I work on the MediaWiki Security Team.
Fri, May 17
Tue, May 14
Fri, May 10
So I guess this isn't quite ready for a security review given the previous comment, but some thoughts
This is old enough now to no longer be relevant.
Ah, that's confusing. Thanks.
The threat model here is kind of debatable. It's unclear what security goals we are trying to accomplish with the displaytitle restrictions, and thus I'm unsure (unsure in the sense of actually do not know, not unsure in the sense of disagreeing) if further restrictions on it are justified.
Thu, May 9
Wed, May 8
wikititle:/// is supposed to prevent query parameters from being used; however, it could probably be bypassed if they are percent-encoded, due to T96274 (e.g. https://en.wikipedia.org/wiki/Main_Page%3faction=history%26curid=2120 is interpreted by our servers incorrectly).
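As an added illustration of the decode-before-split bug class the comment describes (example code written for this page, not MediaWiki's router or the real wikititle:/// check): a restriction that looks for a literal `?` in the URL accepts the percent-encoded form, while a router that percent-decodes the whole URL before separating path from query then sees `action=history&curid=2120` as real parameters. The `restriction_accepts` function is a stand-in for whatever wikititle:/// actually does, and the example URL is the one from the comment.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# URL from the comment: '?' and '&' are percent-encoded inside the path.
ENCODED_URL = "https://en.wikipedia.org/wiki/Main_Page%3faction=history%26curid=2120"


def restriction_accepts(url: str) -> bool:
    """Stand-in for a wikititle:///-style check that forbids query parameters
    by looking for literal delimiters in the raw URL string (assumption, not
    the real implementation)."""
    return "?" not in url and "&" not in url


def naive_route(url: str) -> tuple[str, dict]:
    """Bug pattern: percent-decode the whole URL, then split path from query.

    The encoded '?' becomes a real delimiter, so the title loses its tail and
    the attacker-chosen parameters are honoured."""
    parts = urlsplit(unquote(url))
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.path, query


def safe_route(url: str) -> tuple[str, dict]:
    """Split path from query on the raw URL first, decode each part afterwards.

    The encoded '?' is decoded inside the path and stays a literal character of
    the title; no query parameters appear."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return unquote(parts.path), query


def bypass_demo(url: str = ENCODED_URL) -> dict:
    """Summarise what the restriction sees versus what each router does."""
    return {
        "restriction_accepts": restriction_accepts(url),
        "naive": naive_route(url),
        "safe": safe_route(url),
    }
```

The check passes, yet `naive_route` yields `action=history` and `curid=2120` as parameters; `safe_route` keeps `Main_Page?action=history&curid=2120` as an odd but harmless title. The fix is therefore in the decoding order of the server-side router, not in making the restriction's string check stricter.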
Tue, May 7
Mon, May 6
I think the main things we want to check:
Thu, May 2
Note security did some minor adjustments to the revdel process on Tuesday but nothing that should cause this.
Mon, Apr 29
My understanding is that the content translation tool is optimized for the use case where the two translations are independent (e.g. between wikis), whereas E:Translate is optimized for the use case of translating documents where one of the languages is controlling (e.g. like software translation). Admittedly I don't follow translation stuff very closely, so I may just be mistaken, but assuming that assumption is correct, may I ask what the rationale is for integrating into ContentTranslation over E:Translate?
Fri, Apr 26
For what you are literally asking for: https://tools.wmflabs.org/guc/
Tue, Apr 23
So I think we've done everything on our end. See my comment above for my comments on the library - please address those things before using vega 3. Let me know if you have any questions.
Mon, Apr 22
Apr 20 2019
https://www.ssllabs.com/ssltest/analyze.html?d=gerrit.wikimedia.org&s=2620%3a0%3a861%3a3%3a208%3a80%3a154%3a85&latest suggests ssl3 is already disabled
Apr 18 2019
Hmm, L and K having a hamming distance of 3 - Could this possibly be a memory error that wasn't detectable by ECC as a 3 bit error?
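As an added illustration of the mechanism behind the question (example code written for this page, not the thread's data or any hardware's actual ECC): a toy SECDED code, an extended Hamming(8,4) over the low nibble of a character, corrects any single-bit flip and detects any double flip, but a three-bit flip can land on a syndrome that looks like a different single-bit error. Real DRAM ECC uses wider codes than this 8-bit toy, so this shows only why a three-bit error can be miscorrected rather than flagged, not what happened on the machine in question. The three flipped positions were chosen so the corrupted nibble is exactly the low nibble of `K`.

```python
"""Toy SECDED (single-error-correct, double-error-detect) code demo."""

PARITY_POSITIONS = (1, 2, 4)   # Hamming(7,4) parity slots
DATA_POSITIONS = (3, 5, 6, 7)  # Hamming(7,4) data slots
OVERALL = 0                    # extra parity bit over the seven Hamming bits


def bit_distance(a: str, b: str) -> int:
    """Hamming distance between the ASCII codes of two characters."""
    return bin(ord(a) ^ ord(b)).count("1")


def low_nibble_bits(ch: str) -> list[int]:
    """Low four bits of a character's ASCII code, most significant first."""
    n = ord(ch) & 0xF
    return [(n >> i) & 1 for i in (3, 2, 1, 0)]


def secded_encode(data: list[int]) -> list[int]:
    """Encode four data bits into an 8-bit SECDED word."""
    code = [0] * 8
    for pos, bit in zip(DATA_POSITIONS, data):
        code[pos] = bit
    for p in PARITY_POSITIONS:
        # each parity bit covers the positions whose index has bit p set
        code[p] = sum(code[i] for i in range(1, 8) if i & p and i != p) % 2
    code[OVERALL] = sum(code[1:]) % 2
    return code


def secded_decode(code: list[int]) -> tuple[list[int], str]:
    """Return (data bits, status) where status is ok/corrected/detected."""
    code = list(code)
    syndrome = 0
    for p in PARITY_POSITIONS:
        if sum(code[i] for i in range(1, 8) if i & p) % 2:
            syndrome |= p
    overall_even = sum(code) % 2 == 0
    if syndrome == 0 and overall_even:
        status = "ok"
    elif syndrome != 0 and not overall_even:
        code[syndrome] ^= 1          # assumed single-bit error at the syndrome
        status = "corrected"
    elif syndrome == 0 and not overall_even:
        code[OVERALL] ^= 1           # only the overall parity bit looks flipped
        status = "corrected"
    else:
        status = "detected"          # non-zero syndrome with even parity: 2 bits
    return [code[i] for i in DATA_POSITIONS], status


def flip(code: list[int], positions: tuple[int, ...]) -> list[int]:
    """Simulate bit flips at the given positions (constructed fault injection)."""
    out = list(code)
    for p in positions:
        out[p] ^= 1
    return out


def l_to_k_demo() -> tuple[list[int], str]:
    """Store the nibble of 'L', flip the three data bits that turn it into 'K'."""
    stored = secded_encode(low_nibble_bits("L"))
    damaged = flip(stored, (5, 6, 7))
    return secded_decode(damaged)
```

`l_to_k_demo()` returns the nibble of `K` with status `corrected`: the decoder "fixes" parity bit 4 and hands back the wrong data without raising an uncorrectable-error event. A single flip at a data position comes back as the original `L` nibble, and two flips are reported as `detected`, which is the SECDED guarantee; three flips are simply outside it.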
Apr 16 2019
There is no formal definition, but in practice, it means anything that is maintained by WMF staff
Apr 9 2019
Apr 8 2019
Screenshot. Note that not a single row of the history page shows up. (Note: My font size may be mildly above normal. Some of us like big letters to help our eyes. Notwithstanding that, I would consider this an unreasonable amount of screen real-estate being taken up).
Just fyi, I would describe half as an underexaggeration. Screenshot incoming
Apr 7 2019
Note, @RhinosF1 is also complaining about this issue in #mediawiki irc about the site https://thelostjewel.com/index.php?title=Special:Log&dir=prev&type=newusers&user=&page=&wpdate=&tagfilter=
Apr 5 2019
Apr 4 2019
Honestly, probably better to use the extension if it still works, uncyclomedia probably doesn't have big enough categories to matter.
Apr 3 2019
Apr 2 2019
Apr 1 2019
(e.g. Checking what percentage of enwiki admins have 2FA enabled).
For reference, the english translation of the error seems to be:
Bad username given Cannot look for contributions without a user or with a user that does not exist.
So reading a bit about client side performance [This is not my area of expertise] - the best thing (all other things being equal) to do is transfer fewer bytes. But that's easier said than done.
Mar 31 2019
"EventFactory.php" line 144 also seems kind of wrong. It's passing the wiki name to self::getDomain, but the docs for self::getDomain indicate that that parameter is a boolean for whether or not the wiki display name is used, not a value to pass the wikiid
I think there might be more than one thing going wrong here, but primarily:
So I think we should do some research into how much different CSS footprints affect performance before actually doing anything, but some initial thoughts on CSS in timeless:
Thank you for your detailed response.
Mar 30 2019
Mar 28 2019
Mar 27 2019
I'm cc'ing @Anomie as I'm not 100% sure, but this sounds very much like a regression from the actor migration.
FWIW, given how much press https://arstechnica.com/information-technology/2018/09/50-million-facebook-accounts-breached-by-an-access-token-harvesting-attack/ has been getting, view-as-other-people features make me nervous.
Mar 26 2019
We're a little worried about the ever expanding size of the security group in phabricator. There are very few visual editor related tasks in Security (You should be able to see them all now). For the moment we would like to just add you to the relevant tasks but not to the security group in general (Please ask if there is ever one you need to see that you can't). Please note this is not about you, we just needed to draw the line somewhere lest the security group become a total slippery slope.
I don't think there's anything to do here.
Mar 25 2019
In regards to API modules, you may want to consider making it similar to the authmanager login module, as during the normal login process people will be prompted for the 2FA stuff, so it will have to work with that flow anyways.
The user should be able to choose between enabled modules and maybe use them in parallel. But this will be put to the end of the project, as it may require some more work.
Mar 22 2019
Mar 21 2019
Mar 20 2019
So this is a bit of a grey area as to whether this change is within the realm of things that a community can request. The foundation may feel it wants a consistent feel to all the projects that it hosts.
FYI, these tests should already be run via CI (as part of composer tests)
Mar 18 2019
Yeah, it's tied pretty heavily to phan 0.8, which in turn is tied to php 7. There's an upcoming goal to move the plugin to a modern version of phan.
Reading https://meta.wikimedia.org/w/api.php?action=help&modules=shortenurl - doesn't seem to require a CSRF token, so I'm not sure that CORS is needed here? (more specifically, you can use the generic origin=* I think).
Mar 15 2019
Mar 13 2019
I'm not sure how to say this without coming off as a dick, so I'm just going to go ahead: Jeroen De Dauw already has 2 failed requests for +2 in mediawiki/core 1 2. Admittedly this was a long time ago, but the last time he did anything non-trivial in MW core was in 2013. I feel like this is sort of a backdoor around previous community consensus.
I think this should be explicitly announced on wikitech-l, and not just buried in a techcom update
Mar 12 2019
Overall: Looks good - Extension passes security review. There are a couple very small things though I would like to see changed.
Mar 8 2019
This sounds like a bad idea. Administrators probably shouldn't normally be able to do that, without someone literally going into MySQL etc.
Mar 7 2019
Ok, I tried to make a more restrictive group called VandalFighters, which I added WMFOffice to (And removed WMFOffice from Administrators). It has the ability to abandon patches, delete patches (Note there is no undo, so be careful with the delete button), mark patches -2, flush caches, and adjust accounts (in particular mark an account "inactive" which is like block).
Done. User is now in Administrator group
Mar 5 2019
Sorry, but we're not going to review this unless there is definite interest in using it in production.