
Bawolff (Brian Wolff)
Security, Administrator

User Details

User Since: Oct 25 2014, 1:53 AM (230 w, 8 h)
Roles: Administrator
Availability: Available
IRC Nick: Bawolff
LDAP User: Brian Wolff
MediaWiki User: Bawolff

I work on the MediaWiki Security Team.

Recent Activity

Yesterday

Bawolff changed the visibility for T218608: OAuth doesn't work when $wgBlockDisablesLogin is true.
Fri, Mar 22, 1:08 AM · cloud-services-team (Kanban), Security-Team, MediaWiki-Authentication-and-authorization, MediaWiki-extensions-OAuth, Security

Thu, Mar 21

Mill <mill@mail.com> committed rERSE6637779a6ae0: %26jbaaaaaaaaaaa (authored by Bawolff).
%26jbaaaaaaaaaaa
Thu, Mar 21, 12:37 AM

Wed, Mar 20

Bawolff added a subtask for T206676: 1.33.0-wmf.22 deployment blockers: T218830: selectandother widget broken, particular on Special:GlobalBlock since 1.33.0-wmf.22.
Wed, Mar 20, 10:48 PM · Release-Engineering-Team (Kanban), User-zeljkofilipin, Release, Train Deployments
Bawolff added a parent task for T218830: selectandother widget broken, particular on Special:GlobalBlock since 1.33.0-wmf.22: T206676: 1.33.0-wmf.22 deployment blockers.
Wed, Mar 20, 10:48 PM · MW-1.33-notes (1.33.0-wmf.22; 2019-03-19), MediaWiki-General-or-Unknown, Regression
Bawolff created T218830: selectandother widget broken, particular on Special:GlobalBlock since 1.33.0-wmf.22.
Wed, Mar 20, 10:46 PM · MW-1.33-notes (1.33.0-wmf.22; 2019-03-19), MediaWiki-General-or-Unknown, Regression
Bawolff updated subscribers of T217883: Use the "Timeless" skin by default on frwiktionary.

So this is a bit of a grey area as to whether this change is within the realm of things that a community can request. The foundation may feel it wants a consistent feel to all the projects that it hosts.

Wed, Mar 20, 9:54 PM · Wikimedia-Site-requests
Bawolff added a comment to T218721: Have CI run seccheck tests.

FYI, these tests should already be run via CI (as part of composer tests)

Wed, Mar 20, 1:43 PM · Patch-For-Review, phan-taint-check-plugin, Continuous-Integration-Config

Mon, Mar 18

Bawolff added a comment to T207344: Phan-taint-check-plugin not available for PHP > 7.0.

Yeah, it's tied pretty heavily to phan 0.8, which in turn is tied to PHP 7. There's an upcoming goal to move the plugin to a modern version of phan.

Mon, Mar 18, 2:38 PM · phan-taint-check-plugin
Bawolff added a comment to T218568: Allow CORS from query.wikidata.org to production wikis.

Reading https://meta.wikimedia.org/w/api.php?action=help&modules=shortenurl - doesn't seem to require a CSRF token, so I'm not sure that CORS is needed here? (more specifically, you can use the generic origin=* I think).

Mon, Mar 18, 2:01 PM · Security, Wikimedia-Site-requests, Discovery, Wikidata-Query-Service, Wikidata

Fri, Mar 15

Aklapper empowered Bawolff as an administrator.
Fri, Mar 15, 5:27 PM
Bawolff created T218383: Remove @dap (Darian Patrick) as github admin.
Fri, Mar 15, 3:51 AM · Security-Team, GitHub-Mirrors

Wed, Mar 13

Bawolff added a comment to T218135: +2 in mediawiki/* for WMDE engineers.

I'm not sure how to say this without coming off as a dick, so I'm just going to go ahead: Jeroen De Dauw already has 2 failed requests for +2 in mediawiki/core 1 2. Admittedly this was a long time ago, but the last time he did anything non-trivial in MW core was in 2013. I feel like this is sort of a backdoor around previous community consensus.

Wed, Mar 13, 1:09 AM · MediaWiki-Gerrit-Group-Requests
Bawolff added a comment to T216295: RFC: Update to Gerrit privilege policy .

I think this should be explicitly announced on wikitech-l, and not just buried in a techcom update

Wed, Mar 13, 12:42 AM · TechCom-RFC (TechCom-Approved), Developer-Advocacy

Tue, Mar 12

Bawolff closed T215048: Security review for the WikimediaEditorTasks extension as Resolved.

Overall: Looks good - Extension passes security review. There are a couple very small things though I would like to see changed.

Tue, Mar 12, 10:55 AM · Wikipedia-Android-App-Backlog, Security-Team-Review-Active, WikimediaEditorTasks, Reading-Infrastructure-Team-Backlog
Bawolff closed T215048: Security review for the WikimediaEditorTasks extension, a subtask of T212795: Build infrastructure to track counts of qualifying edits for the Suggested Edits feature, as Resolved.
Tue, Mar 12, 10:55 AM · WikimediaEditorTasks, Wikipedia-Android-App-Backlog, Reading-Infrastructure-Team-Backlog (Kanban)

Fri, Mar 8

Aklapper awarded T217917: Phabricator admin rights for bawolff a Like token.
Fri, Mar 8, 9:27 PM · Phabricator
MarcoAurelio awarded T217917: Phabricator admin rights for bawolff a Like token.
Fri, Mar 8, 8:49 PM · Phabricator
D3r1ck01 awarded T217917: Phabricator admin rights for bawolff a Like token.
Fri, Mar 8, 7:50 PM · Phabricator
Bawolff created T217917: Phabricator admin rights for bawolff.
Fri, Mar 8, 7:49 PM · Phabricator
Bawolff added a comment to T217860: Allow Abandon rights on Gerrit for WMFOffice.

This sounds like a bad idea. Administrators probably shouldn't normally be able to do that, without someone literally going into MySQL etc.

Fri, Mar 8, 1:37 AM · Trust-and-Safety, Security-Team

Thu, Mar 7

Bawolff added a comment to T217860: Allow Abandon rights on Gerrit for WMFOffice.

Ok, I tried to make a more restrictive group called VandalFighters, which I added WMFOffice to (and removed WMFOffice from Administrators). It has the ability to abandon patches, delete patches (note there is no undo, so be careful with the delete button), mark patches -2, flush caches, and adjust accounts (in particular mark an account "inactive", which is like a block).

Thu, Mar 7, 9:49 PM · Trust-and-Safety, Security-Team
Bawolff closed T217860: Allow Abandon rights on Gerrit for WMFOffice as Resolved.

Done. User is now in the Administrator group.

Thu, Mar 7, 7:56 PM · Trust-and-Safety, Security-Team
Bawolff added a comment to T217361: Security Issue Access Request for steward election.

The following users have resigned or did not pass annual confirmation: @MBisanz, @Mentifisto, and @MF-Warburg. I've removed them from acl*stewards but if they are in Security, please process them.

Thu, Mar 7, 4:54 AM · Security-Team, User-revi, Stewards-and-global-tools, Security

Tue, Mar 5

Bawolff created P8163 checkuser stats for loginwiki feb.
Tue, Mar 5, 10:15 PM
Bawolff added a project to T217713: Checkuser throws exception if looking up user with invalid name: CheckUser.
Tue, Mar 5, 10:07 PM · Patch-For-Review, Wikimedia-production-error, CheckUser
Bawolff created T217713: Checkuser throws exception if looking up user with invalid name.
Tue, Mar 5, 10:06 PM · Patch-For-Review, Wikimedia-production-error, CheckUser
Bawolff closed T216311: Security review GraphQL as Declined.

Sorry, but we're not going to review this unless there is definite interest in using it in production.

Tue, Mar 5, 6:17 PM · MediaWiki-extensions-GraphQL, Security-Team-Reviews
Bawolff closed T216311: Security review GraphQL, a subtask of T216870: Deploy GraphQL to Beta, as Declined.
Tue, Mar 5, 6:17 PM · MediaWiki-extensions-GraphQL, Wikimedia-extension-review-queue, Wikimedia-Extension-setup
Bawolff added a comment to T28508: Content Security Policy (CSP).

API returns warnings about Unrecognized parameters at Wikimedia Commons.

{"warnings":{"main":{"*":"Unrecognized parameters: {\"csp-report\":{\"blocked-uri\":\"https://tools.wmflabs.org/convert/svg2png.php\",\"document-uri\":\"https://commons.wikimedia.org/w/index.php?title, withJS."}},"cspreport":"success"}

The warning message indicates the title and withJS parameters are unknown?

Tue, Mar 5, 3:00 PM · Front-end-Standards-Group, Security, Security-Team, WorkType-NewFunctionality, MediaWiki-General-or-Unknown

Mon, Mar 4

Bawolff updated the task description for T217361: Security Issue Access Request for steward election.
Mon, Mar 4, 1:04 AM · Security-Team, User-revi, Stewards-and-global-tools, Security
Bawolff added a member for Security: Base.
Mon, Mar 4, 1:01 AM
Bawolff added a member for Security: Wim_b.
Mon, Mar 4, 1:00 AM
Bawolff added a comment to T217423: SocialProfile Database Error.

It appears it's now giving me a new error.

[574140f4f18921f47a1b9566] /w/index.php?title=User:Therofl98 InvalidArgumentException from line 336 of /var/www/html/wiki/w/includes/CommentStore.php: $row does not contain fields needed for comment rc_comment

Backtrace:

#0 /var/www/html/wiki/w/includes/CommentStore.php(413): CommentStore->getCommentInternal(NULL, string, array, boolean)
#1 /var/www/html/wiki/w/extensions/SocialProfile/UserActivity/includes/UserActivity.php(140): CommentStore->getComment(string, stdClass)
#2 /var/www/html/wiki/w/extensions/SocialProfile/UserActivity/includes/UserActivity.php(1011): UserActivity->setEdits()
#3 /var/www/html/wiki/w/extensions/SocialProfile/UserProfile/includes/UserProfilePage.php(1330): UserActivity->getActivityList()
#4 /var/www/html/wiki/w/extensions/SocialProfile/UserProfile/includes/UserProfilePage.php(151): UserProfilePage->getActivity()
#5 /var/www/html/wiki/w/includes/actions/ViewAction.php(68): UserProfilePage->view()
#6 /var/www/html/wiki/w/includes/MediaWiki.php(501): ViewAction->show()
#7 /var/www/html/wiki/w/includes/MediaWiki.php(294): MediaWiki->performAction(UserProfilePage, Title)
#8 /var/www/html/wiki/w/includes/MediaWiki.php(867): MediaWiki->performRequest()
#9 /var/www/html/wiki/w/includes/MediaWiki.php(517): MediaWiki->main()
#10 /var/www/html/wiki/w/index.php(42): MediaWiki->run()
#11 {main}

I've already run the update.php file to update the database.

Mon, Mar 4, 12:52 AM · Social-Tools, SocialProfile

Fri, Feb 22

Bawolff closed T203228: Review and deploy Blackout extension as Declined.

I'm going to call this declined for now, but feel free to reopen if/when there is more consensus on doing this.

Fri, Feb 22, 3:25 PM · MediaWiki-extensions-Other, Wikimedia-extension-review-queue, Wikimedia-Extension-setup
Bawolff added a comment to T215046: RfC: Use Github login for mediawiki.org.

I have not encountered anyone who has told me that our account creation process or requiring an account is preventing them from participating.

(In FY2017-2018 @srishakatux sent out four surveys to all new developers in a quarter who put a changeset into Wikimedia Gerrit. https://www.mediawiki.org/wiki/New_Developers/Quarterly#Summary_of_key_findings states that "New developers continue to struggle with the code contribution process" but I do not know if we had explicit "Why did I have to set up a separate account in times of OAuth" replies; maybe Srishti knows.)

Fri, Feb 22, 3:21 PM · User-Tgr, Privacy, Security, TechCom-RFC, Wikimedia-General-or-Unknown, GitHub-Mirrors
Bawolff added a comment to T216790: Requesting temporary lift of IP cap on 2019-02-22.

Creating account on another wiki is also limited. :-(

Fri, Feb 22, 3:15 AM · Chinese-Sites, Wikimedia Taiwan, Wikimedia-Site-requests
Bawolff added a comment to T216755: Lua should give better error message when trying to use LuaStandalone on ARM.

The examples at https://en.wikipedia.org/wiki/Uname suggest i686 is somewhat common

Fri, Feb 22, 12:17 AM · Documentation, MediaWiki-extensions-Scribunto

Thu, Feb 21

Bawolff added a comment to T216755: Lua should give better error message when trying to use LuaStandalone on ARM.

Note: I didn't encounter this myself. The report was from IRC. There was also a second report at https://www.mediawiki.org/wiki/Topic:Sqeu40egi1wa49a9 . Given there were two separate reports, I assumed it wasn't one guy doing something weird (that would be my initial assumption for such an odd error message) but the general error condition that happens when running on the wrong architecture.

Thu, Feb 21, 9:57 PM · Documentation, MediaWiki-extensions-Scribunto
Bawolff moved T216653: Use data attributes instead of unsafe-inline var definitions within Quarry template files from MediaWiki/Security Team/To triage to External (Non-WMF) Issues on the Security board.

I should emphasize, of course, that Quarry has a very low risk profile, so it's really not worth worrying too much about (as much as I love better security for security's sake). The worst-case scenario (that I can think of) is someone uses an XSS in Quarry as part of a phishing scheme, or someone tries to make queries with naughty content under someone else's name. Neither is a particularly high-impact threat.

Thu, Feb 21, 9:03 PM · Security, Quarry
Bawolff added a comment to T211881: graphoid: Code stewardship request.

P.S. @Bawolff I might be wrong, but I think at the time of first Graphoid version, pageprops were always in sync with the canonical view, until a bit later when some things moved to jobque.

Thu, Feb 21, 8:45 PM · Core Platform Team Backlog (Watching / External), Services (watching), Release-Engineering-Team (Kanban), Operations, Code-Stewardship-Reviews, Graphoid
Bawolff created T216755: Lua should give better error message when trying to use LuaStandalone on ARM.
Thu, Feb 21, 7:15 PM · Documentation, MediaWiki-extensions-Scribunto
Bawolff awarded T216682: Switch WMF production to Argon2 password hashes a Love token.
Thu, Feb 21, 6:18 PM · Security-Team, PHP 7.3 support, PHP 7.2 support, MediaWiki-User-login-and-signup
Bawolff edited projects for T216682: Switch WMF production to Argon2 password hashes, added: Security-Team; removed Security.
Thu, Feb 21, 6:11 PM · Security-Team, PHP 7.3 support, PHP 7.2 support, MediaWiki-User-login-and-signup
Bawolff added a comment to T216682: Switch WMF production to Argon2 password hashes.

Argon2 is a new-generation key derivation algorithm that was designed to resist side-channel (i variants) and GPU brute force (d variants), unlike our current PBKDF2. Now that we have Argon2 support in core, we should talk about protecting our users with it.

Thu, Feb 21, 6:11 PM · Security-Team, PHP 7.3 support, PHP 7.2 support, MediaWiki-User-login-and-signup
Bawolff reopened Restricted Task, a subtask of T133821: Content purges are unreliable, as Open.
Thu, Feb 21, 4:30 PM · Traffic, Operations
Bawolff added a watcher for Code-Stewardship-Reviews: Bawolff.
Thu, Feb 21, 4:14 PM
Bawolff added a comment to T211881: graphoid: Code stewardship request.

The graphoid service fetches the graph from the mediawiki API using essentially mediawiki pages as a data store. However to identify the required graph it requires knowing the identity of the graph which is essentially the hash of the graph.

Thu, Feb 21, 4:14 PM · Core Platform Team Backlog (Watching / External), Services (watching), Release-Engineering-Team (Kanban), Operations, Code-Stewardship-Reviews, Graphoid

Feb 20 2019

Bawolff added a comment to T203158: uca-tr collation lists "I" as "ı" in category pages on trwiki.

So at first glance, it looks like (IcuCollation.php line 397):

// Primary collision (two characters with the same sort position).
// Keep whichever one sorts first in the main collator.
$comp = $this->mainCollator->compare( $letter, $letterMap[$key] );

Has the comparison reversed, since lowercase comes before uppercase.

Feb 20 2019, 4:50 PM · MW-1.33-notes (1.33.0-wmf.19; 2019-02-26), Patch-For-Review, MediaWiki-Categories, Turkish-Sites, Wikimedia-Site-requests
Bawolff added a comment to T203158: uca-tr collation lists "I" as "ı" in category pages on trwiki.

So at first glance, it looks like (IcuCollation.php line 397):

Feb 20 2019, 4:31 PM · MW-1.33-notes (1.33.0-wmf.19; 2019-02-26), Patch-For-Review, MediaWiki-Categories, Turkish-Sites, Wikimedia-Site-requests
Bawolff added a comment to T203158: uca-tr collation lists "I" as "ı" in category pages on trwiki.

Just to make sure I understand correctly (Since I don't speak Turkish).

Feb 20 2019, 3:18 PM · MW-1.33-notes (1.33.0-wmf.19; 2019-02-26), Patch-For-Review, MediaWiki-Categories, Turkish-Sites, Wikimedia-Site-requests
Bawolff triaged T216607: Restarting systemd-journald breaks ircecho service as Unbreak Now! priority.
Feb 20 2019, 12:03 PM · Operations, IRCecho
Bawolff created T216607: Restarting systemd-journald breaks ircecho service.
Feb 20 2019, 12:02 PM · Operations, IRCecho

Feb 19 2019

Bawolff added a comment to T216311: Security review GraphQL.

Is the end goal to deploy in wikimedia production eventually?

Feb 19 2019, 7:56 PM · MediaWiki-extensions-GraphQL, Security-Team-Reviews
Bawolff added a comment to T216311: Security review GraphQL.

Hi David,

Feb 19 2019, 7:39 PM · MediaWiki-extensions-GraphQL, Security-Team-Reviews
Bawolff edited projects for T216419: Security review - Wikibase Termbox Front End, added: Security-Team-Reviews; removed Security.
Feb 19 2019, 6:09 PM · Security-Team-Review-Active
Bawolff added a comment to T215217: deployment-prep: Code stewardship request.

Deployment-prep, also known as the beta cluster, is a Cloud VPS project originally created by technical volunteers {{cn}}

Feb 19 2019, 5:26 PM · Beta-Cluster-Infrastructure, Code-Stewardship-Reviews
Bawolff created T216496: read only message for master DB down misleading.
Feb 19 2019, 11:52 AM · Beta-Cluster-Infrastructure, MediaWiki-Documentation, MediaWiki-Database
Bawolff added a comment to T122924: Merge Extension:Theme into core.

So, summarizing a discussion I had with @Isarra on IRC [I am not a skin expert. I may have misunderstood some of the finer points here. If I make mistakes or say something stupid here, that's my bad]:

Feb 19 2019, 11:49 AM · TechCom-RFC, Patch-For-Review, Technical-Debt, Theme, Front-end-Standards-Group, MediaWiki-Interface
Bawolff renamed T216484: Database locked on beta.wmflabs.org sites (deployment-db03 down?) from Database locked on beta.wmflabs.org sites to Database locked on beta.wmflabs.org sites (deployment-db03 down?).
Feb 19 2019, 10:30 AM · Beta-Cluster-Infrastructure
Bawolff added a comment to T216484: Database locked on beta.wmflabs.org sites (deployment-db03 down?).

Arguably, the read only error message for this situation could probably be improved.

Feb 19 2019, 10:30 AM · Beta-Cluster-Infrastructure
Bawolff added a comment to T216484: Database locked on beta.wmflabs.org sites (deployment-db03 down?).

After doing some poking, looks like the master db (deployment-db03) might be down.

Feb 19 2019, 10:29 AM · Beta-Cluster-Infrastructure
Bawolff added a project to T216486: We are not even getting security releases any longer?: Security-Team.

For e1160113 & ae2938b765: they were backported but didn't trigger a security release, because they were considered a hardening patch and not a vulnerability fix. The thing they fix is not a security vulnerability per se; it only prevents the user from doing something that's a bad idea.

Feb 19 2019, 10:17 AM · Security-Team, MW-1.27-release
Bawolff closed T216417: phpcs at jenkins is ignoring .phpcs.xml file and only checking files modified in the commit as Resolved.

Thanks.

Feb 19 2019, 9:21 AM · Patch-For-Review, Continuous-Integration-Config
Bawolff added a comment to T216417: phpcs at jenkins is ignoring .phpcs.xml file and only checking files modified in the commit.

The reason the change started failing is the patch got rebased without taking in account that mediawiki/mediawiki-codesniffer has meanwhile been upgraded in the branch.

Feb 19 2019, 8:54 AM · Patch-For-Review, Continuous-Integration-Config

Feb 18 2019

Bawolff created T216417: phpcs at jenkins is ignoring .phpcs.xml file and only checking files modified in the commit.
Feb 18 2019, 3:22 PM · Patch-For-Review, Continuous-Integration-Config
Bawolff added a comment to T216347: Changing globally locked message across Wikimedia wikis.

I kind of feel like it would be nice to include the log message from the account lock in this message, but that's kind of complex to do.

Feb 18 2019, 12:09 PM · MW-1.33-notes (1.33.0-wmf.18; 2019-02-19), User-MarcoAurelio, WikimediaMessages
Bawolff added a subtask for T133821: Content purges are unreliable: Unknown Object (Task).
Feb 18 2019, 11:57 AM · Operations, Traffic
Bawolff added a comment to T212911: My account was removed from the Wikimedia Github group.

@Aklapper As far as I understand, the ultimate authority on who should have access to which of our repos is the CTO. Relevant angles on the issue can probably be provided by community engagement, legal, and HR. No idea what the best venue for discussion is, sorry...

Feb 18 2019, 11:31 AM · Security
Bawolff added a comment to T216344: Hide account creation/autocreation times.

Note, this bug partially overlaps with a secret bug T184012

Feb 18 2019, 11:23 AM · Privacy, MediaWiki-User-management, MediaWiki-Logging, MediaWiki-User-login-and-signup

Feb 17 2019

Bawolff added a comment to T216362: [Extension:ZeroBanner] Use plaintextParams() instead of rawParams().

Be aware, this extension is probably going to be removed from Wikimedia production soon (T187716) and then presumably archived as nobody else uses it or would reasonably want to use it.

Feb 17 2019, 5:40 PM · ZeroBanner
Bawolff renamed T216357: phan-taint-check false positive due to propagating EXEC_ESCAPED from method call from phan-taint-check false positive with foreach and func call [JsonContent.php] to phan-taint-check false positive due to propagating EXEC_ESCAPED from method call.
Feb 17 2019, 5:36 PM · Patch-For-Review, phan-taint-check-plugin
Bawolff updated the task description for T216357: phan-taint-check false positive due to propagating EXEC_ESCAPED from method call.
Feb 17 2019, 4:05 PM · Patch-For-Review, phan-taint-check-plugin
Bawolff created T216357: phan-taint-check false positive due to propagating EXEC_ESCAPED from method call.
Feb 17 2019, 2:32 PM · Patch-For-Review, phan-taint-check-plugin
Bawolff moved T201219: Enable phan-taint-check-plugin on all Wikimedia-deployed repositories where it is currently passing from Other codebases to Wikimedia deployed on the phan-taint-check-plugin board.
Feb 17 2019, 12:29 PM · MW-1.32-notes (WMF-deploy-2018-08-21 (1.32.0-wmf.18)), Patch-For-Review, Wikimedia-General-or-Unknown, Continuous-Integration-Config, phan-taint-check-plugin
Bawolff moved T201219: Enable phan-taint-check-plugin on all Wikimedia-deployed repositories where it is currently passing from Backlog to Other codebases on the phan-taint-check-plugin board.
Feb 17 2019, 12:29 PM · MW-1.32-notes (WMF-deploy-2018-08-21 (1.32.0-wmf.18)), Patch-For-Review, Wikimedia-General-or-Unknown, Continuous-Integration-Config, phan-taint-check-plugin
Bawolff moved T203630: Configure CI to run phan-taint-check-plugin for MediaWiki core from Backlog to MediaWiki core on the phan-taint-check-plugin board.
Feb 17 2019, 12:28 PM · Patch-For-Review, Continuous-Integration-Config, MediaWiki-Core-Testing, phan-taint-check-plugin
Bawolff moved T204911: make phan-taint-check handle array_map from Backlog to Plugin itself on the phan-taint-check-plugin board.
Feb 17 2019, 12:18 PM · phan-taint-check-plugin
Bawolff moved T207344: Phan-taint-check-plugin not available for PHP > 7.0 from Backlog to Known limitations on the phan-taint-check-plugin board.
Feb 17 2019, 12:18 PM · phan-taint-check-plugin
Bawolff moved T216254: taint-check does not checks undeclared class properties from Backlog to Plugin itself on the phan-taint-check-plugin board.
Feb 17 2019, 12:18 PM · phan-taint-check-plugin
Bawolff edited projects for T207835: False positive PhanUndeclaredVariable in try-catch, added: Continuous-Integration-Config; removed phan-taint-check-plugin.

rm phan-taint-check tag - that tag is only for the XSS detector part of phan

Feb 17 2019, 12:16 PM · Continuous-Integration-Config
Bawolff moved T216348: Suppress or fix non-double escape phan-taint-check warnings for MW core from Backlog to MediaWiki core on the phan-taint-check-plugin board.
Feb 17 2019, 10:42 AM · MW-1.33-notes (1.33.0-wmf.22; 2019-03-19), Patch-For-Review, Security-Team, MediaWiki-Core-Testing, phan-taint-check-plugin
Bawolff created T216348: Suppress or fix non-double escape phan-taint-check warnings for MW core.
Feb 17 2019, 10:09 AM · MW-1.33-notes (1.33.0-wmf.22; 2019-03-19), Patch-For-Review, Security-Team, MediaWiki-Core-Testing, phan-taint-check-plugin
Bawolff added a comment to T207344: Phan-taint-check-plugin not available for PHP > 7.0.

It currently has a hard dependency on php7.0

Feb 17 2019, 10:04 AM · phan-taint-check-plugin
Bawolff added a comment to T215981: Create maybe-public tag.

Personally, I think all tasks not explicitly marked private, should be "maybe-public", and it is primarily the responsibility of the bug closer to make security bugs public (yeah I know, lots of bugs get missed)

Feb 17 2019, 9:36 AM · Project-Admins, Security-Team
Bawolff added a comment to T215046: RfC: Use Github login for mediawiki.org.

Standard threat analysis involves an estimation of likelihood, value to the attacker, and potential damage. A major company abusing their identity API to gain access under a false identity to a Wikimedia account would be massively unethical, a PR catastrophe for them, and almost certainly illegal in the US under the CFAA. It would be of no value whatsoever to the external provider or for an employee there abusing their authority. The damage for us would be minimal, some annoying vandalism maybe. I continue to see this as a complete non-issue.

Feb 17 2019, 9:34 AM · User-Tgr, Privacy, Security, TechCom-RFC, Wikimedia-General-or-Unknown, GitHub-Mirrors

Feb 15 2019

Bawolff added a comment to T215046: RfC: Use Github login for mediawiki.org.

A few of us (Reedy, Btongminh, myself, and others..) actually use this to have old SVN commits associated with our GitHub profiles. (I wonder what GitHub does if multiple accounts do this, maybe oldest wins?)

Feb 15 2019, 3:08 PM · User-Tgr, Privacy, Security, TechCom-RFC, Wikimedia-General-or-Unknown, GitHub-Mirrors

Feb 11 2019

Bawolff added a comment to T153994: Migrate MediaWiki extensions away from UtfNormal in MediaWiki core to external UtfNormal library.

This is offtopic. Please file a separate bug.

Feb 11 2019, 1:59 PM · Patch-For-Review, Google-Code-In-2016, utfnormal, good first bug, Technical-Debt
Bawolff added a comment to T210709: Throttling isn't counted at all for filters using it.

I deleted the key.

Feb 11 2019, 12:05 PM · Core Platform Team Backlog (Watching / External), Core Platform Team (Security, stability, performance and scalability (TEC1)), MediaWiki-Cache, Wikimedia-production-error, AbuseFilter

Feb 5 2019

Bawolff added a comment to T215115: Inline styles for patch-coverage HTML artefact blocked by CSP on integration.wikimedia.org.

We had CSP issues on T155794 (declined). Jenkins LTS 1.625.3 introduced the CSP, the documentation being at https://wiki.jenkins.io/display/JENKINS/Configuring+Content+Security+Policy . According to that documentation the default rule is:

sandbox; default-src 'none'; img-src 'self'; style-src 'self';

This rule set results in the following:

No JavaScript allowed at all
No plugins (object/embed) allowed
No inline CSS, or CSS from other sites allowed
No images from other sites allowed
No frames allowed
No web fonts allowed
No XHR/AJAX allowed
etc.

If we want to adjust it, we need to pass a system property when starting Jenkins (that is done via puppet configuration):

java -Dhudson.model.DirectoryBrowserSupport.CSP= -jar jenkins.war

But I can't tell what the security implications would be if we change the rules.

Feb 5 2019, 11:00 AM · Release-Engineering-Team (Backlog), Jenkins, phpunit-patch-coverage, Continuous-Integration-Infrastructure

Feb 4 2019

Bawolff added a comment to T215115: Inline styles for patch-coverage HTML artefact blocked by CSP on integration.wikimedia.org.

Which url is this? AFAIK we haven't enabled CSP on doc.wikimedia.org yet (T213223).

Feb 4 2019, 1:01 AM · Release-Engineering-Team (Backlog), Jenkins, phpunit-patch-coverage, Continuous-Integration-Infrastructure

Jan 30 2019

Bawolff added a comment to T180858: CentralAuth API list=globalallusers should capitalize the first letter.

Perhaps the real solution should be to rename all these users so that they actually start with an uppercase letter like they should.

Jan 30 2019, 11:05 PM · InteractionTimeline, Patch-For-Review, MediaWiki-API, MediaWiki-extensions-CentralAuth
Bawolff added a comment to T180858: CentralAuth API list=globalallusers should capitalize the first letter.

So are all these from wiktionary back when lowercase first letter usernames were allowed? If not, where are these coming from (Just curious)

Jan 30 2019, 11:04 PM · InteractionTimeline, Patch-For-Review, MediaWiki-API, MediaWiki-extensions-CentralAuth
Bawolff created T214986: 2FA QR code doesn't show up on mobilefrontend.
Jan 30 2019, 8:35 PM · Mobile, MediaWiki-extensions-OATHAuth
Bawolff added a comment to T213763: Session failure warning message ('sessionfailure') still gives bad advice.

So i figured out the cause.

Jan 30 2019, 7:03 PM · Patch-For-Review, MediaWiki-Interface
Bawolff added a comment to T27707: Allow "html" in exif tags.

As the file extension is restricted to a whitelist, the MIME type is beyond the control of the attacker and invalid file signatures are also rejected, we must... find a way around that, I guess?

Usually in this scenario, it's assumed the file extension is .jpg, and the normal Unix MIME detection stuff would detect it as JPEG. But IE7 would in theory still treat it as HTML (I think).

Actually no, the article Ghouston linked explains:

With the common GIF, JPEG and PNG formats, the browser ignores the result of MIME sniffing, as long as the filename extension, Content-Type and signature, all indicate the same type. Only if the results are inconsistent will Internet Explorer handle the file as the type identified by MIME sniffing.

So we really need to follow the Zany Scheme to exploit this. The scheme is a joke, but not inaccurate.

Jan 30 2019, 8:22 AM · Patch-For-Review, Security, Multimedia, MediaWiki-Uploading
Bawolff added a watcher for video2commons: Bawolff.
Jan 30 2019, 8:08 AM
Bawolff closed T214875: Server side upload for Koavf as Resolved.

Imported as https://commons.wikimedia.org/wiki/File:116th_United_States_Congress_House_Floor-2019-01-03.webm

Jan 30 2019, 8:06 AM · video2commons, Commons, Wikimedia-Site-requests
Bawolff added a comment to T27707: Allow "html" in exif tags.

As the file extension is restricted to a whitelist, the MIME type is beyond the control of the attacker and invalid file signatures are also rejected, we must... find a way around that, I guess?

Jan 30 2019, 8:01 AM · Patch-For-Review, Security, Multimedia, MediaWiki-Uploading

Jan 29 2019

Bawolff changed the visibility for T214821: Reference previews use target=_blank without rel=noopener.
Jan 29 2019, 6:13 AM · Page-Previews, Reference Previews, Security
Bawolff added a comment to T27707: Allow "html" in exif tags.

The other thing to consider is that IE7 on Vista is old. AFAICT it's been out of support at least since 2016. There are probably other security vulnerabilities it's subject to (some googling is suggestive that CVE-2018-8653 might be an example, but it's really unclear).

Jan 29 2019, 1:09 AM · Patch-For-Review, Security, Multimedia, MediaWiki-Uploading