash
RandomDSdevel awarded T29884: enotif doesn't send email if page on watchlist edited following a minor edit and enotif not configured to send minor edits. a Baby Tequila token.
Tue, Aug 8, 12:45 AM · User-notice, MediaWiki-Email

Mon, Aug 7

Bawolff added a project to T172650: "last" command on WMF Labs/Tools allows users to view IPs of other toolforge users: Cloud-Services.

My initial reaction would be that this is probably working as intended, but I'm not really sure what the privacy model for tool labs is.

Mon, Aug 7, 1:35 AM · Privacy, cloud-services-team (Kanban), Cloud-Services, Security
Bawolff added a subtask for T54921: Database tables to be dropped on Wikimedia wikis and other WMF databases (tracking): Unknown Object (Task).
Mon, Aug 7, 1:25 AM · Epic, DBA, Tracking

Sat, Aug 5

Nemo_bis awarded T169676: Remove EducationProgram in favour of EducationDashboard a Mountain of Wealth token.
Sat, Aug 5, 10:25 AM · Security-Team, MediaWiki-extensions-EducationProgram, Education-Program-Dashboard
Bawolff added a comment to T109652: Ex:SMW Special:SMWAdmin vulnerable to csrf.

ok cool, please let me know when all that happens.

Sat, Aug 5, 8:00 AM · Vuln-CSRF, Security-Extensions, Security
Bawolff removed a project from T125433: [Epic] Open security and admin issues with the WMF wikiedu dashboard: Security.

rm tag Security . imo that tag should probably not be used for tracking bugs unless the thing they are tracking is a specific issue

Sat, Aug 5, 7:02 AM · Epic, Programs-and-Events-Dashboard-Sprint 2, Education-Program-Dashboard
Bawolff changed the visibility for T47501: IE6 XSS when MediaWiki is behind mod_proxy.
Sat, Aug 5, 6:58 AM · Vuln-XSS, Security, Security-General
Bawolff closed T47501: IE6 XSS when MediaWiki is behind mod_proxy as Declined.

Ok, I'm going to make a decision to call this wontfix. At the time this was reported in 2013 it was a legit bug imo, but at this point, an XSS against IE6, which can't even view most modern websites due to SSLv3 only, when using an obscure (?) apache configuration, is simply not a bug. People on IE6 have so many other problems to worry about, it's not worth caring about their security against an XSS.

Sat, Aug 5, 6:58 AM · Vuln-XSS, Security, Security-General
Bawolff moved T48843: [SimpleSecurity] Feeds from private namespaces and pages not restricted at all from External (Non-WMF) Issues to Open, Public & Abandoned on the Security board.
Sat, Aug 5, 6:50 AM · MediaWiki-extensions-SimpleSecurity, Security, Security-Extensions
Bawolff added a comment to T151425: Enlarge Popular Password File to 100,000 entries.

Hmm, the cdb thing is perhaps not the best data structure, really we should use bloom filters instead.

Sat, Aug 5, 6:41 AM · MediaWiki-User-login-and-signup, Security-Team
Bawolff added a comment to T109652: Ex:SMW Special:SMWAdmin vulnerable to csrf.

Addressed with https://github.com/SemanticMediaWiki/SemanticMediaWiki/pull/2590.

Sat, Aug 5, 6:25 AM · Vuln-CSRF, Security-Extensions, Security

Thu, Aug 3

Bawolff added a comment to T147199: Removing support for DES-CBC3-SHA TLS cipher (drops IE8-on-XP support).

Perhaps in the error page, the "use Firefox!" should be directly linked to the Firefox 52 ESR download page. The easier it is for users to find the link, and the fewer clicks the user has to go through, the more likely they will actually do it.

+1 to that. The next issue of Tech/News (draft, but will be frozen for translators in ~20 hours) points directly to the ESR page.
However, note that Firefox ESR 52 is ending support in Q2 of 2018, IIUC from the FAQ
But there are no decent alternatives for WinXP, at all.

Thu, Aug 3, 11:01 PM · User-notice, Patch-For-Review, Operations, Traffic
Bawolff added a comment to T171274: Security review of wikiba.se.

To answer my own question: https://github.com/wikimedia/wikiba.se

Thu, Aug 3, 6:41 PM · Security-Reviews, Wikidata
Bawolff added a comment to T171274: Security review of wikiba.se.

Is the site in a git repo somewhere?

Thu, Aug 3, 6:39 PM · Security-Reviews, Wikidata
Bawolff added a comment to T147199: Removing support for DES-CBC3-SHA TLS cipher (drops IE8-on-XP support).

Perhaps in the error page, the "use Firefox!" should be directly linked to the Firefox 52 ESR download page. The easier it is for users to find the link, and the fewer clicks the user has to go through, the more likely they will actually do it.

Thu, Aug 3, 6:00 PM · User-notice, Patch-For-Review, Operations, Traffic
Liuxinyu970226 awarded T29884: enotif doesn't send email if page on watchlist edited following a minor edit and enotif not configured to send minor edits. a Like token.
Thu, Aug 3, 7:47 AM · User-notice, MediaWiki-Email

Wed, Aug 2

Bawolff added a comment to T170927: Make wbqc_constraints table available on Quarry et al..

I approve on behalf of Security-Team

Wed, Aug 2, 6:56 PM · cloud-services-team (Kanban), Data-Services, WMF-Legal, Security-Team, Patch-For-Review, DBA, Wikibase-Quality-Constraints, Wikibase-Quality, Wikidata
Bawolff added a comment to T172065: Hunt for Toolforge tools that loads resources from third party sites.

If we want to flat out ban this sort of thing, we could use CSP to do it.

Wed, Aug 2, 4:16 PM · Toolforge-standards-committee, Tools, Privacy

Mon, Jul 31

Ahecht awarded T106516: Greyscale pngs without gAMA chunk rendered with incorrect contrast [or setting the gamma in GIMP exports to PNG] a The World Burns token.
Mon, Jul 31, 8:58 PM · Multimedia, MediaWiki-File-management, Patch-For-Review, Easy, Upstream, Commons

Fri, Jul 28

Julle awarded T29884: enotif doesn't send email if page on watchlist edited following a minor edit and enotif not configured to send minor edits. a Like token.
Fri, Jul 28, 12:32 AM · User-notice, MediaWiki-Email

Jul 21 2017

Bawolff updated subscribers of T171293: Activation DynamicPageList Extension on Wikivoyage/de.
Jul 21 2017, 9:49 PM · Wikimedia-Extension-setup
Bawolff added a comment to T171293: Activation DynamicPageList Extension on Wikivoyage/de.

I don't think we can deploy this to more wikis taking into account what is happening at T31596 and T124841. Pinging @Bawolff for advice.

Jul 21 2017, 9:45 PM · Wikimedia-Extension-setup

Jul 19 2017

Bawolff changed the visibility for T170729: rest api help should not request external things.
Jul 19 2017, 8:02 PM · Services (done), RESTBase, Privacy, Security
Bawolff added a comment to T170808: 500: Internal Server Error with ArticleInfo when using an apostrophe in article title.

No need for ears to bleed, I just want to ensure that the potential impact of SQL injections is not underestimated, or underestimated by other people who might be reading the comments on this bug.

Jul 19 2017, 7:36 PM · Security, Vuln-Inject, XTools
Bawolff added a comment to T170808: 500: Internal Server Error with ArticleInfo when using an apostrophe in article title.
It's very bad, no doubt, but this db is read-only and public so there's no real harm.
Jul 19 2017, 4:37 PM · Security, Vuln-Inject, XTools
Bawolff added a comment to T134863: Reflected XSS in GlobalGroupPermissions.

The CentralAuth patch for SECURITY XSS in Special:GlobalGroupPermissions has NOT been cherry picked to REL1_29.

List of patches: https://gerrit.wikimedia.org/r/#/q/fadb367ad16a228cc

Jul 19 2017, 3:06 PM · Patch-For-Review, Security-Team, MediaWiki-extensions-CentralAuth, Vuln-XSS, Security-Extensions, Security
Bawolff changed the status of T166039: Extension:TimedMediaHandler - ogv-worker-video/audio.js files from Invalid to Declined.
Jul 19 2017, 6:37 AM · Upstream, TimedMediaHandler, Security
Bawolff changed the visibility for T166039: Extension:TimedMediaHandler - ogv-worker-video/audio.js files.
Jul 19 2017, 6:37 AM · Upstream, TimedMediaHandler, Security
Bawolff closed T166039: Extension:TimedMediaHandler - ogv-worker-video/audio.js files as Invalid.

I'm going to resolve this bug. There's literally nothing we can do here.

Jul 19 2017, 6:37 AM · Upstream, TimedMediaHandler, Security
Bawolff created T171025: SQLite - cannot start a transaction inside a transaction from resource loader.
Jul 19 2017, 6:09 AM · MediaWiki-General-or-Unknown, SQLite
Bawolff closed T134863: Reflected XSS in GlobalGroupPermissions as Resolved.

Everything merged and publicly announced.

Jul 19 2017, 5:19 AM · Patch-For-Review, Security-Team, MediaWiki-extensions-CentralAuth, Vuln-XSS, Security-Extensions, Security
Bawolff closed T134931: Security review of GlobalGroupPermissions as Resolved.

Everything done and publicly announced.

Jul 19 2017, 5:18 AM · MW-1.30-release-notes (WMF-deploy-2017-07-25_(1.30.0-wmf.11)), Patch-For-Review, Security, Security-Reviews
Bawolff added a comment to T48843: [SimpleSecurity] Feeds from private namespaces and pages not restricted at all.

Now that I made this public, I don't know if I should change the status of this bug, maybe remove the security tag and have it off the Security workboard? I don't think it should be closed, since it's a valid bug in the MediaWiki-extensions-SimpleSecurity project, but it maybe should not be cluttering up Security - I don't really know.

Jul 19 2017, 5:17 AM · MediaWiki-extensions-SimpleSecurity, Security, Security-Extensions
Bawolff changed the visibility for T134863: Reflected XSS in GlobalGroupPermissions.
Jul 19 2017, 4:37 AM · Patch-For-Review, Security-Team, MediaWiki-extensions-CentralAuth, Vuln-XSS, Security-Extensions, Security
Bawolff changed the visibility for T134931: Security review of GlobalGroupPermissions.
Jul 19 2017, 4:16 AM · MW-1.30-release-notes (WMF-deploy-2017-07-25_(1.30.0-wmf.11)), Patch-For-Review, Security, Security-Reviews