Bawolff (Brian Wolff)
SecurityAdministrator

User Details

User Since
Oct 25 2014, 1:53 AM (302 w, 20 h)
Roles
Administrator
Availability
Available
IRC Nick
Bawolff
LDAP User
Brian Wolff
MediaWiki User
Bawolff [ Global Accounts ]

I work on the MediaWiki Security Team.

Recent Activity

Tue, Jul 14

aborrero awarded T125589: Allow each tool to have its own subdomain for browser sandbox/cookie isolation a Love token.
Tue, Jul 14, 9:12 AM · Security, cloud-services-team (Kanban), Toolforge

Jul 4 2020

Bawolff updated subscribers of T257102: Mediawiki 1.34.2 tarball incompatible with 7zip on windows due to Pax format.
Jul 4 2020, 9:04 AM · MediaWiki-Releasing
Bawolff created T257102: Mediawiki 1.34.2 tarball incompatible with 7zip on windows due to Pax format.
Jul 4 2020, 9:03 AM · MediaWiki-Releasing

May 27 2020

Lens0021 awarded T215713: Missing dependencies in extension snapshots a Like token.
May 27 2020, 11:14 PM · MW-1.34-release, MW-1.33-release, VPS-project-Extdist, MW-1.32-release, ExtensionDistributor

May 25 2020

Bawolff closed T248583: PollNY: Classic CSRF in Special:CreatePoll & Special:UpdatePoll + API module as Resolved.
May 25 2020, 11:35 PM · Social-Tools, PollNY, Security, Security-Team
Bawolff changed the visibility for T248583: PollNY: Classic CSRF in Special:CreatePoll & Special:UpdatePoll + API module.
May 25 2020, 11:35 PM · Social-Tools, PollNY, Security, Security-Team
Bawolff closed T215713: Missing dependencies in extension snapshots as Resolved.

This should be fixed now

May 25 2020, 7:43 PM · MW-1.34-release, MW-1.33-release, VPS-project-Extdist, MW-1.32-release, ExtensionDistributor
Bawolff added a comment to T253586: extensions including semantic-forms via composer are broken and breaking extension distributor.

This might be less of an issue in practice, because except when force rebuilding like I did just now, this code path will only be executed if someone commits to the branch in question.

May 25 2020, 7:32 PM · MediaWiki-extensions-MediaWikiFarm, MediaWiki-extensions-SemanticSignup, MediaWiki-extensions-Page_Forms, VPS-project-Extdist
Bawolff added a project to T253588: extdist is not rotating logs: VPS-project-Extdist.
May 25 2020, 7:26 PM · VPS-project-Extdist
Bawolff created T253588: extdist is not rotating logs.
May 25 2020, 7:26 PM · VPS-project-Extdist
Bawolff added a comment to T253586: extensions including semantic-forms via composer are broken and breaking extension distributor.

At least one of the problematic extensions is SemanticPageSeries and SemanticImageInput

May 25 2020, 7:21 PM · MediaWiki-extensions-MediaWikiFarm, MediaWiki-extensions-SemanticSignup, MediaWiki-extensions-Page_Forms, VPS-project-Extdist
Bawolff created T253586: extensions including semantic-forms via composer are broken and breaking extension distributor.
May 25 2020, 7:02 PM · MediaWiki-extensions-MediaWikiFarm, MediaWiki-extensions-SemanticSignup, MediaWiki-extensions-Page_Forms, VPS-project-Extdist
Bawolff added a comment to T215713: Missing dependencies in extension snapshots.

New issue:

May 25 2020, 6:37 PM · MW-1.34-release, MW-1.33-release, VPS-project-Extdist, MW-1.32-release, ExtensionDistributor
Bawolff added a comment to T221887: Ignore css in displaytitle when $wgRestrictDisplayTitle is enabled.

Things like Kalai's 3<span style="position: absolute; top: -9999px;">^</span><sup><i>d</i></sup> conjecture are really interesting though, as that's kind of what this task specifically wants to prevent.

May 25 2020, 6:01 PM · Security-Team, User-notice, Patch-For-Review, MediaWiki-Parser
Bawolff added a comment to T221887: Ignore css in displaytitle when $wgRestrictDisplayTitle is enabled.

Everyone talks about user-space, but some mainspace examples:

<span class="texhtml mvar" style="font-style:italic;">e</span> (mathematical constant)
<span class="texhtml mvar" style="font-style:italic;">p</span>-group
<span class="texhtml mvar" style="font-style:italic;">σ</span>-algebra
<i>Pseudotsuga menziesii <span style="font-style:normal;">var.</span> glauca</i>
<span lang="mi" style="font-style:normal;" title="Māori language text">Paikea</span>
<span class="texhtml mvar" style="font-style:italic;">e</span> (number)
<span style="text-decoration:overline;">SOS</span>
<i>Lactobacillus delbrueckii <span style="font-style:normal;">subsp.</span> bulgaricus</i>
Proof that <span class="texhtml mvar" style="font-style:italic;">e</span> is irrational
Proof that 22/7 exceeds <span class="texhtml mvar" style="font-style:italic;">π</span>
<span class="texhtml mvar" style="font-style:italic;">π</span>-calculus
List of topics related to <span class="texhtml mvar" style="font-style:italic;">π</span>
<i>Ulmus minor <span style="font-style:normal;">subsp.</span> minor</i>
<i>Sidalcea oregana <span style="font-style:normal;">var.</span> calva</i>
<span lang="gd" style="font-style:normal;" title="Scottish Gaelic language text">Bòrd na Gàidhlig</span>
<i>Capsicum annuum <span style="font-style:normal;">var.</span> glabriusculum</i>
Leibniz formula for <span class="texhtml mvar" style="font-style:italic;">π</span>
<i>Argyroxiphium sandwicense <span style="font-style:normal;">subsp.</span> macrocephalum</i>
<span class="texhtml mvar" style="font-style:italic;">x̅</span> and R chart
<i>S<span style="position:relative"><sup>m</sup><sub style="position:absolute; left:0; bottom:0">n</sub></span></i> theorem
<span lang="gd" style="font-style:normal;" title="Scottish Gaelic language text">Corrachadh Mòr</span>
<span class="texhtml mvar" style="font-style:italic;">e</span> (constant)
ISO-8859-8-<span style="font-family: &#39;Georgia Pro&#39;, Georgia, &#39;DejaVu Serif&#39;, Times, &#39;Times New Roman&#39;, serif;">I</span>
<i>Acacia ramulosa <span style="font-style:normal;">var.</span> linophylla</i>
<span style="font-family:Cambria">Ƙ</span>
List of newspapers that reprinted <i>Jyllands-Posten</i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>s Muhammad cartoons
<i>Rolling Stone</i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>s 500 Greatest Albums of All Time
<i>Rolling Stone</i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>s 500 Greatest Songs of All Time
Chronology of computation of <span class="texhtml mvar" style="font-style:italic;">π</span>
Approximations of <span class="texhtml mvar" style="font-style:italic;">π</span>
<span class="texhtml mvar" style="font-style:italic;">n</span>-ary
List of formulae involving <span class="texhtml mvar" style="font-style:italic;">π</span>
<i>Ulmus davidiana <span style="font-style:normal;">var.</span> japonica</i>
<i>Ulmus</i> 'Nanguen' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Lutece</span>
<i>Paeonia daurica <span style="font-style:normal;">subsp.</span> mlokosewitschii</i>
<i>TV Guide</i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>s 50 Greatest TV Shows of All Time
<i>Correa reflexa <span style="font-style:normal;">var.</span> speciosa</i>
<i>Ulmus</i> 'Wanoux' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Vada</span>
<i>Ampelopsis glandulosa <span style="font-style:normal;">var.</span> brevipedunculata</i>
<i>Ulmus</i> 'Morton' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Accolade</span>
<i>Ulmus</i> 'Morton Glossy' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Triumph</span>
<i>Ulmus</i> 'Morton Plainsman' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Vanguard</span>
<i>Ulmus</i> 'Morton Red Tip' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Danada Charm</span>
<i>Ulmus</i> 'Morton Stalwart' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Commendation</span>
<i>Banksia integrifolia <span style="font-style:normal;">subsp.</span> integrifolia</i>
<i>Banksia integrifolia <span style="font-style:normal;">subsp.</span> compar</i>
<i>Banksia integrifolia <span style="font-style:normal;">subsp.</span> monticola</i>
<i>Ulmus minor <span style="font-style:normal;">subsp.</span> canescens</i>
<i>Capparis spinosa <span style="font-style:normal;">subsp.</span> nummularia</i>
<i>Ulmus parvifolia</i> 'UPMTF' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Bosque</span>
<i>Ulmus parvifolia</i> 'Emer II' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Allee</span>
<i>Ulmus parvifolia</i> 'A. Ross Central Park' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Central Park Splendor</span>
<i>Ulmus parvifolia</i> 'Zettler' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Heritage</span>
<i>Ulmus davidiana</i> var. <i>japonica</i> 'JFS-Bieberich' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Emerald Sunshine</span>
<i>Ulmus laevis <span style="font-style:normal;">var.</span> celtidea</i>
<i>Eriogonum longifolium <span style="font-style:normal;">var.</span> harperi</i>
<i>Anadenanthera peregrina <span style="font-style:normal;">var.</span> falcata</i>
<i>Anadenanthera colubrina <span style="font-style:normal;">var.</span> cebil</i>
<i>Ulmus laciniata <span style="font-style:normal;">var.</span> nikkoensis</i>
<i>Ulmus americana <span style="font-style:normal;">var.</span> floridana</i>
<i>Ulmus bergmanniana <span style="font-style:normal;">var.</span> bergmanniana</i>
<i>Ulmus bergmanniana <span style="font-style:normal;">var.</span> lasiophylla</i>
<i>Ulmus changii <span style="font-style:normal;">var.</span> changii</i>
<i>Ulmus changii <span style="font-style:normal;">var.</span> kunmingensis</i>
<i>Ulmus glaucescens <span style="font-style:normal;">var.</span> glaucescens</i>
<i>Ulmus glaucescens <span style="font-style:normal;">var.</span> lasiocarpa</i>
<i>Ulmus macrocarpa <span style="font-style:normal;">var.</span> glabra</i>
<i>Ulmus macrocarpa <span style="font-style:normal;">var.</span> macrocarpa</i>
<i>Ulmus davidiana <span style="font-style:normal;">var.</span> davidiana</i>
<i>Ulmus parvifolia <span style="font-style:normal;">var.</span> coreana</i>
<i>Coincya monensis <span style="font-style:normal;">subsp.</span> monensis</i>
<i>Coincya monensis <span style="font-style:normal;">subsp.</span> recurvata</i>
<i>Muehlenbeckia horrida <span style="font-style:normal;">subsp.</span> abdita</i>
<i>Parapuzosia <span style="font-style:normal;">(</span>Austiniceras<span style="font-style:normal;">)</span></i>
<i>Puzosia <span style="font-style:normal;">(</span>Bhimaites<span style="font-style:normal;">)</span></i>
<i>Banksia armata <span style="font-style:normal;">var.</span> armata</i>
<i>Banksia armata <span style="font-style:normal;">var.</span> ignicida</i>
<i>Olea europaea <span style="font-style:normal;">subsp.</span> cuspidata</i>
<i>Ulmus laevis <span style="font-style:normal;">var.</span> simplicidens</i>
<i>Yucca gloriosa <span style="font-style:normal;">var.</span> tristis</i>
<i>Lilium pardalinum <span style="font-style:normal;">subsp.</span> pitkinense</i>
<i>Lupinus latifolius <span style="font-style:normal;">var.</span> barbatus</i>
<i>Vachellia nilotica <span style="font-style:normal;">subsp.</span> adstringens</i>
<i>Acacia ayersiana <span style="font-style:normal;">var.</span> latifolia</i>
<i>Vachellia nilotica <span style="font-style:normal;">subsp.</span> cupressiformis</i>
<i>Vachellia nilotica <span style="font-style:normal;">subsp.</span> hemispherica</i>
<i>Vachellia nilotica <span style="font-style:normal;">subsp.</span> indica</i>
<i>Vachellia nilotica <span style="font-style:normal;">subsp.</span> kraussiana</i>
<i>Vachellia nilotica <span style="font-style:normal;">subsp.</span> nilotica</i>
<i>Vachellia nilotica <span style="font-style:normal;">subsp.</span> subalata</i>
<i>Vachellia nilotica <span style="font-style:normal;">subsp.</span> tomentosa</i>
<i>Acacia aneura <span style="font-style:normal;">var.</span> aneura</i>
<i>Acacia aneura <span style="font-style:normal;">var.</span> argentea</i>
<i>Acacia aneura <span style="font-style:normal;">var.</span> fuliginea</i>
<i>Acacia aneura <span style="font-style:normal;">var.</span> intermedia</i>
<i>Acacia aneura <span style="font-style:normal;">var.</span> macrocarpa</i>
<i>Acacia aneura <span style="font-style:normal;">var.</span> major</i>
<i>Acacia aneura <span style="font-style:normal;">var.</span> microcarpa</i>
<i>Acacia aneura <span style="font-style:normal;">var.</span> pilbarana</i>
<i>Acacia aneura <span style="font-style:normal;">var.</span> tenuis</i>
<i>Anadenanthera peregrina <span style="font-style:normal;">var.</span> peregrina</i>
<i>Acacia coriacea <span style="font-style:normal;">subsp.</span> coriacea</i>
<i>Acacia coriacea <span style="font-style:normal;">subsp.</span> pendens</i>
<i>Acacia coriacea <span style="font-style:normal;">subsp.</span> sericophylla</i>
<i>Acaciella angustissima <span style="font-style:normal;">var.</span> suffrutescens</i>
<i>Acacia acuminata <span style="font-style:normal;">subsp.</span> acuminata</i>
<i>Vachellia aroma <span style="font-style:normal;">var.</span> aroma</i>
<i>Vachellia aroma <span style="font-style:normal;">var.</span> huarango</i>
<i>Vachellia caven <span style="font-style:normal;">var.</span> caven</i>
<i>Vachellia caven <span style="font-style:normal;">var.</span> dehiscens</i>
<i>Vachellia caven <span style="font-style:normal;">var.</span> microcarpa</i>
<i>Vachellia caven <span style="font-style:normal;">var.</span> stenocarpa</i>
<i>Senegalia polyacantha <span style="font-style:normal;">subsp.</span> campylacantha</i>
List of <i>Footballers<span class="nowrap" style="padding-left:0.1em;">&#39;</span> Wives</i> characters
<i>Banksia laevigata <span style="font-style:normal;">subsp.</span> laevigata</i>
<i>Gaeumannomyces graminis <span style="font-style:normal;">var.</span> avenae</i>
<i>Gaeumannomyces graminis <span style="font-style:normal;">var.</span> graminis</i>
<i>Nectria mammoidea <span style="font-style:normal;">var.</span> rubi</i>
List of <i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>Til Death</i> episodes
<i>Rhododendron minus <span style="font-style:normal;">var.</span> chapmanii</i>
<i>Diaporthe phaseolorum <span style="font-style:normal;">var.</span> phaseolorum</i>
<i>Anadenanthera colubrina <span style="font-style:normal;">var.</span> colubrina</i>
<i>Ulmus wallichiana <span style="font-style:normal;">subsp.</span> xanthoderma</i>
<i>Ulmus wallichiana <span style="font-style:normal;">subsp.</span> wallichiana</i>
<i>Ulmus wallichiana <span style="font-style:normal;">var.</span> tomentosa</i>
<i>Uromyces lineolatus <span style="font-style:normal;">subsp.</span> nearcticus</i>
<i>Uromyces trifolii-repentis <span style="font-style:normal;">var.</span> fallens</i>
<i>Uromyces viciae-fabae <span style="font-style:normal;">var.</span> viciae-fabae</i>
<i>Pythium ultimum <span style="font-style:normal;">var.</span> ultimum</i>
<i>Podosphaera clandestina <span style="font-style:normal;">var.</span> clandestina</i>
<i>Time</i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>s All-Time 100 Movies
<i>Geotrichum candidum <span style="font-style:normal;">var.</span> citri-aurantii</i>
List of representations of <span class="texhtml mvar" style="font-style:italic;">e</span>
<i>Banksia spinulosa <span style="font-style:normal;">var.</span> collina</i>
<i>Puccinia extensicola <span style="font-style:normal;">var.</span> hieraciata</i>
<i>Diaporthe phaseolorum <span style="font-style:normal;">var.</span> caulivora</i>
<i>Diaporthe phaseolorum <span style="font-style:normal;">var.</span> sojae</i>
<i>Puccinia substriata <span style="font-style:normal;">var.</span> indica</i>
<i>Uromyces proeminens <span style="font-style:normal;">var.</span> poinsettiae</i>
2<span class="texhtml mvar" style="font-style:italic;">π</span> theorem
<i>Mentha longifolia <span style="font-style:normal;">var.</span> asiatica</i>
<i>Ulmus parvifolia</i> 'BSNUPF' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Everclear</span>
<i>Zapoteca portoricensis <span style="font-style:normal;">subsp.</span> portoricensis</i>
Proof that <span class="texhtml mvar" style="font-style:italic;">π</span> is irrational
<i>Ficus popenoei <span style="font-style:normal;">subsp.</span> malacocarpa</i>
<i>Sambucus racemosa <span style="font-style:normal;">subsp.</span> racemosa</i>
<i>Conospermum stoechadis <span style="font-style:normal;">subsp.</span> sclerophyllum</i>
<i>Epipactis helleborine <span style="font-style:normal;">var.</span> youngiana</i>
<i>Banksia spinulosa <span style="font-style:normal;">var.</span> spinulosa</i>
<i>Banksia spinulosa <span style="font-style:normal;">var.</span> cunninghamii</i>
<span class="texhtml mvar" style="font-style:italic;">x̅</span> and s chart
10<span style="position:absolute; top: -9999px">^</span><sup>16</sup> to 1
Liu Hui's <span class="texhtml mvar" style="font-style:italic;">π</span> algorithm
<i>Portland</i><span style="position:absolute; top: -9999px"> (shipwreck)</span>
CSS <i>Alabama</i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>s New England Expeditionary Raid
CSS <i>Alabama</i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>s Gulf of Mexico Expeditionary Raid
CSS <i>Alabama</i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>s South Atlantic Expeditionary Raid
CSS <i>Alabama</i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>s South African Expeditionary Raid
CSS <i>Alabama</i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>s Indian Ocean Expeditionary Raid
CSS <i>Alabama</i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>s South Pacific Expeditionary Raid
<span class="texhtml mvar" style="font-style:italic;">n</span>-body problem
I am the <span style="font-variant:small-caps">Lord</span> thy God
&#928;<sup>0</sup><sub><span style="margin-left:-0.5em">1</span></sub> class
<i>Le Monde</i><span class="nowrap" style="padding-left:0.1em;">&#39;s</span> 100 Books of the Century
<span class="music-symbol" style="font-family: Arial Unicode MS, Lucida Sans Unicode;"><span class="music-flat">&#x266d;</span></span>VII–V<sup>7</sup> cadence
<i>Buddleja crispa</i> 'Huimoon' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Moon Dance</span>
<i>Buddleja davidii</i> 'Adokeep' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Adonis Blue</span>
<i>Buddleja davidii</i> 'Camkeep' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Camberwell Beauty</span>
<i>Buddleja</i> 'Minpap' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Reve de Papillon</span>
<i>Buddleja davidii</i> 'Buddma' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Moonshine</span>
<i>Buddleja davidii</i> 'Mongo' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Nanho Blue</span>
<i>Buddleja davidii</i> 'Monum' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Nanho Purple</span>
<i>Buddleja davidii</i> 'Monite' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Nanho White</span>
<i>Buddleja davidii</i> 'Notbud' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Masquerade</span>
<i>Buddleja davidii</i> 'Courtabud' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Operette</span>
<i>Buddleja davidii</i> 'Peakeep' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Peacock</span>
<i>Buddleja davidii</i> 'Pyrkeep'  = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Purple Emperor</span>
<i>Buddleja davidii</i> 'Thia' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Santana</span>
<i>Buddleja</i> 'Monrell' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Strawberry Lemonade</span>
<i>Buddleja davidii</i> 'Grefoj' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Fourth of July</span>
<i>Buddleja</i> 'Podaras4' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Flutterby Grande Blueberry Cobbler</span>
<i>Buddleja</i> 'Podaras5' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Flutterby Grande Peach Cobbler</span>
<i>Buddleja</i> 'Podaras2' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Flutterby Grande Sweet Marmalade</span>
<i>Buddleja</i> 'Podaras3' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Flutterby Grande Tangerine Dream</span>
<i>Buddleja</i> 'Podaras1' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Flutterby Grande Vanilla</span>
<i>Buddleja</i> 'Podaras8' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Flutterby Petite Blue Heaven</span>
<i>Buddleja</i> 'Podaras16' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Flutterby Petite Pink</span>
<i>Buddleja</i> 'Podaras15' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Flutterby Petite Snow White</span>
<i>Buddleja</i> 'Podaras13' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Flutterby Petite Tutti Fruitti Pink</span>
<i>Buddleja</i> 'Lonplum' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Sugar Plum</span>
<i>Buddleja</i> 'Morning Mist' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Silver Anniversary</span>
<i>Buddleja</i> 'Podaras12' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Flutterby Flow Lavender</span>
<i>Buddleja</i> 'Podaras10' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Flutterby Petite Dark Pink</span>
<i>Buddleja</i> 'Podaras14' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Flutterby Petite Fuchsia</span>
<i>Buddleja</i> 'Podaras11' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Flutterby Lavender</span>
<i>Buddleja</i> 'Podaras7' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Flutterby Flow Mauve Pink</span>
<i>Buddleja</i> 'Podaras6' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Flutterby Peace</span>
<i>Buddleja</i> 'Podaras9' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Flutterby Pink</span>
<span class="smallcaps"><span style="font-variant: small-caps; text-transform: lowercase;">L</span></span>-Norpseudoephedrine
<i>Buddleja</i> 'ILVOargus2' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Argus Velvet</span>
<i>Buddleja</i> 'ILVOargus1' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Argus White</span>
<span style="text-transform:lowercase;">london2012.com</span>
<span style="text-transform:lowercase;">of</span><span> Verona</span>
<i>Buddleja</i> 'Minpap3' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Reve de Papillon Blue</span>
<i>Buddleja</i> 'Minpap2' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Reve de Papillon White</span>
<i>Buddleja davidii</i> 'Tobuivo' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Buzz Ivory</span>
<i>Buddleja davidii</i> 'Tobudpipur' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Buzz Magenta</span>
<i>Buddleja davidii</i> 'Tobudviole' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Buzz Lavender</span>
<i>Buddleja davidii</i> 'Tobuskyblu' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Buzz Sky Blue</span>
<i>NME</i><span class="nowrap" style="padding-left:0.1em;">&#39;s</span> Cool List
<i>Buddleja</i> 'Hinebud 3' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Angel White</span>
<i>Buddleja</i> 'Hinebud 1' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Lavender Veil</span>
<i>Buddleja</i> 'Hinebud 2' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Purple Splendor</span>
Kalai's 3<span style="position: absolute; top: -9999px;">^</span><sup><i>d</i></sup> conjecture
<i>Buddleja davidii</i> 'SMBDPB' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Merry Magic Orchid</span>
<i>Buddleja davidii</i> 'SMBDPL' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Merry Magic Purple</span>
<i>Buddleja davidii</i> 'SMBDVL' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Merry Magic Violet</span>
<i>Buddleja davidii</i> 'Harkstead Indigo' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Buzz Indigo</span>
<i>Buddleja davidii</i> 'Tobudvelve' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Buzz Red</span>
<i>Buddleja davidii</i> 'PIIBD-II' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Funky Fuchsia</span>
<i>Buddleja davidii</i> 'PIIBD-I' = <span class="trade_designation" style="font-variant:small-caps; margin-left: 0.05em;">Groovy Grape</span>
2-Amino-5-formylamino-6-(5-phospho-<span class="smallcaps"><span style="font-variant: small-caps; text-transform: lowercase;">D</span></span>-ribosylamino)pyrimidin-4(3<i>H</i>)-one
Zhao Youqin's <span class="texhtml mvar" style="font-style:italic;">π</span> algorithm
<span class="texhtml mvar" style="font-style:italic;">x̄</span> and R chart
<i>NME</i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>s The 500 Greatest Albums of All Time
<span class="smallcaps"><span style="font-variant: small-caps; text-transform: lowercase;">L</span></span>-Photo-leucine
<i>The Guardian</i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>s 100 Best Novels Written in English
<i>FHM</i><span class="nowrap" style="padding-left:0.1em;">&#39;s</span> 100 Sexiest Women (UK)
List of <i>Brunch at Bobby<span class="nowrap" style="padding-left:0.1em;">&#39;</span>s</i> episodes
<i>Rolling Stone</i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>s 100 Greatest Songwriters of All Time
<i>Radio Times</i><span class="nowrap" style="padding-left:0.1em;">&#39;s</span> Most Powerful People
<i>Cahiers du cinéma</i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>s Annual Top 10 Lists
<i>Rosa</i> <q style="quotes: &quot;&#39;&quot; &quot;&#39;&quot;;">Graham Thomas</q>
<i>Rolling Stone Argentina</i><span class="nowrap" style="padding-left:0.1em;">&#39;</span>s The 100 Greatest Albums of National Rock
May 25 2020, 5:33 PM · Security-Team, User-notice, Patch-For-Review, MediaWiki-Parser

May 24 2020

Bawolff added a comment to T215713: Missing dependencies in extension snapshots.

Appears there are two issues:

May 24 2020, 10:10 PM · MW-1.34-release, MW-1.33-release, VPS-project-Extdist, MW-1.32-release, ExtensionDistributor

May 23 2020

Bawolff added a comment to T248583: PollNY: Classic CSRF in Special:CreatePoll & Special:UpdatePoll + API module.

Looks like you are adding an edit token to the forms, and then checking it when processing it, so this should fix the issue.

May 23 2020, 11:04 PM · Social-Tools, PollNY, Security, Security-Team

May 15 2020

Bawolff added a comment to T252853: updateSearchIndex.php sql error not all tables locked.

Also, why exactly was this reported in Phabricator, in addition to https://www.mediawiki.org/wiki/Topic:Vbps68wp2h51ifg6 ?

May 15 2020, 3:46 PM · MediaWiki-Maintenance-system
Bawolff updated the task description for T252853: updateSearchIndex.php sql error not all tables locked.
May 15 2020, 3:42 PM · MediaWiki-Maintenance-system
Bawolff renamed T252853: updateSearchIndex.php sql error not all tables locked from updateSearchIndex.php to updateSearchIndex.php sql error not all tables locked.
May 15 2020, 3:39 PM · MediaWiki-Maintenance-system
Bawolff awarded T252811: Requesting +2 rights for Mediawiki Group for DannyS712 a Like token.
May 15 2020, 12:36 AM · User-DannyS712, MediaWiki-Gerrit-Group-Requests

May 9 2020

Bawolff added a comment to T248440: Extract CSV file from Wikipedia/Commons/MediaWiki Special pages.

For reference, if you wanted to build this into mediawiki, these sort of things are implemented as subclasses of ApiFormatterBase: https://doc.wikimedia.org/mediawiki-core/master/php/classApiFormatBase.html

May 9 2020, 7:21 PM · Wikimedia-Hackathon-2020, MediaWiki-Special-pages
Bawolff added a comment to T248440: Extract CSV file from Wikipedia/Commons/MediaWiki Special pages.

You can click on the links at https://www.mediawiki.org/w/api.php?action=help&modules=query for examples for different types of queries. As an example, here is a list of my contribs: https://www.mediawiki.org/w/api.php?action=query&list=usercontribs&ucuser=Bawolff&format=json&formatversion=2

May 9 2020, 7:01 PM · Wikimedia-Hackathon-2020, MediaWiki-Special-pages
Bawolff added a comment to T252291: RFC: Establish a list of gray/grim Wikimedia sites.

Imo, this proposal is inappropriate to a hackathon/phabricator. It's very literally an extremely contentious community social issue and should be discussed through normal community processes on meta

May 9 2020, 6:26 PM · Community-consensus-needed, Wikimedia-Hackathon-2020
Bawolff added a comment to T248440: Extract CSV file from Wikipedia/Commons/MediaWiki Special pages.

These pages all have json downloads (via api) so I guess is this asking to add csv as an output format for the api?

May 9 2020, 6:20 PM · Wikimedia-Hackathon-2020, MediaWiki-Special-pages

Apr 7 2020

Bawolff added a comment to T249486: Change Content Security Policy on betacommons to allow api.flickr.com.

CSP is still being tested. It's enforced on beta for testing purposes, in prod it only gives warning on browser developer console

Apr 7 2020, 12:08 AM · Security-Team, ContentSecurityPolicy, Wikimedia-Site-requests, Beta-Cluster-Infrastructure

Apr 6 2020

Bawolff added a comment to T249486: Change Content Security Policy on betacommons to allow api.flickr.com.

Note, the flickr thing is part of the uploadwizard extension, not a gadget or anything like that. Most of the other things like that had builtin exceptions, at least in the short term (in the spirit of stabilizing the status quo before changing things)

Apr 6 2020, 4:00 PM · Security-Team, ContentSecurityPolicy, Wikimedia-Site-requests, Beta-Cluster-Infrastructure
Bawolff added a comment to T249513: CSP report-uri is deprecated.

Fwiw, deprecated or not all browsers seem to support it and no browser seems to have plans to remove it

Apr 6 2020, 3:38 PM · Technical-Debt, Security, ContentSecurityPolicy, Front-end-Standards-Group, Security-Team, WorkType-NewFunctionality, MediaWiki-General

Apr 5 2020

Bawolff added a comment to T208188: RFC: Partial opt-out method for Content security policy.

In context of the RFC process, the question is whether the proposed technical solution is satisfactory and feasible in the context of current and anticipated future requirements. The problem seems to be that such requirements are unclear, since there is no clarity on what would be acceptable or desirable behavior from the user's perspective, in the short and medium term.

Apr 5 2020, 6:53 PM · Privacy Engineering, Security, Platform Team Workboards (Clinic Duty Team), Patch-For-Review, ContentSecurityPolicy, TechCom-RFC, TechCom, Security-Team

Apr 4 2020

Bawolff added a comment to T208188: RFC: Partial opt-out method for Content security policy.

Please note, my contract with WMF ended, so I'm not really working on this anymore. The security team will presumably be detailing what the future plans are here. However, I wanted to mention what my thoughts were on this subject at the time when I left.

Apr 4 2020, 8:52 PM · Privacy Engineering, Security, Platform Team Workboards (Clinic Duty Team), Patch-For-Review, ContentSecurityPolicy, TechCom-RFC, TechCom, Security-Team
Bawolff added a comment to T249419: RFC: Render data visualizations on the server.

I think the most complex (and underspecified) aspect here, is data invalidation. Which to be fair, the current solution handles by basically pretending it's not a problem. However, graphs can include all sorts of additional resources. These resources aren't even recorded, and there is no cache invalidation when they change. What we do here is probably going to depend a lot on if we continue to pretend this problem doesn't exist, or try to address it.

Apr 4 2020, 8:28 PM · covid-19, TechCom-RFC
Bawolff awarded T249419: RFC: Render data visualizations on the server a Love token.
Apr 4 2020, 7:26 PM · covid-19, TechCom-RFC

Mar 30 2020

Bawolff added a comment to T248849: [Sofa] [[MediaWiki:Sofa-desc/qqq]] translation issue.

There is no phab project for Sofa (nor do I think it really makes sense to create one for my hack side project that doesn't even work yet)

Mar 30 2020, 2:17 PM · MediaWiki-extensions-Other, I18n
Bawolff added a comment to T248849: [Sofa] [[MediaWiki:Sofa-desc/qqq]] translation issue.

For reference, it's an experimental idea of making an extension similar to DPL/SMW/Cargo (e.g. User defined query capabilities to generate reports), but have the data model be more like CouchDB.

Mar 30 2020, 1:23 PM · MediaWiki-extensions-Other, I18n
Bawolff added a comment to T248849: [Sofa] [[MediaWiki:Sofa-desc/qqq]] translation issue.

I responded on the ticket, but honestly, I would suggest disabling translations for it, until some future time where the extension actually does something. I'm not actively working on it at the moment, so it may be a while (if ever) that it becomes a usable extension.

Mar 30 2020, 1:21 PM · MediaWiki-extensions-Other, I18n
Bawolff added a comment to T248849: [Sofa] [[MediaWiki:Sofa-desc/qqq]] translation issue.

Note, this is like a half-done crazy extension idea. There's probably not much point in translating it at this stage.

Mar 30 2020, 1:14 PM · MediaWiki-extensions-Other, I18n

Mar 29 2020

Bawolff created T248809: review i18n message config-sqlite-parent-unwritable-group in installer.
Mar 29 2020, 11:47 PM · MediaWiki-Installer
Bawolff added a comment to T248808: Add CSP policy to installer.

The policy I'm thinking of: default-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; script-src 'self' 'nonce-VnNsWAXz4PjrGZ0kPP5hGvDa'; img-src 'self' data: i.creativecommons.org licensebuttons.net; frame-src creativecommons.org 'self'; base-uri 'none'

Mar 29 2020, 11:40 PM · Patch-For-Review, ContentSecurityPolicy
Bawolff created T248808: Add CSP policy to installer.
Mar 29 2020, 11:34 PM · Patch-For-Review, ContentSecurityPolicy
Bawolff created T248807: MW installer suggests default return email address of apache@🌻.invalid which seems like a bad suggestion.
Mar 29 2020, 11:26 PM · MediaWiki-Installer
Bawolff added a comment to T248783: graphoid output looks blurry.

No, I think there should be no poor-image in the end at all but a "true" graph (ie interactive, tooltipable, etc).

Mar 29 2020, 4:19 PM · MediaWiki-extensions-Graph, Graphoid
Bawolff added a comment to T236892: Communicate transition of Graph/Graphoid to client-side only JavaScript feature.

I think we'll need someone with better analytics skills than I have to help look at this, but I've been going over the data in the task link above. As stated there, only about 10 wikis are using most of the graphoid service. The largest that will be impacted, enwiki, is interesting. During the two-week measured frame it got the most hits for graphoid at over 21k requests. However, as @dr0ptp4kt found in T211881#5065149...

There's a grand total of 182 pages bearing <graph> in the source according to that primitive search query (that includes a low level of non-executing documentation).
113 are in User namespace. 39 of those invocations are in Article namespace. 8 are in Wikipedia namespace. 5 of them are in Template namespace; 4 of those 5 templates have just one article associated with them bearing the <graph> tag. The other 17 other usages of the tag are scattered about.

The most important offender likely being https://en.wikipedia.org/wiki/Template:Graph:Street_map_with_marks, which is used in nearly 1.2k articles.

I imagine the situation is like this for the other ten wikis. It'd be very helpful in messaging to know if indeed there are a few templates that are widely propagating <graph>, and if they can be updated or otherwise alerted to this change. It'd be helpful to be more targeted here in the communications so as to not avoid an unnecessary panic when the impact might be small.

Mar 29 2020, 4:11 PM · affects-Kiwix-and-openZIM, CommRel-Specialists-Support (Apr-Jun-2020)
Bawolff added a comment to T243462: Archive the FormPreloadPostCache extension.

Considering @tstarling is a WMF developer, archiving this extension probably should wait until he gives the go-ahead.

Mar 29 2020, 2:04 PM · User-Zoranzoki21, translatewiki.net, MediaWiki-extensions-Other, Wikimedia-GitHub, Repository-Admins, Projects-Cleanup
Bawolff created T248783: graphoid output looks blurry.
Mar 29 2020, 12:40 PM · MediaWiki-extensions-Graph, Graphoid

Mar 28 2020

Bawolff added a comment to T248707: Improve the functionality of maps on COVID 19 Wikipedia articles to better describe the spread.

@Aklapper thanks, I'm sorry if the summary is incorrect, the bullet points are the things that are needed, please feel free to change the summary. I don't know who could answer T248707#6007650 and T248707#6007601 , me and James can't, who could we ask?

Mar 28 2020, 9:55 PM · Design, covid-19
Bawolff added a comment to T248707: Improve the functionality of maps on COVID 19 Wikipedia articles to better describe the spread.

With the exception of the gear thing, it's not obvious to me that any of this is not already possible (taking this from the point of view that it's a feature request for graph extension, and not a support request. However from context I think it's pretty clear it's primarily the latter.)

Mar 28 2020, 7:21 PM · Design, covid-19
Bawolff added a comment to T243933: MediaWiki 1.34.0 could not be updated with wikimedia/css-sanitizer: 2.0.1.

So this bug should either be merged into T219832 or maybe marked invalid.

Mar 28 2020, 12:16 PM · MediaWiki-General
Bawolff added a comment to T243933: MediaWiki 1.34.0 could not be updated with wikimedia/css-sanitizer: 2.0.1.

Steps to Reproduce: 
composer require wikimedia/css-sanitizer

Mar 28 2020, 12:11 PM · MediaWiki-General

Mar 26 2020

Bawolff added a comment to T247406: Proposal: InstantCommons improvements.

@Arlolra, are there any caveats here?

T153080 moved the imageinfo requests from the token stream to a post-processing pass. In Parsoid/JS, the network requests got batched there. However, in Parsoid/PHP, it looks like the calls to getDataAccess()->getFileInfo happen in a loop. I'm not sure if passing an array of all the titles we need would result in batched database lookup, but it at least seems helpful for fetching from commons.

Mar 26 2020, 2:55 PM · Google-Summer-of-Code (2020)
Bawolff added a comment to T247733: Very minor XSS in mobile page content service.

Just a side note: I believe escaping the content can solve the security problem but it doesn't look like it has the desired behavior:

We probably need a sanitization library here.

Mar 26 2020, 6:30 AM · Product-Infrastructure-Team-Backlog (Kanban), Vuln-XSS, Page Content Service, Security, Security-Team
Bawolff added a comment to T248294: Separate permission for creating a page with a custom content model.

As an additional use case I literally just ran into - You can only test templatestyles in your user-space (sanitized-css content model) on enwiki if you're an admin, which is a giant pain.

Mar 26 2020, 6:26 AM · Editing-team, Security-Team, MediaWiki-User-management, User-DannyS712
Bawolff awarded T248294: Separate permission for creating a page with a custom content model a Love token.
Mar 26 2020, 6:25 AM · Editing-team, Security-Team, MediaWiki-User-management, User-DannyS712

Mar 24 2020

Bawolff added a comment to T26575: Purge Category and File description pages from HTTP/File cache when members/usage changes via LinkUpdate.

So right now, we're already updating page_touched for these pages, just not clearing them in varnish.

Mar 24 2020, 10:56 PM · Patch-For-Review, Platform Engineering (Icebox), MediaWiki-Cache, MediaWiki-Page-editing
Bawolff awarded T26575: Purge Category and File description pages from HTTP/File cache when members/usage changes via LinkUpdate a Burninate token.
Mar 24 2020, 10:18 PM · Patch-For-Review, Platform Engineering (Icebox), MediaWiki-Cache, MediaWiki-Page-editing

Mar 23 2020

Bawolff closed T246619: MWException not formatted prettily (unlike Exception) class as Resolved.
Mar 23 2020, 8:01 AM · MW-1.35-notes (1.35.0-wmf.25; 2020-03-24), MediaWiki-General
Bawolff added a comment to T244124: Make CSP enforce on beta cluster.

Ok, one additional report in the logs of m.wikidata.beta.wmflabs.org being blocked.

Mar 23 2020, 3:10 AM · Wikimedia-Site-requests, ContentSecurityPolicy
Bawolff added a comment to T248130: Add CSP header to techblog.wikimedia.org to block 3rd party assets.

If you wanted to, you could probably use the prod collector if you want (It just logs to logstash)

Mar 23 2020, 12:29 AM · User-bd808, ContentSecurityPolicy, Technical blog
Bawolff moved T215115: Inline styles for patch-coverage HTML artefact blocked by CSP on integration.wikimedia.org from Backlog to misc services on the ContentSecurityPolicy board.
Mar 23 2020, 12:27 AM · Developer Productivity, ContentSecurityPolicy, Release-Engineering-Team (CI & Testing services), Release-Engineering-Team-TODO, Jenkins, phpunit-patch-coverage, Continuous-Integration-Infrastructure
Bawolff moved T246639: Consider sending restrictive CSP in cases where $wgOut->disable() is called and scripting not needed from Backlog to MediaWiki on the ContentSecurityPolicy board.
Mar 23 2020, 12:27 AM · Patch-For-Review, ContentSecurityPolicy
Bawolff moved T245658: .mp4 build artifacts not viewable due to CSP in Chrome from Backlog to misc services on the ContentSecurityPolicy board.
Mar 23 2020, 12:27 AM · Release-Engineering-Team-TODO (2020-04 to 2020-06 (Q4)), Patch-For-Review, Developer Productivity, ContentSecurityPolicy, Release-Engineering-Team (CI & Testing services), Jenkins, Continuous-Integration-Infrastructure
Bawolff moved T248130: Add CSP header to techblog.wikimedia.org to block 3rd party assets from Backlog to misc services on the ContentSecurityPolicy board.
Mar 23 2020, 12:26 AM · User-bd808, ContentSecurityPolicy, Technical blog
Bawolff added a comment to T248277: Enable FlaggedRevs for NS "MediaWiki" and "File" of ruwikisource.

I nonetheless think we should be very cautious enabling FlaggedRevs in NS_MEDIAWIKI.

Mar 23 2020, 12:25 AM · Russian-Sites, Wikimedia-Site-requests

Mar 22 2020

Bawolff created T248278: Wikibase doesn't respect Kartographer's addExtraCSPSrc.
Mar 22 2020, 11:46 PM · Wikidata-Campsite, ContentSecurityPolicy, Maps (Kartographer), Wikidata, MediaWiki-extensions-WikibaseRepository
Bawolff added a comment to T248277: Enable FlaggedRevs for NS "MediaWiki" and "File" of ruwikisource.

I would be very cautious about enabling FlaggedRevs for NS_MEDIAWIKI.

Mar 22 2020, 11:43 PM · Russian-Sites, Wikimedia-Site-requests
Bawolff closed T248274: Sometimes requests on beta cluster are made to http://eventgate-logging.wmflabs.org without TLS as Resolved.
Mar 22 2020, 11:19 PM · MediaWiki-extensions-WikimediaEvents, Beta-Cluster-Infrastructure
Bawolff edited projects for T248274: Sometimes requests on beta cluster are made to http://eventgate-logging.wmflabs.org without TLS, added: MediaWiki-extensions-WikimediaEvents; removed Sentry.

As pointed out by @Krenair, this is actually WikimediaEvents not Sentry

Mar 22 2020, 11:09 PM · MediaWiki-extensions-WikimediaEvents, Beta-Cluster-Infrastructure
Bawolff added a comment to T244124: Make CSP enforce on beta cluster.

Ok, so looking at the results, it seems like the only thing that is generating reports (that is unexpected) are:

Isn't eventgate some analytics thing? In any case that runs through the usual labs web proxy so should be able to do HTTPS just fine. We probably just need to fix a URL in some config somewhere.

Mar 22 2020, 11:04 PM · Wikimedia-Site-requests, ContentSecurityPolicy
Bawolff created T248274: Sometimes requests on beta cluster are made to http://eventgate-logging.wmflabs.org without TLS.
Mar 22 2020, 11:01 PM · MediaWiki-extensions-WikimediaEvents, Beta-Cluster-Infrastructure
Bawolff added a comment to T208197: ContentTranslation relies on recommendation-api running on Cloud VPS.

Have recommendation api to be included in the whitelist (need to determine how)

Mar 22 2020, 10:57 PM · Language-Team (Language-2020-July-September), MW-1.35-notes (1.35.0-wmf.40; 2020-07-07), ContentSecurityPolicy, Privacy Engineering, Recommendation-API, ContentTranslation
Bawolff added a comment to T244124: Make CSP enforce on beta cluster.

Ok, so looking at the results, it seems like the only thing that is generating reports (that is unexpected) are:

Mar 22 2020, 10:53 PM · Wikimedia-Site-requests, ContentSecurityPolicy
Bawolff awarded T248130: Add CSP header to techblog.wikimedia.org to block 3rd party assets a Love token.
Mar 22 2020, 10:44 PM · User-bd808, ContentSecurityPolicy, Technical blog
Bawolff closed T211539: Beta Cluster cross-wiki login request would be blocked by CSP as Resolved.
Mar 22 2020, 10:40 PM · MW-1.35-notes (1.35.0-wmf.21; 2020-02-25), ContentSecurityPolicy, Performance-Team (Radar), Beta-Cluster-Infrastructure, Beta-Cluster-reproducible, MediaWiki-extensions-CentralAuth, Security-Team

Mar 20 2020

Bawolff created T248209: File selector on Special:Upload should include the accept attribute to limit to supported extensions.
Mar 20 2020, 10:18 PM · MediaWiki-Uploading
Bawolff added a comment to T245658: .mp4 build artifacts not viewable due to CSP in Chrome.

For reference, I don't think there is any risk of the new policy:

  • media-src 'self' allows playing <video> elements to play files from the same domain. On some browsers that implement viewing a media file by generating a fake page with a <video> element on it, this allows viewing the media files directly. There is basically no risk of playing a video file from the same domain. At worst playing video files could be used as a very poor data-exfiltration method by changing cache status and whatnot, which doesn't sound like a credible risk in jenkins, and is reduced by only allowing same domain files.
  • style-src 'unsafe-inline' allows inline style attributes, and <style> tags on pages (helpful for T215115). The potential risk around allowing this is generally two things. First of all in certain situations it can be used to aid in phishing. This seems inapplicable to jenkins. Secondly, it can be used as a data exfiltration method (e.g. Setting a background-image based on the value of an attribute. Having an unclosed url() token in a style sheet that eats the closing </style> tag and includes part of the page in the url being fetched, etc). This does not seem like a credible risk in the context of jenkins.
Mar 20 2020, 8:51 PM · Release-Engineering-Team-TODO (2020-04 to 2020-06 (Q4)), Patch-For-Review, Developer Productivity, ContentSecurityPolicy, Release-Engineering-Team (CI & Testing services), Jenkins, Continuous-Integration-Infrastructure
Bawolff added a comment to T245658: .mp4 build artifacts not viewable due to CSP in Chrome.

So I would suggest something like:

Mar 20 2020, 8:41 PM · Release-Engineering-Team-TODO (2020-04 to 2020-06 (Q4)), Patch-For-Review, Developer Productivity, ContentSecurityPolicy, Release-Engineering-Team (CI & Testing services), Jenkins, Continuous-Integration-Infrastructure
Bawolff added a comment to T245658: .mp4 build artifacts not viewable due to CSP in Chrome.

On a similar task, that is apparently due to Jenkins built in defaults T215115#4926869

I don't know the CSP rule that should be injected to allow inline videos. The message seems to indicate media-src is the key, no idea about the value that should be passed.

Mar 20 2020, 8:35 PM · Release-Engineering-Team-TODO (2020-04 to 2020-06 (Q4)), Patch-For-Review, Developer Productivity, ContentSecurityPolicy, Release-Engineering-Team (CI & Testing services), Jenkins, Continuous-Integration-Infrastructure
Bawolff updated subscribers of T248147: Wikimedia\Rdbms\Database::normalizeUpsertKeys called with deprecated parameter style: the unique key array should be a string or array of string arrays generating 2 million warnings in 24 hours.
Mar 20 2020, 6:20 AM · MW-1.35-notes (1.35.0-wmf.30; 2020-04-28), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞), AntiSpoof, ProofreadPage, PageCuration, Wikidata, Wikimedia-General-or-Unknown, Growth-Team, Platform Team Workboards (Clinic Duty Team)
Bawolff added a comment to T248147: Wikimedia\Rdbms\Database::normalizeUpsertKeys called with deprecated parameter style: the unique key array should be a string or array of string arrays generating 2 million warnings in 24 hours.

Probably from 13b11a946ea

Mar 20 2020, 6:20 AM · MW-1.35-notes (1.35.0-wmf.30; 2020-04-28), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞), AntiSpoof, ProofreadPage, PageCuration, Wikidata, Wikimedia-General-or-Unknown, Growth-Team, Platform Team Workboards (Clinic Duty Team)

Mar 19 2020

Bawolff added a project to T248130: Add CSP header to techblog.wikimedia.org to block 3rd party assets: ContentSecurityPolicy.
Mar 19 2020, 9:01 PM · User-bd808, ContentSecurityPolicy, Technical blog
Bawolff added a comment to T247910: MediaWiki should allow setting tabindex="0" on elements in wikitext.

@cscott thank you!

Mar 19 2020, 6:32 PM · MW-1.35-notes (1.35.0-wmf.25; 2020-03-24), Product-Infrastructure-Team-Backlog, Parsoid, Parsing-Team, Patch-For-Review, Accessibility, MediaWiki-Parser, covid-19
Bawolff added a comment to T247566: Broken section edit links styles on Vector.

So this seems to be affecting group0 wikis and generating complaints. Patch should probably be backported and deployed rather urgently

Mar 19 2020, 7:47 AM · MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), Readers-Web-Backlog (Kanbanana-2019-20-Q3), Vector, Desktop Improvements
Bawolff placed T141185: Better error handing for js list editor up for grabs.
Mar 19 2020, 4:32 AM · Technical-Debt, MediaWiki-extensions-CollaborationKit
Bawolff placed T149037: CollaborationList: add visual editing mode up for grabs.
Mar 19 2020, 4:31 AM · MediaWiki-extensions-CollaborationKit
Bawolff placed T149043: CollaborationList: add js tools for managing columns up for grabs.
Mar 19 2020, 4:31 AM · MediaWiki-extensions-CollaborationKit
Bawolff placed T141015: Add support for re-arranging features via drag and drop up for grabs.
Mar 19 2020, 4:31 AM · MediaWiki-extensions-CollaborationKit

Mar 18 2020

Bawolff added a comment to T247747: mobile-apps XSS when using api/rest_v1/page/mobile-html on zh wiki, with id attribute in header.

The web browser was what I was primarily thinking of, because it's in the same domain as wikipedia, so you could use it to take over accounts (on any language since all the projects are connected) [the PoC I made above requires user interaction but you should be able to do it without user interaction beyond loading the page, as < is allowed in id attributes]. Just trick a user into viewing that link, or have your third party attack website open it in iframe/popup/etc

Mar 18 2020, 7:24 PM · Product-Infrastructure-Team-Backlog (Kanban), Vuln-XSS, Page Content Service, Security, Security-Team
Bawolff updated subscribers of T247078: Main pages of several Beta Cluster wikis redirect to other production wikis (MessageCache keyspace is same for all wikis causing conflicts).

@Krinkle 's patch at https://gerrit.wikimedia.org/r/580577 should fix this

Mar 18 2020, 1:56 AM · User-zeljkofilipin, MediaWiki-Cache, Beta-Cluster-Infrastructure
Bawolff added a comment to T247562: Warning: Memcached::setMulti(): failed to set key global:segment:....

This is also causing T247078

Mar 18 2020, 1:56 AM · User-notice, MW-1.35-notes (1.35.0-wmf.24; 2020-03-17), Platform Team Workboards (Clinic Duty Team), MediaWiki-Cache, User-brennen, Wikimedia-production-error
Bawolff added a comment to T247910: MediaWiki should allow setting tabindex="0" on elements in wikitext.

@Volker_E Does only allowing tabindex=0 (but not -1 or positive numbers) in wikitext make sense do you think? Or do you think we should also allow -1?

Mar 18 2020, 12:58 AM · MW-1.35-notes (1.35.0-wmf.25; 2020-03-24), Product-Infrastructure-Team-Backlog, Parsoid, Parsing-Team, Patch-For-Review, Accessibility, MediaWiki-Parser, covid-19

Mar 17 2020

Bawolff added a project to T247910: MediaWiki should allow setting tabindex="0" on elements in wikitext: Accessibility.
Mar 17 2020, 11:19 PM · MW-1.35-notes (1.35.0-wmf.25; 2020-03-24), Product-Infrastructure-Team-Backlog, Parsoid, Parsing-Team, Patch-For-Review, Accessibility, MediaWiki-Parser, covid-19
Bawolff created T247910: MediaWiki should allow setting tabindex="0" on elements in wikitext.
Mar 17 2020, 11:17 PM · MW-1.35-notes (1.35.0-wmf.25; 2020-03-24), Product-Infrastructure-Team-Backlog, Parsoid, Parsing-Team, Patch-For-Review, Accessibility, MediaWiki-Parser, covid-19
Bawolff added a comment to T247702: Format table in coronavirus article.

So one issue here, is that MediaWiki bans the tabindex attribute, which for accessibility reasons is recommended on scrollable elements.

Mar 17 2020, 11:15 PM · Readers-Web-Backlog (Tracking), Product-Infrastructure-Team-Backlog (Kanban), Patch-For-Review, covid-19, Wikipedia-iOS-App-Backlog, Wikipedia-Android-App-Backlog, Mobile-Content-Service, iOS-app-Bugs, Android-app-Bugs, Reading-Web-Local-Wiki-Issues, MediaWiki-General
Bawolff added a comment to T247702: Format table in coronavirus article.

The prod version of the app has bundled CSS on iOS and legacy upstream CSS on Android.

Mar 17 2020, 10:46 PM · Readers-Web-Backlog (Tracking), Product-Infrastructure-Team-Backlog (Kanban), Patch-For-Review, covid-19, Wikipedia-iOS-App-Backlog, Wikipedia-Android-App-Backlog, Mobile-Content-Service, iOS-app-Bugs, Android-app-Bugs, Reading-Web-Local-Wiki-Issues, MediaWiki-General
Bawolff added a comment to T247703: Help with surfacing coronavirus info in "in the news" on enwiki.

Can we geolocate content on this page?

Mar 17 2020, 8:54 PM · covid-19, Readers-Web-Backlog (Design), Wikimedia-General-or-Unknown
Bawolff renamed T247078: Main pages of several Beta Cluster wikis redirect to other production wikis (MessageCache keyspace is same for all wikis causing conflicts) from Main pages of several Beta Cluster wikis redirect to other production wikis to Main pages of several Beta Cluster wikis redirect to other production wikis (MessageCache keyspace is same for all wikis causing conflicts).
Mar 17 2020, 8:46 PM · User-zeljkofilipin, MediaWiki-Cache, Beta-Cluster-Infrastructure
Bawolff updated subscribers of T247078: Main pages of several Beta Cluster wikis redirect to other production wikis (MessageCache keyspace is same for all wikis causing conflicts).

So it looks like what is happening:

Mar 17 2020, 8:44 PM · User-zeljkofilipin, MediaWiki-Cache, Beta-Cluster-Infrastructure
Bawolff added a comment to T246901: Support full colour 3D models on Wikimedia projects.

@Keegan do you know what kinds of programming skills/languages would be needed to implement this?

Mar 17 2020, 6:50 PM · User-Mrjohncummings, Commons, 3D
Bawolff added a comment to T247702: Format table in coronavirus article.

Rendering and usability is better in the Alpha (with Mobile HTML), 

Is there an api endpoint for production app we can use for quick testing what it looks like there? Mobile-html with its rest endpoint makes for much easier testing

If you are talking about the mobile-sections endpoint used in the Android prod app right now, I made a little demo app which stitches the sections of that together: https://mobile-sections-demo.netlify.com/en/2019%E2%80%9320_coronavirus_pandemic#Epidemiology. Note this doesn't do any of the client-side transformations the app makes. (source code)

Mar 17 2020, 6:47 PM · Readers-Web-Backlog (Tracking), Product-Infrastructure-Team-Backlog (Kanban), Patch-For-Review, covid-19, Wikipedia-iOS-App-Backlog, Wikipedia-Android-App-Backlog, Mobile-Content-Service, iOS-app-Bugs, Android-app-Bugs, Reading-Web-Local-Wiki-Issues, MediaWiki-General
Bawolff added a comment to T247702: Format table in coronavirus article.

doesn't work because of T111565

Mar 17 2020, 6:01 PM · Readers-Web-Backlog (Tracking), Product-Infrastructure-Team-Backlog (Kanban), Patch-For-Review, covid-19, Wikipedia-iOS-App-Backlog, Wikipedia-Android-App-Backlog, Mobile-Content-Service, iOS-app-Bugs, Android-app-Bugs, Reading-Web-Local-Wiki-Issues, MediaWiki-General
Bawolff added a comment to T247702: Format table in coronavirus article.

@Bawolff Thanks, will do. Is there any specific reason to have the outdated handheld in @media screen, handheld? Anything hidden from plain sight?

Mar 17 2020, 5:06 AM · Readers-Web-Backlog (Tracking), Product-Infrastructure-Team-Backlog (Kanban), Patch-For-Review, covid-19, Wikipedia-iOS-App-Backlog, Wikipedia-Android-App-Backlog, Mobile-Content-Service, iOS-app-Bugs, Android-app-Bugs, Reading-Web-Local-Wiki-Issues, MediaWiki-General