Bawolff (Brian Wolff)
Security, Administrator

User Details

User Since
Oct 25 2014, 1:53 AM (273 w, 6 d)
Roles
Administrator
Availability
Available
IRC Nick
Bawolff
LDAP User
Brian Wolff
MediaWiki User
Bawolff [ Global Accounts ]

I work on the MediaWiki Security Team.

Recent Activity

Tue, Jan 21

Bawolff awarded T243288: Retire the Tor relay a Heartbreak token.
Tue, Jan 21, 7:28 PM · Tor, Operations

Mon, Jan 20

Bawolff added a comment to T208188: RFC: Partial opt-out method for Content security policy.

Note: My patch is now much more complete and awaiting feedback :)

Mon, Jan 20, 10:43 AM · Core Platform Team, Patch-For-Review, ContentSecurityPolicy, TechCom-RFC, TechCom, Security-Team, Security

Wed, Jan 15

Bawolff added a comment to T242661: Use _host- prefixed cookies for session cookies.

I think the {wikiid}session are the ones to really focus on. At first glance I don't see meaningful attacks for the others (although I have no idea what PHP_ENGINE is, or why metawikisession would be set on enwiki). Although I suppose applying it to other cookies can't hurt, and better to be secure by default.

Wed, Jan 15, 10:49 PM · Security-Team, MediaWiki-Authentication-and-authorization, Security

Tue, Jan 14

Bawolff added a comment to T240884: Standalone service to evaluate user-provided regular expressions.

I think the main question to answer is "does it make sense to create a safe regex evaluation service?".
I think in a void the answer is "no". It could make sense to create a small C++ program wrapping the main re2 functionality and shell out to it from php.
On the other hand, we have to consider the wikimedia infrastructure for this and there are two counterpoints to be made:

  • Is this a service we can only expect MediaWiki to call? If not, that's a point in favour of creating a separate service
  • Shelling out for us works well by using a combination of firejail and cgroups creation that won't work well in the future with cgroups v2 and containerization
  • Performance might not be extremely relevant

Now on the last point: this proposal seems to worry a lot about performance, but I see no performance requirement spelled out. Without more context, both the choice of shelling out vs. an RPC service, and the proposal to use gRPC for said service seem to me like premature optimizations.
So my questions are:

  • What is the 95th percentile of latency in validating all the constraints on an item when editing it?
  • What is the average, median and max number of regexes we need to validate per item?

Without answering those questions, we would just make choices by principle, while I think we should have a more pragmatic approach.

Tue, Jan 14, 8:23 PM · User-Addshore, TechCom-RFC, Wikidata

Mon, Jan 13

Bawolff created T242661: Use _host- prefixed cookies for session cookies.
Mon, Jan 13, 7:43 PM · Security-Team, MediaWiki-Authentication-and-authorization, Security

Sat, Jan 11

Bawolff added a comment to T242520: Allow Cloud mailing list to be indexed .

Note that the archives do replace @ signs with "at" for whatever good that does. Personally I think ease of finding answers to old questions outweighs spam concerns. The type of spammers that mass crawl the internet probably also just subscribe to all public mailing lists and don't respect robots.txt.

Sat, Jan 11, 11:11 PM · User-RhinosF1, Patch-For-Review, Operations, Wikimedia-Mailing-lists
Bawolff added a comment to T5537: SVGs fail to render silently if they contain an <image /> element.

That sounds like it's working as it should (?)

Sat, Jan 11, 6:55 PM · Thumbor, Wikimedia-SVG-rendering

Thu, Jan 9

Bawolff added a comment to T176312: Don’t check format constraint via SPARQL (safely evaluating user-provided regular expressions).

Just as an aside, the dirt simple solution here would be to shell out to grep -p (or even just to php fed just the preg_match call) and rely on limit.sh to prevent undue resource usage.

Thu, Jan 9, 5:18 AM · TechCom-RFC, Wikibase-Quality-Constraints, Wikibase-Quality, Wikidata

Wed, Jan 8

Bawolff added a comment to T237408: Flagged review bugs at Russian Wikinews: template/file change notification don't disappear when needed.

Hmm, $wgFlaggedRevsHandleIncludes looks to be 2 for ruwikinews, and Комментарии (ns 102) is not in $wgFlaggedNamespaces. Reading the docs:

"2 - (FR_INCLUDES_STABLE)",
"  For each template/file, check if a version of it was used when the page was reviewed and if the template/file itself has a stable version; use the newest those versions",
"NOTE: We may have templates that do not have stable version. Also, given situational inclusion of templates (e.g. parser functions selecting template X or Y based on date) there may also be no \"review time version\" revision ID for a template used on a page. In such cases, we select the current (unreviewed) revision. Likewise for files."

Wed, Jan 8, 10:54 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), MediaWiki-extensions-FlaggedRevs

Tue, Jan 7

Bawolff added a watcher for Security Readiness Reviews: Bawolff.
Tue, Jan 7, 7:26 PM

Fri, Jan 3

Bawolff created P10025 execute lua in mw context from commandline.
Fri, Jan 3, 3:49 AM

Thu, Jan 2

Bawolff awarded T167064: telnet gateway broken (unable to fetch articles) a Heartbreak token.
Thu, Jan 2, 4:57 AM · VPS-Projects

Sun, Dec 29

Bawolff added a watcher for deprecated-security-team-reviews: Bawolff.
Sun, Dec 29, 11:03 PM
Bawolff updated subscribers of T241437: Restore descriptions in opensearch API.

It would be nice if this breaking change were announced on the list like previous breaking changes, with a several month transition period so at least we can provide a seamless transition to our users.

Sun, Dec 29, 10:52 PM · MediaWiki-Search, Discovery-Search
Bawolff closed T240108: Make DynamicPageList_(wikimedia) use page images as the image in gallery mode for pages that are not in the File namespace as Resolved.
Sun, Dec 29, 6:31 PM · MW-1.35-notes (1.35.0-wmf.14; 2020-01-07), DynamicPageList (Wikimedia), Google-Code-in-2019

Sat, Dec 28

Bawolff renamed T241516: Query tab of $wgDebugToolbar is broken when $wgDebugLogFile is false from Query tab of $wgDebugToolbar is broken to Query tab of $wgDebugToolbar is broken when $wgDebugLogFile is false.
Sat, Dec 28, 7:38 PM · Wikimedia-Rdbms, MediaWiki-Debug-Logger
Bawolff reopened T241516: Query tab of $wgDebugToolbar is broken when $wgDebugLogFile is false as "Open".

Ok, I get it, the query tab of $wgDebugToolbar only shows up if $wgDebugLogFile is set to something

Sat, Dec 28, 7:38 PM · Wikimedia-Rdbms, MediaWiki-Debug-Logger
Bawolff closed T241516: Query tab of $wgDebugToolbar is broken when $wgDebugLogFile is false as Invalid.

I don't get it, I changed nothing but this randomly started working :S. Oh well, sorry for the spam

Sat, Dec 28, 7:36 PM · Wikimedia-Rdbms, MediaWiki-Debug-Logger
Bawolff added a comment to T241516: Query tab of $wgDebugToolbar is broken when $wgDebugLogFile is false.

It should be noted that queries also no longer show up in the $wgDebugLogFile file, which I usually use as a catch-all for all debugging channels.

Sat, Dec 28, 7:33 PM · Wikimedia-Rdbms, MediaWiki-Debug-Logger
Bawolff created T241516: Query tab of $wgDebugToolbar is broken when $wgDebugLogFile is false.
Sat, Dec 28, 7:29 PM · Wikimedia-Rdbms, MediaWiki-Debug-Logger

Fri, Dec 27

Bawolff added a comment to T156847: Core should be aware of the domain it is running on and render mobile domains where necessary.

Just to clarify this task - we are only talking about "official" domains, we are not talking about blindly accepting what is in the host header, right?

Fri, Dec 27, 10:16 PM · Core Platform Team, Developer-Wishlist (2017), MediaWiki-General

Wed, Dec 25

Bawolff added a comment to T158604: Investigate usefulness of SameSite cookies for logged-in accounts.

How does SameSite=lax work with credentialed CORS requests? That's the only issue I could possibly see with

Wed, Dec 25, 11:38 PM · Security-Team, Security, Operations, Traffic, MediaWiki-Authentication-and-authorization
Bawolff awarded T158604: Investigate usefulness of SameSite cookies for logged-in accounts a Love token.
Wed, Dec 25, 11:23 PM · Security-Team, Security, Operations, Traffic, MediaWiki-Authentication-and-authorization

Dec 24 2019

Bawolff added a comment to T240455: Large TIFF files do not pass file verification (related to version of image magick installed).

Maybe it's just that Debian has adjusted the memory limit policies between versions?
We should compare the memory and disk limits in /etc/ImageMagick-6/policy.xml

Dec 24 2019, 9:47 PM · WMSE-Bug-Reporting-and-Translation-2019, Operations, Patch-For-Review, Multimedia, Commons, MediaWiki-extensions-PagedTiffHandler

Dec 23 2019

Bawolff added a comment to T234907: RFC: Where to implement Desktop Improvements project.

I just wanted to highlight that we need to take precautions while working on the Vector skin. Some popular 3rd party skins/extensions depend heavily on Vector. For example Hydra developed/used by Gamepedia has HydraSkin, and the SkinHydra class extends SkinVector ( source code: https://gitlab.com/hydrawiki/skins/hydra/blob/master/SkinHydra.php ), therefore any bigger changes to SkinVector might break their sites.
It looks like at least one 3rd party is reusing Vector skin for their custom solutions. Therefore we can expect that many other 3rd parties do the same.

Dec 23 2019, 4:30 PM · TechCom-RFC (TechCom-Approved), Readers-Web-Backlog (Kanbanana-2019-20-Q3), Desktop Improvements
Bawolff added a comment to T208188: RFC: Partial opt-out method for Content security policy.

Question: Why is this being done in a separate table rather than as a user preference (even if it is set using a dedicated special page instead of via preferences)? I.e., why not have the new special page, after ensuring authentication, etc. save a preference?

Dec 23 2019, 10:51 AM · Core Platform Team, Patch-For-Review, ContentSecurityPolicy, TechCom-RFC, TechCom, Security-Team, Security
Bawolff awarded T76245: Create ability to trivially spin up MediaWiki instance of a particular patch/diff a Mountain of Wealth token.
Dec 23 2019, 3:42 AM · Developer Productivity, MediaWiki-Vagrant, Labs-Vagrant, MediaWiki-General

Dec 21 2019

Roy17 awarded T71311: Swift outage caused a bunch of moved files to be "inconsistent" and "missing" a Burninate token.
Dec 21 2019, 5:33 PM · SRE-swift-storage, Commons, Wikisource

Dec 18 2019

Bawolff added a comment to T240951: Abusefilter throttle did not work at dewiki.

As a side note, it's vital to investigate soon and quickly, because if the logs get garbage collected, we'll have no way to understand what went wrong.

Dec 18 2019, 2:47 PM · User-Daimona, AbuseFilter

Dec 17 2019

Bawolff added a comment to T240956: User defined CSS does not work on the page "Special:Preferences".

This is intentional. It can be controlled by $wgAllowSiteCSSOnRestrictedPages

Dec 17 2019, 3:14 PM · MediaWiki-Special-pages
Bawolff added a comment to T240951: Abusefilter throttle did not work at dewiki.

Just writing this down for reference as it was annoying to figure out, I think the memcached key in question is dewiki:abusefilter:throttle:290:user,page:ce12284db0992734fd982f4a3ddd1f5f2b5c5408 (aka dewiki:abusefilter:throttle:290:user,page:sha1( "404212:Wikipedia Diskussion:Schiedsgericht/Anfragen/Diskussionskomplexim Umfeld \"Anetta Kahane\"" ) )

Dec 17 2019, 3:02 PM · User-Daimona, AbuseFilter

Dec 16 2019

Bawolff closed T240623: $wgCategoryTreeMaxDepth broken (Incorrect merge method used in extension.json) as Resolved.
Dec 16 2019, 11:57 PM · MW-1.35-notes (1.35.0-wmf.11; 2019-12-17), Google-Code-in-2019, MediaWiki-extensions-CategoryTree
Bawolff renamed T240455: Large TIFF files do not pass file verification (related to version of image magick installed) from Large TIFF files do not pass file verification to Large TIFF files do not pass file verification (related to version of image magick installed).
Dec 16 2019, 4:25 PM · WMSE-Bug-Reporting-and-Translation-2019, Operations, Patch-For-Review, Multimedia, Commons, MediaWiki-extensions-PagedTiffHandler
Bawolff added a project to T240455: Large TIFF files do not pass file verification (related to version of image magick installed): Operations.

I can also confirm that if I compile from source (Version: ImageMagick 7.0.9-8 Q16 x86_64 2019-12-16) identify works properly on this tiff file.

Dec 16 2019, 4:25 PM · WMSE-Bug-Reporting-and-Translation-2019, Operations, Patch-For-Review, Multimedia, Commons, MediaWiki-extensions-PagedTiffHandler
Bawolff added a comment to T240455: Large TIFF files do not pass file verification (related to version of image magick installed).

Hmm, I'm using the version from debian buster

Version: ImageMagick 6.9.10-23 Q16 x86_64 20190101 https://imagemagick.org
Copyright: © 1999-2019 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC Modules OpenMP 
Delegates (built-in): bzlib djvu fftw fontconfig freetype heic jbig jng jp2 jpeg lcms lqr ltdl lzma openexr pangocairo png tiff webp wmf x xml zlib

Dec 16 2019, 3:51 PM · WMSE-Bug-Reporting-and-Translation-2019, Operations, Patch-For-Review, Multimedia, Commons, MediaWiki-extensions-PagedTiffHandler
Bawolff added a comment to T185664: Code stewardship review: FlaggedRevs.

The task specifies that there are no security bugs - T234736 is a security bug I filed in October

Dec 16 2019, 12:21 AM · Release-Engineering-Team (Code Health), MediaWiki-extensions-FlaggedRevs, Code-Stewardship-Reviews

Dec 15 2019

Bawolff added a comment to T209572: Feature Policy Reporting origin trial.

CSP is moving to using the reports-to header. At some point it might make sense to make our CSP reporting use this style of report-to with the varnishkafka beacon instead of the current solution involving the api module.

Dec 15 2019, 6:02 PM · MW-1.34-notes (1.34.0-wmf.10; 2019-06-18), Security-Team, Performance-Team
Bawolff added a comment to T240775: Support PHP 7.4 preload.

What I see as the biggest "blocker" for this to be used on wmf infrastructure, would be the fact, that you can not preload separate files which define the same class names or functions (as they would conflict obviously). So, using multiple different versions of MediaWiki within the same scope of a single php-fpm is not possible if you want to preload all versions. You would either need to decide if you want to preload only one version of MediaWiki or neither of them. I think that's kind of impossible to decide and, at the same time, get any benefit of preloading at all?

Dec 15 2019, 12:30 PM · TechCom-RFC
Bawolff added a comment to T240775: Support PHP 7.4 preload.

Based on the description here, it sounds pretty impossible to use this with hetdeploy, so is this about third parties only?

Dec 15 2019, 4:42 AM · TechCom-RFC

Dec 13 2019

Bawolff added a comment to T208186: UploadWizard: Unknown error: "$1"..

If nothing else, the message used should be switched from apierror-unknownerror to apierror-unknownerror-nocode, although an actually useful error would be nice.

Dec 13 2019, 7:03 PM · Commons, Multimedia, UploadWizard
Bawolff added a comment to T240455: Large TIFF files do not pass file verification (related to version of image magick installed).

btw, for reference, at least locally, the command that is timing out is:

Dec 13 2019, 5:42 PM · WMSE-Bug-Reporting-and-Translation-2019, Operations, Patch-For-Review, Multimedia, Commons, MediaWiki-extensions-PagedTiffHandler
Bawolff added a comment to T240455: Large TIFF files do not pass file verification (related to version of image magick installed).

As a small experiment I used ImageMagick to remove the alpha channel

convert norrie.tiff -alpha off output.tiff

on the example file. Uploading using the wizard gave

Unknown error: "$1".

So I'm not sure that preprocessing the batch with something like ImageMagick is an easy fix.

Dec 13 2019, 4:35 PM · WMSE-Bug-Reporting-and-Translation-2019, Operations, Patch-For-Review, Multimedia, Commons, MediaWiki-extensions-PagedTiffHandler
Bawolff closed T203733: Replace usage of ParserOutputHook in Extension:NoCat with OutputPageParserOutput hook as Resolved.

Looks good.

Dec 13 2019, 12:53 AM · Google-Code-in-2019, MediaWiki-extensions-Other
Bawolff moved T240623: $wgCategoryTreeMaxDepth broken (Incorrect merge method used in extension.json) from Proposed tasks to Imported in GCI Site on the Google-Code-in-2019 board.
Dec 13 2019, 12:52 AM · MW-1.35-notes (1.35.0-wmf.11; 2019-12-17), Google-Code-in-2019, MediaWiki-extensions-CategoryTree
Bawolff renamed T240623: $wgCategoryTreeMaxDepth broken (Incorrect merge method used in extension.json) from $wgCategoryTreeMaxDepth broken (Something wrong with how extension registration merges values?) to $wgCategoryTreeMaxDepth broken (Incorrect merge method used in extension.json).
Dec 13 2019, 12:51 AM · MW-1.35-notes (1.35.0-wmf.11; 2019-12-17), Google-Code-in-2019, MediaWiki-extensions-CategoryTree
Bawolff added a project to T240623: $wgCategoryTreeMaxDepth broken (Incorrect merge method used in extension.json): Google-Code-in-2019.
Dec 13 2019, 12:47 AM · MW-1.35-notes (1.35.0-wmf.11; 2019-12-17), Google-Code-in-2019, MediaWiki-extensions-CategoryTree

Dec 12 2019

Bawolff created T240623: $wgCategoryTreeMaxDepth broken (Incorrect merge method used in extension.json).
Dec 12 2019, 9:10 PM · MW-1.35-notes (1.35.0-wmf.11; 2019-12-17), Google-Code-in-2019, MediaWiki-extensions-CategoryTree
Bawolff added a comment to T240565: Expose own IP address in API.

To me this seems a bit like the wrong approach. Shouldn't the "you are blocked" API response contain all the relevant info about the block, including the IP if that is relevant? It seems a bit fragile to require the client to know that for this type of block, the user's IP is relevant info.

Dec 12 2019, 3:41 PM · Patch-For-Review, User-Michael, Privacy, MediaWiki-API, Core Platform Team

Dec 11 2019

Bawolff added a comment to T240455: Large TIFF files do not pass file verification (related to version of image magick installed).

identify-im6.q16: cache resources exhausted `Anna Norrie, rollporträtt - SMV - NN054.tif' @ error/cache.c/OpenPixelCache/4083.

Dec 11 2019, 2:52 PM · WMSE-Bug-Reporting-and-Translation-2019, Operations, Patch-For-Review, Multimedia, Commons, MediaWiki-extensions-PagedTiffHandler

Dec 10 2019

Bawolff awarded T240307: Hook container with strong types and DI a Like token.
Dec 10 2019, 5:28 AM · TechCom-RFC (TechCom-Approved), User-Daniel, Core Platform Team
Bawolff added a comment to T240258: Make WatchTranslations use identity-only email-allowed token.

I mean, email addresses are probably the most private info we store, so the message seems fair to me. Maybe it should say something like e.g. email address & whatever else is included.

Dec 10 2019, 5:05 AM · User-Urbanecm, Privacy, WatchTranslations

Dec 9 2019

Bawolff added a comment to T199688: Decide if H141 ("Add security tag when Security flag is set to Software security bug") is needed or not.

FWIW it's really convenient to me to have a tag that security-protected bugs are tagged with. It doesn't have to be named security but having a tag is nice.

Dec 9 2019, 5:44 PM · Security-Team, Phabricator, Security
Bawolff closed T223840: Can/should *.wmflabs.org be added to the default-src Content Security Policy?, a subtask of T220475: XTools' ArticleInfo gadget will be blocked by CSP, as Declined.
Dec 9 2019, 4:16 PM · XTools
Bawolff closed T223840: Can/should *.wmflabs.org be added to the default-src Content Security Policy? as Declined.

The plan is to have a preference, where users can adjust their CSP header (T208188). We will not be adding wmflabs.org to the allow list by default though but users will be able to opt into it.

Dec 9 2019, 4:16 PM · Cloud-Services, Privacy, Security, Wikimedia-Site-requests
Bawolff closed T223840: Can/should *.wmflabs.org be added to the default-src Content Security Policy?, a subtask of T223776: Create Wikidata autocomplete gadget for external entities , as Declined.
Dec 9 2019, 4:16 PM · Wikidata, Wikidata-Gadgets, Wikimedia-Hackathon-2019
Bawolff closed T223840: Can/should *.wmflabs.org be added to the default-src Content Security Policy?, a subtask of T227162: Selecting "Good Pictures" button in Commons categories does not do anything (due to HTTP 502 error on http://fastcci1.wmflabs.org), as Declined.
Dec 9 2019, 4:16 PM · VPS-Projects, Commons
Bawolff updated the task description for T240108: Make DynamicPageList_(wikimedia) use page images as the image in gallery mode for pages that are not in the File namespace.
Dec 9 2019, 3:59 PM · MW-1.35-notes (1.35.0-wmf.14; 2020-01-07), DynamicPageList (Wikimedia), Google-Code-in-2019
Bawolff updated the task description for T240108: Make DynamicPageList_(wikimedia) use page images as the image in gallery mode for pages that are not in the File namespace.
Dec 9 2019, 3:55 PM · MW-1.35-notes (1.35.0-wmf.14; 2020-01-07), DynamicPageList (Wikimedia), Google-Code-in-2019
Bawolff moved T240108: Make DynamicPageList_(wikimedia) use page images as the image in gallery mode for pages that are not in the File namespace from Proposed tasks to Information needed on the Google-Code-in-2019 board.
Dec 9 2019, 3:31 PM · MW-1.35-notes (1.35.0-wmf.14; 2020-01-07), DynamicPageList (Wikimedia), Google-Code-in-2019
Bawolff added a comment to T223010: Replace usages of Linker::link().

What is the difference to T149346?

Dec 9 2019, 3:20 PM · Google-Code-in-2019, Technical-Debt, MediaWiki-extensions-General, MediaWiki-General
Bawolff moved T203733: Replace usage of ParserOutputHook in Extension:NoCat with OutputPageParserOutput hook from Missing mentors to Imported in GCI Site on the Google-Code-in-2019 board.
Dec 9 2019, 3:11 PM · Google-Code-in-2019, MediaWiki-extensions-Other
Bawolff renamed T203733: Replace usage of ParserOutputHook in Extension:NoCat with OutputPageParserOutput hook from Extension:NoCat isn't setting up ParserOutputHook properly to Replace usage of ParserOutputHook in Extension:NoCat with OutputPageParserOutput hook.
Dec 9 2019, 3:08 PM · Google-Code-in-2019, MediaWiki-extensions-Other
Bawolff added a comment to T203733: Replace usage of ParserOutputHook in Extension:NoCat with OutputPageParserOutput hook.

Guess I can mentor this for GCI

Dec 9 2019, 2:24 PM · Google-Code-in-2019, MediaWiki-extensions-Other
Bawolff added a comment to T231518: Add *.wmflabs.org to w.wiki shortener.

I guess the biggest risk here is phishing potential, whether directly or via an open redirect?

Dec 9 2019, 7:58 AM · Wikimedia-Site-requests, Security-Team, MediaWiki-extensions-UrlShortener

Dec 8 2019

Bawolff added a comment to T231518: Add *.wmflabs.org to w.wiki shortener.

Also what happens if a tool gets whitelisted and then fails to keep up high standards? Do we break all the links?

Dec 8 2019, 3:33 PM · Wikimedia-Site-requests, Security-Team, MediaWiki-extensions-UrlShortener
Bawolff created T240108: Make DynamicPageList_(wikimedia) use page images as the image in gallery mode for pages that are not in the File namespace.
Dec 8 2019, 3:15 PM · MW-1.35-notes (1.35.0-wmf.14; 2020-01-07), DynamicPageList (Wikimedia), Google-Code-in-2019
Bawolff added a comment to T155029: MediaWiki.org: Generate infoboxes from extension.json in git.

Assuming that https://www.mediawiki.org/wiki/Module:ExtensionJson is kept updated by bot, I can update the template to extract data from there. At https://www.mediawiki.org/wiki/Module:Extension/sandbox I'm rewriting the current template display in lua, which eventually will control the entire infobox rather than just providing specific pieces of data.

Dec 8 2019, 2:16 PM · User-DannyS712, Tool-extjsonuploader, User-Tgr, MediaWiki-Stakeholders-Group, Developer-Wishlist (2017), MediaWiki-Documentation, Documentation
Bawolff moved T240103: Generate list of missing functions on Extension:Scribunto/Lua_reference_manual from Proposed tasks to Imported in GCI Site on the Google-Code-in-2019 board.
Dec 8 2019, 1:39 PM · Documentation, Google-Code-in-2019
Bawolff created T240103: Generate list of missing functions on Extension:Scribunto/Lua_reference_manual.
Dec 8 2019, 1:35 PM · Documentation, Google-Code-in-2019
Bawolff added a comment to T237873: Deprecate and remove extension database updating globals.

I've tried using DeprecatedGlobal, but that class is not suitable for globals using non-objects; for arrays, it'll result in a PHP warning: Cannot use object of type DeprecatedGlobal as array. I'm not sure what else could serve a clear deprecation warning. You could add a check to DatabaseUpdater::getOldGlobalUpdates that checks if any of the globals is something else than [], but that doesn't tell you what extension caused that warning.

Dec 8 2019, 12:43 PM · MW-1.35-notes (1.35.0-wmf.10; 2019-12-10), Patch-For-Review, MediaWiki-General, Technical-Debt
Bawolff added a comment to T237873: Deprecate and remove extension database updating globals.

Well, my reasoning was that with T223939: Type-hint all onLoadExtensionSchemaUpdate hook handler $updater parameter with DatabaseUpdater type (which would result in prohibiting passing null; therefore making the backwards compatibility fallback an un-executable branch of code), any of the known extensions use it as backwards compatibility only, its effective obsolescence in 1.17 and the fact that some globals lack documentation, we're effectively dealing with dead code here. I think we'd be hard-pressed to find anything relying on these globals that is still compatible with MediaWiki 1.35.

Dec 8 2019, 8:50 AM · MW-1.35-notes (1.35.0-wmf.10; 2019-12-10), Patch-For-Review, MediaWiki-General, Technical-Debt

Dec 6 2019

Bawolff added a project to T218308: Add gerrit.wikimedia.org to the Phabricator CSP: ContentSecurityPolicy.
Dec 6 2019, 11:49 PM · ContentSecurityPolicy, Traffic, Security-Team, Operations, Phabricator, Gerrit

Dec 5 2019

Bawolff added a comment to T237873: Deprecate and remove extension database updating globals.

Why no deprecation? Doesn't seem like there is an urgent need to remove or that it's blocking anything. Even if code search says no results this was still a very directly public API, there could be extensions elsewhere using it that would benefit from deprecation warnings.

Dec 5 2019, 4:19 PM · MW-1.35-notes (1.35.0-wmf.10; 2019-12-10), Patch-For-Review, MediaWiki-General, Technical-Debt

Dec 4 2019

Bawolff added a comment to T239778: Security review of banner with FB and Twitter share buttons.

I'm not the person doing the review, but I did notice there is an XSS in this banner: https://en.wikipedia.org/w/index.php?title=Talk:RandomPageThatDoesntexist&action=submit&section=new&preloadtitle=%3Cdiv%20class%3Dfrb%3E%3Cspan%20class%3D%22%25AVERAGE%25%22%20data-foo%3D%22%26lt%3Bscript%26gt%3Balert(%27XSS%20on%3A%20%27%20%2B%20document.domain)%26lt%3B%2Fscript%26gt%3B%22%3E%3C%2Fspan%3E%3C%2Fdiv%3E&nosummary=true&banner=scervantes_B1920_0701_enWW_dsk_p1_lg_template_share_inbanner&force=1&preview%00=yes

Dec 4 2019, 11:05 PM · Security Readiness Reviews, Privacy Engineering, MediaWiki-extensions-CentralNotice, Privacy, Fundraising-Backlog
Bawolff updated the task description for T239077: Define policy aspects of CSP on wiki.
Dec 4 2019, 9:37 PM · Privacy Engineering, Documentation, Privacy, Security-Team, ContentSecurityPolicy

Dec 2 2019

Bawolff awarded T235329: When adding depict statements on Commons, include more information in the edit summary a Mountain of Wealth token.
Dec 2 2019, 9:24 AM · StructuredDataOnCommons, Commons
Bawolff added a comment to T191978: Devise a process for finding and fixing filters that will be affected by changes in AbuseFilter.

Filters are stored in externalstorage, right? It would be very difficult to do that in a single query. But a maintenance script to find all that match a certain regex is certainly do-able (To find them, as said above, autofix is hard). If someone writes a maintenance script, then anyone with shell access can run it (e.g. make a request with Wikimedia-Site-requests ). I imagine, for who can see the answer, it would be anyone who in principle would have the rights to see the answer on wiki (I guess that means stewards?) and people who have signed developer related ndas.

Dec 2 2019, 9:02 AM · AbuseFilter
Bawolff added a comment to T238618: Adopt a CSP policy for query.wikidata.org.

So I guess the next question is, where to set the CSP headers. My guess would be in sub cluster_fe_deliver of text-frontend.inc.vcl.erb, but I'm really not sure if that is the correct place.

Dec 2 2019, 4:40 AM · Wikidata Query UI, Wikidata, ContentSecurityPolicy
Bawolff added a hashtag to ContentSecurityPolicy: #content-security-policy.
Dec 2 2019, 3:37 AM
Bawolff added a comment to T239562: Allow filtering spam blacklist log entries by URL.

Filtering per namespace, specifically the User namespace, may be helpful as well. This would allow us to identify userpage spambots. Should a separate issue be opened for "Allow filtering spam blacklist log entries by namespace", or should this issue be renamed to "Allow filtering spam blacklist log entries by URL and namespace"?

Dec 2 2019, 3:33 AM · SpamBlacklist

Nov 29 2019

Bawolff awarded T187617: Add security.txt to Wikimedia sites? a Love token.
Nov 29 2019, 9:55 AM · Security-Team, Documentation, Wikimedia-General-or-Unknown, Security

Nov 28 2019

Bawolff added a comment to T210959: Make tools-static fontcdn/ and cdnjs/ redact UA.

Modern Edge, Chrome, Safari and Firefox all support woff2, so that's probably why it gives the same results for both Firefox and Safari UAs. I imagine you'll get different results for Opera Mini, IE11 and maybe older Safari.

Nov 28 2019, 5:29 AM · cloud-services-team (Kanban), Toolforge, Privacy

Nov 27 2019

Bawolff added a comment to T238651: Discussion re. `Trusted-Contributors` Gerrit group.

At the time I was kind of thinking of trusted contribs as being kind of like autoconfirmed but for gerrit

Nov 27 2019, 8:50 PM · TechCom, Gerrit-Privilege-Requests

Nov 25 2019

Bawolff added a comment to T208188: RFC: Partial opt-out method for Content security policy.

CREATE TABLE /*_*/csp_sources (
	csp_user int unsigned NOT NULL, /* user id of the opting-out user */
	csp_url VARBINARY(255) NOT NULL, /* not csp_domain ; per Daniel's comment */
	csp_timestamp BINARY(14) NOT NULL /* MediaWiki-style timestamp of when the entry was added */
);

Not sure if it was discussed above, but from a security/privacy perspective, it probably makes sense to redact csp_url (or whatever it ends up being) from dumps, etc. so as not to expose those specific resources to potential attackers. In fact, it might make sense to go even further and redact the entire table since I'm not sure how much informational value it has other than to potential attackers.

Nov 25 2019, 8:51 PM · Core Platform Team, Patch-For-Review, ContentSecurityPolicy, TechCom-RFC, TechCom, Security-Team, Security
Bawolff added a comment to T208188: RFC: Partial opt-out method for Content security policy.

An additional concern - ideally, a malicious script looking to either exfiltrate data [To be clear, fully preventing exfiltration is basically impossible, and out of scope. CSP will prevent the obvious methods though] or receive instructions from an external source, should not be able to simply adjust the allow list. Otherwise there wouldn't be much point to having a whitelist. To that end, I would strongly like that adding an entry to the allow list requires the user to re-authenticate, similar to changing an email. This is one of my main motivations for proposing a separate table, instead of just adding a preference.

Nov 25 2019, 11:47 AM · Core Platform Team, Patch-For-Review, ContentSecurityPolicy, TechCom-RFC, TechCom, Security-Team, Security
Bawolff added a comment to T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki.

Localhost URLs should be added to the CSP. Not being able to load javascript from a local server would severely impede development of user scripts and gadgets. Thanks.

Nov 25 2019, 11:42 AM · ContentSecurityPolicy, Core Platform Team Legacy (Watching / External), TechCom-RFC (TechCom-Approved), Patch-For-Review, Epic, Security-Team
Bawolff triaged T239069: Give MW a .htaccess in the images directory to mirror Wikimedia's CSP settings as Low priority.
Nov 25 2019, 11:40 AM · Patch-For-Review, ContentSecurityPolicy
Bawolff added a comment to T239077: Define policy aspects of CSP on wiki.

When is it acceptable to load external scripts (Current de-facto: same as above, although I'd like to change it)

Nov 25 2019, 11:34 AM · Privacy Engineering, Documentation, Privacy, Security-Team, ContentSecurityPolicy
Bawolff moved T239078: Deploy CSP policy in enforce mode for MW to logged out users from Backlog to MediaWiki on the ContentSecurityPolicy board.
Nov 25 2019, 10:20 AM · ContentSecurityPolicy
Bawolff moved T239077: Define policy aspects of CSP on wiki from Backlog to MediaWiki on the ContentSecurityPolicy board.
Nov 25 2019, 10:20 AM · Privacy Engineering, Documentation, Privacy, Security-Team, ContentSecurityPolicy
Bawolff created T239078: Deploy CSP policy in enforce mode for MW to logged out users.
Nov 25 2019, 10:19 AM · ContentSecurityPolicy
Bawolff created T239077: Define policy aspects of CSP on wiki.
Nov 25 2019, 10:17 AM · Privacy Engineering, Documentation, Privacy, Security-Team, ContentSecurityPolicy
Bawolff added a comment to T208188: RFC: Partial opt-out method for Content security policy.

Regarding UI for populating the table, the options seem to be:

Nov 25 2019, 10:07 AM · Core Platform Team, Patch-For-Review, ContentSecurityPolicy, TechCom-RFC, TechCom, Security-Team, Security
Bawolff added a comment to T208188: RFC: Partial opt-out method for Content security policy.

@Bawolff I see no one has commented here in the last weeks. CSP is enabled for ~3 months and there are important privacy concerns with the current situation (T207900#4846582).
Would you mind closing the RFC and breaking this into tasks based on what was agreed here?

Nov 25 2019, 9:55 AM · Core Platform Team, Patch-For-Review, ContentSecurityPolicy, TechCom-RFC, TechCom, Security-Team, Security
Bawolff moved T239069: Give MW a .htaccess in the images directory to mirror Wikimedia's CSP settings from Backlog to MediaWiki on the ContentSecurityPolicy board.
Nov 25 2019, 9:52 AM · Patch-For-Review, ContentSecurityPolicy
Bawolff created T239069: Give MW a .htaccess in the images directory to mirror Wikimedia's CSP settings.
Nov 25 2019, 9:48 AM · Patch-For-Review, ContentSecurityPolicy
Bawolff moved T239068: Set CSP to enforce across all of upload.wikimedia.org from Backlog to upload.wikimedia.org on the ContentSecurityPolicy board.
Nov 25 2019, 9:46 AM · ContentSecurityPolicy
Bawolff moved T239066: Engage with users about enforced CSP policy on upload.wikimedia.org from Backlog to upload.wikimedia.org on the ContentSecurityPolicy board.
Nov 25 2019, 9:46 AM · ContentSecurityPolicy
Bawolff moved T239065: Have final CSP policy for upload.wikimedia.org be in report-only mode for all projects from Backlog to upload.wikimedia.org on the ContentSecurityPolicy board.
Nov 25 2019, 9:46 AM · ContentSecurityPolicy
Bawolff created T239068: Set CSP to enforce across all of upload.wikimedia.org.
Nov 25 2019, 9:46 AM · ContentSecurityPolicy