Bawolff (Brian Wolff)
SecurityAdministrator

User Details

User Since
Oct 25 2014, 1:53 AM (263 w, 4 d)
Roles
Administrator
Availability
Available
IRC Nick
Bawolff
LDAP User
Brian Wolff
MediaWiki User
Bawolff

I work on the MediaWiki Security Team.

Recent Activity

Yesterday

Bawolff added a comment to T218724: MassMessage to email should show section header, not bot username.

It's probably technically easier to do it for all (although probably politically harder)

Tue, Nov 12, 10:02 PM · Growth-Team, Notifications, MassMessage
Bawolff updated subscribers of T238150: patch-drop-ct_tag.sql causes duplicate entries for key change_tag_rc_tag_id.

Related to task T91535

Tue, Nov 12, 9:02 PM · MediaWiki-Installer
Bawolff added a comment to T218724: MassMessage to email should show section header, not bot username.

So digging further into the code, I can confirm that mass message bot messages get classified as unknown-unsigned-addition (probably because of the fake sig that involves interwiki links), which don't send the header. It's unclear to me if that's generally something that should change for all unsigned-additions or if we should special case it for mass message. Like if someone adds a section, why does it matter if they sign their edit or not?

Tue, Nov 12, 8:58 PM · Growth-Team, Notifications, MassMessage
Bawolff added a comment to T218724: MassMessage to email should show section header, not bot username.

So testing locally, it looks like it only includes the section header in the email alert if it detects a signature.

Tue, Nov 12, 7:55 PM · Growth-Team, Notifications, MassMessage
mmodell awarded T238132: Change username a Like token.
Tue, Nov 12, 7:38 PM · Phabricator
Bawolff added a comment to T229646: Flow handled <pre> tags incorrectly (does not assume <nowiki> with normal parser does).

Oh, issue was that the <pre> tag wasn't closed, and I didn't notice. My bad. Behaviour is still weird, but it's the same weirdness between MW core parser and flow, so not a bug.

Tue, Nov 12, 7:23 PM · Growth-Team, StructuredDiscussions
Bawolff added a comment to T229646: Flow handled <pre> tags incorrectly (does not assume <nowiki> with normal parser does).

Sorry, I missed the notice about the earlier ping.

Tue, Nov 12, 7:20 PM · Growth-Team, StructuredDiscussions
Bawolff closed T238132: Change username as Resolved.

Well, I've never done a user rename on phab before, but there's a button labelled rename user, and it seemed to work, so hopefully that's all that needs to be done.

Tue, Nov 12, 7:10 PM · Phabricator
Bawolff renamed DutchTina from DutchTom to DutchTina.
Tue, Nov 12, 7:09 PM

Mon, Nov 11

Bawolff added a comment to T237852: System Adminstrator avoids CSRF attacks on MediaWiki REST API.

@Bawolff see https://www.oauth.com/oauth2-servers/single-page-apps/ for how OAuth 2 can be accomplished without a server or an app secret. Effectively it relies on HTTPS (and the server) giving the client id and secret to only the registered app domain (via a redirect). In this way, unless the app gives away the client secret (or the client does) requests from that client id and secret are known to come only from that application. I'm not sure if this can be accomplished with OAuth 1.0 as it does not require HTTPS (afaik).

Mon, Nov 11, 3:40 PM · Security-Team, Story, Core Platform Team Workboards (User Stories), MediaWiki-REST-API, CPT Initiatives (Core REST API in PHP)
Bawolff added a comment to T237503: Add capabality for attachments in Special:EmailUser.

The easier way must not exclude other ways w/o at least one trial.

Mon, Nov 11, 5:28 AM · MediaWiki-Email
Bawolff removed a project from T237830: Add right "abusefilter-log-private" to rollbackers at ptwiki: WMF-Legal.

My bad, you are correct. I did confuse myself

Mon, Nov 11, 4:49 AM · Wikimedia-Site-requests
Bawolff added a comment to T237830: Add right "abusefilter-log-private" to rollbackers at ptwiki.

This gives ip addresses - checkuser essentially. I think legal needs to approve this

I think you're confusing this with abusefilter-privatedetails and abusefilter-privatedetails-log - this right is just for viewing private filters (see, eg, T175684: Please create the Edit filter helper user group on en.wp). The only potential legal concern that I see is what I speculate about in T230320

Mon, Nov 11, 4:47 AM · Wikimedia-Site-requests
Bawolff added a project to T237830: Add right "abusefilter-log-private" to rollbackers at ptwiki: WMF-Legal.
Mon, Nov 11, 12:31 AM · Wikimedia-Site-requests
Bawolff added a comment to T237830: Add right "abusefilter-log-private" to rollbackers at ptwiki.

This gives ip addresses - checkuser essentially. I think legal needs to approve this

Mon, Nov 11, 12:30 AM · Wikimedia-Site-requests

Sun, Nov 10

Bawolff added a comment to T105064: Allow other website visibility of commons file usage.

Moving files breaks hotlinking 

Sun, Nov 10, 7:42 PM · WMF-Legal, Community-consensus-needed, Privacy, Commons
Bawolff added a comment to T237852: System Adminstrator avoids CSRF attacks on MediaWiki REST API.

So the current API mostly works under the assumption that authenticated CORS requests come from trusted (i.e. WMF operated) websites only. To use cookie authentication w/CSRF tokens for other websites is probably possible in theory, but would involve a much more complicated flow. I don't really think we should do that unless we have to.

Sun, Nov 10, 4:39 PM · Security-Team, Story, Core Platform Team Workboards (User Stories), MediaWiki-REST-API, CPT Initiatives (Core REST API in PHP)
Bawolff added a comment to T237852: System Adminstrator avoids CSRF attacks on MediaWiki REST API.

I added this ticket so we have one place to hash out issues on CSRF tokens. BY FAR, my preference is to support only OAuth authorization and enable CORS.

Sun, Nov 10, 1:48 PM · Security-Team, Story, Core Platform Team Workboards (User Stories), MediaWiki-REST-API, CPT Initiatives (Core REST API in PHP)

Fri, Nov 8

Bawolff added a comment to T234450: Some Special:Contributions requests cause "Error: 0" from database or WMFTimeoutException.

I think it would be interesting to try adding a per-user concurrency limit of say 2, enforced with PoolCounter. I don't think PoolCounter has been used in that way before, but I think it should work.

Fri, Nov 8, 1:31 PM · User-notice, Core Platform Team Workboards (Clinic Duty Team), Vuln-DoS, Security, Performance Issue, MediaWiki-Special-pages, Wikimedia-production-error

Thu, Nov 7

Bawolff awarded T237503: Add capabality for attachments in Special:EmailUser a Dislike token.
Thu, Nov 7, 4:00 AM · MediaWiki-Email
Bawolff added a comment to T237503: Add capabality for attachments in Special:EmailUser.

I would be concerned about the increased potential for phishing and viruses/other malicious attachments.

Thu, Nov 7, 4:00 AM · MediaWiki-Email

Wed, Nov 6

Bawolff added a comment to T68447: Allow providing a (manual) list of titles to delete on [[Special:Nuke]].

PPS. Fixing this phab would also obviate the need for the tasks blocked on T145966. I think we can safely conclude that Extension:DeleteBatch will never be adapted to get by @Bawolff's watchful eye; but maybe there is some synergy in making Extension:DynamicPageList and Extension:Nuke talk to each other?

Wed, Nov 6, 2:56 PM · MediaWiki-extensions-Nuke
Bawolff added a comment to T237408: Flagged review bugs at Russian Wikinews: template/file change notification don't disappear when needed.

Change 548951 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/extensions/FlaggedRevs@master] Fix cache invalidation in stableVersionIsSynced()
https://gerrit.wikimedia.org/r/548951

Wed, Nov 6, 4:56 AM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), MediaWiki-extensions-FlaggedRevs
Bawolff added a comment to T237408: Flagged review bugs at Russian Wikinews: template/file change notification don't disappear when needed.

For what it's worth, I do intend to look into this.

Wed, Nov 6, 3:31 AM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), MediaWiki-extensions-FlaggedRevs

Mon, Nov 4

Bawolff added a comment to T236636: Add bawolff to either NDA or WMF ldap group.

Ah sorry, I just logged in this morning to have an un-submitted post here. I had written 'Ok, wmf it is! @Bawolff I've added you (again) into the wmf LDAP group. Please confirm that you now can access what you need.'

Mon, Nov 4, 9:09 PM · Operations, LDAP-Access-Requests
Bawolff added a comment to T187752: Make hard limit of 5000 query results into a config variable.

Is the 500 limit on special:contribs even meant to be permanent or just a temporary stopgap?

Mon, Nov 4, 12:15 AM · MediaWiki-Page-History, Patch-For-Review, MediaWiki-Special-pages, MediaWiki-Configuration

Sun, Nov 3

Bawolff added a project to T208188: Proposal for partial opt-out method for Content security policy: ContentSecurityPolicy.
Sun, Nov 3, 10:13 AM · ContentSecurityPolicy, TechCom-RFC, TechCom, Security-Team, Security
Bawolff added a project to T117618: Add restrictive CSP to upload.wikimedia.org: ContentSecurityPolicy.
Sun, Nov 3, 10:12 AM · ContentSecurityPolicy, Patch-For-Review, Wikimedia-General-or-Unknown, Traffic, Operations, Security-Team
Bawolff added a project to T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki: ContentSecurityPolicy.
Sun, Nov 3, 10:12 AM · ContentSecurityPolicy, Core Platform Team Legacy (Watching / External), TechCom-RFC (TechCom-Approved), Patch-For-Review, Epic, Security-Team
Bawolff added a project to T28508: Content Security Policy (CSP): ContentSecurityPolicy.
Sun, Nov 3, 10:11 AM · ContentSecurityPolicy, Front-end-Standards-Group, Security, Security-Team, WorkType-NewFunctionality, MediaWiki-General
Bawolff closed T237181: Request for project for ContentSecurityPolicy as Resolved.

Didn't realize I could do this myself. https://phabricator.wikimedia.org/project/view/4365/ done now

Sun, Nov 3, 10:08 AM · Project-Admins
Bawolff created ContentSecurityPolicy.
Sun, Nov 3, 10:08 AM
Bawolff added a member for acl*Project-Admins: Bawolff.
Sun, Nov 3, 10:07 AM
Bawolff created T237181: Request for project for ContentSecurityPolicy.
Sun, Nov 3, 9:58 AM · Project-Admins
Bawolff added a comment to T117618: Add restrictive CSP to upload.wikimedia.org.

A small number of browsers seem to want android-webview-video-poster: as a source when viewing videos, but the number of reports is small enough that it's not clear if we should include it.

Sun, Nov 3, 9:46 AM · ContentSecurityPolicy, Patch-For-Review, Wikimedia-General-or-Unknown, Traffic, Operations, Security-Team

Fri, Nov 1

Bawolff closed T236636: Add bawolff to either NDA or WMF ldap group as Resolved.

I can confirm I can access logstash now, so I'm going to close this task as resolved.

Fri, Nov 1, 9:21 AM · Operations, LDAP-Access-Requests

Tue, Oct 29

Bawolff added a comment to T234907: RFC: Where to implement Desktop Improvements project.

I don't think we want to be in a situation where we have to maintain more skins, especially no more skins with significant user bases. The amount of support we need to give each skin is proportional to the number of people using it. Accordingly monobook gets very little attention, but this is mostly accepted by the community. If we end up in a situation where VectorNew is the default for new users, but because it diverged too quickly, most of the experienced community is still using VectorClassic for gadget support or comfort, then this will translate into an increased developer burden.
I think the only way to avoid this would be to make small incremental changes to Vector, with appropriate deprecation/breaking change notices, so that the ecosystem can keep up (aka proposal 2).

Tue, Oct 29, 11:45 PM · Readers-Web-Backlog (Kanbanana-2019-20-Q2), Desktop Improvements, TechCom-RFC
Bawolff added a comment to T214743: Code editor violates Content Security Policy directive ("blob:" with specific wp subdomain).

Interesting. I guess I naively would have assumed workers follow the usual JS loading, where it can execute cross domain but can't read.

Tue, Oct 29, 5:01 PM · MW-1.35-notes (1.35.0-wmf.4; 2019-10-29), CodeEditor
Bawolff added a comment to T236636: Add bawolff to either NDA or WMF ldap group.

Ah, sorry @Bawolff, I missed that you were no longer staff. Can you update your Phab and MW profile pages accordingly?
I think we don't yet have a volunteer NDA on file for you. We'll need that before we can add you to the 'nda' LDAP group. Ping @RStallman-legalteam.

Tue, Oct 29, 4:40 PM · Operations, LDAP-Access-Requests
Bawolff added a comment to T236723: PageImagesTest::testGivenNonExistingPageOnBeforePageDisplayDoesNotAddMeta: Call to a member function response() on null.

Looks like it was caused by 67ea4f5 . When mocking OutputPage without disabling the constructor you'll need to also mock calls to getConfig and getRequest methods.

Tue, Oct 29, 12:18 PM · MW-1.35-notes (1.35.0-wmf.4; 2019-10-29), Readers-Web-Backlog, Page-Previews, Growth-Team, ci-test-error, PageImages

Mon, Oct 28

Bawolff added a comment to T236444: Actor migration seems to have broken deleteDefaultMessages.php, and by extension the update process for really old wikis.

"MediaWiki default" is listed in $wgReservedUsernames, so User::isUsableName() considers it non-usable, so the actor migration allows it to be created with a null actor_user (and without a corresponding row in user). Which is also why the installer isn't needing to create it in the first place.

Mon, Oct 28, 4:06 PM · MW-1.35-notes (1.35.0-wmf.5; 2019-11-05), Core Platform Team Workboards (Clinic Duty Team), MediaWiki-Maintenance-scripts, MediaWiki-User-management, MediaWiki-Installer
Bawolff added a comment to T211881: graphoid: Code stewardship request.

@Yair_rand agreed the relatively larger JS component size is not ideal. We'll need to compensate with deferred/lazy loading. As for the comparison of the different media types, also agreed on the notion that there's a qualitative difference between static rasters of graphs that wouldn't have follow-on interactivity and plays of video/audio - this is more to note that JS as a requirement for some non-wikitext content is somewhat normal. Video and 3D have a raster, too, it's just that the stuff is intended to be played to enrich the experience. It's certainly a tradeoff around maintenance cost versus the benefits of inbuilt static rendering.

Mon, Oct 28, 4:40 AM · Release-Engineering-Team-TODO (201908), Release-Engineering-Team (Code Health), Core Platform Team Legacy (Watching / External), Services (watching), Operations, Code-Stewardship-Reviews, Graphoid
Bawolff added a comment to T230811: Add appropriate security headers to MachineVision.

Note: OutputPage will automatically add CSP headers to special pages if configured, so you don't have to do anything on your special page to opt in to CSP headers (e.g. As an example, you can see that CSP headers are sent on https://en.wikipedia.org/wiki/Special:BlankPage )

Mon, Oct 28, 4:16 AM · MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), Patch-For-Review, Product-Infrastructure-Team-Backlog (Kanban), Machine vision
Bawolff added a comment to T236508: Videos from YouTube don't embed correctly in Space posts.

On a closer look in another Discourse instance hosted elsewhere, the onebox generated with a YouTube URL does serve an image directly from YouTube servers. Then I guess this might conflict with the privacy policy.
Looking at the configuration of discuss-space and discourse-mediawiki, we don't see anything impeding these YouTube URLs to render as onebox, therefore I believe that the Cloud VPS is enforcing the privacy policy somehow.
Anyway, it is late now. I'll double check tomorrow and discuss with my Space team colleagues. Thank you for your quick response.

Mon, Oct 28, 1:36 AM · Privacy, Space (Oct-Dec-2019), Discourse
Bawolff added a comment to T236639: $wgDebugRedirects no longer outputs the target redirect (as of 4f11b6145).

Note: It may be a totally valid solution to just get rid of the $wgDebugRedirects feature.

Mon, Oct 28, 1:31 AM · MediaWiki-General
Bawolff created T236639: $wgDebugRedirects no longer outputs the target redirect (as of 4f11b6145).
Mon, Oct 28, 1:30 AM · MediaWiki-General

Sun, Oct 27

Bawolff created T236636: Add bawolff to either NDA or WMF ldap group.
Sun, Oct 27, 11:14 PM · Operations, LDAP-Access-Requests
Bawolff added a comment to T236188: Content Security Policy JS error.

@Andyrom75: It is still unclear to me how to reproduce a problem, and what the exact problem is here. I go to https://it.wikivoyage.org/wiki/Template:MappaDinamica and I don't see such output in the Developer Tools in Firefox. What are exact steps to reproduce, the expected outcome, and the actual outcome? Thanks.

Sun, Oct 27, 10:47 PM · Privacy, Security

Sat, Oct 26

Bawolff added a comment to T236508: Videos from YouTube don't embed correctly in Space posts.

I want to add that YouTube is not a random third party website in this case.

Sat, Oct 26, 7:40 AM · Privacy, Space (Oct-Dec-2019), Discourse

Fri, Oct 25

Bawolff added a comment to T236508: Videos from YouTube don't embed correctly in Space posts.

Pasting a YouTube link on its own line in a Space post (or a Discourse-MediaWiki post) does not embed the video as it should by default.

@elappen-WMF: I don't understand why it should. Embedding external content from random third-party websites without any additional required user interaction will violate the Privacy Policy, so I think this task should be declined.

Fri, Oct 25, 8:08 PM · Privacy, Space (Oct-Dec-2019), Discourse
Bawolff added a project to T236188: Content Security Policy JS error: Privacy.

Yep it's just a warning so far, and things will change before the warning becomes more serious. However, it should be noted that MediaWiki:Gadget-MapFrame.js might borderline be in violation of the privacy policy since it's loading resources from toolforge without opt-in from the user (Not really clear though, as it is loading in an iframe. Rules around usage of labs in production are very ambiguous in practice).

Fri, Oct 25, 4:19 AM · Privacy, Security
Bawolff added a comment to T236444: Actor migration seems to have broken deleteDefaultMessages.php, and by extension the update process for really old wikis.

I regularly run deleteEqualMessages.php in production, but haven't in a few weeks recently. Do you expect that script to be affected as well?

Fri, Oct 25, 2:32 AM · MW-1.35-notes (1.35.0-wmf.5; 2019-11-05), Core Platform Team Workboards (Clinic Duty Team), MediaWiki-Maintenance-scripts, MediaWiki-User-management, MediaWiki-Installer

Thu, Oct 24

Bawolff updated the task description for T236444: Actor migration seems to have broken deleteDefaultMessages.php, and by extension the update process for really old wikis.
Thu, Oct 24, 11:19 PM · MW-1.35-notes (1.35.0-wmf.5; 2019-11-05), Core Platform Team Workboards (Clinic Duty Team), MediaWiki-Maintenance-scripts, MediaWiki-User-management, MediaWiki-Installer
Bawolff created T236444: Actor migration seems to have broken deleteDefaultMessages.php, and by extension the update process for really old wikis.
Thu, Oct 24, 11:08 PM · MW-1.35-notes (1.35.0-wmf.5; 2019-11-05), Core Platform Team Workboards (Clinic Duty Team), MediaWiki-Maintenance-scripts, MediaWiki-User-management, MediaWiki-Installer
Bawolff created T236442: cleanupUsersWithNoId.php fails Unknown column 'ar_user'.
Thu, Oct 24, 11:04 PM · MediaWiki-Maintenance-scripts, MediaWiki-User-management
Bawolff added a comment to T235575: Allow CentralAuth to be used with SQLite.

I feel like sql.php meets the requirements of this feature request

Thu, Oct 24, 12:33 PM · SQLite, MediaWiki-extensions-CentralAuth
Bawolff added a comment to T235575: Allow CentralAuth to be used with SQLite.

I feel like sql.php meets the requirements of this feature request

Thu, Oct 24, 12:28 PM · SQLite, MediaWiki-extensions-CentralAuth
Bawolff added a comment to T234192: Automatic upload comments by Upload Wizard are unhelpful, make them more informative.

@Bawolff What would it take to move this forward?

Thu, Oct 24, 7:55 AM · UploadWizard, Commons

Thu, Oct 17

Bawolff committed rEPIC8ba328340171: Fix to work with MediaWiki 1.34 (authored by Bawolff).
Fix to work with MediaWiki 1.34
Thu, Oct 17, 4:12 AM
Bawolff closed T235602: PageInCat extension: Call to undefined method ParserOptions::setEditSection() as Resolved.
Thu, Oct 17, 2:25 AM · MediaWiki-extensions-Other
Bawolff added a comment to T235602: PageInCat extension: Call to undefined method ParserOptions::setEditSection().

Hmm, looks like it was removed in 2a806d04290da7

Thu, Oct 17, 2:01 AM · MediaWiki-extensions-Other

Wed, Oct 16

Bawolff created T235588: PageViewInfo should include media counts on ?action=info for stuff in File namespace.
Wed, Oct 16, 3:09 AM · PageViewInfo
Bawolff added a comment to T234192: Automatic upload comments by Upload Wizard are unhelpful, make them more informative.

One minor thing to note, that sometimes this description is used to run stats on how popular different upload methods are. However, that would be a silly reason to keep it the way it is. I've always been kind of annoyed by the lack of descriptive description.

Wed, Oct 16, 3:05 AM · UploadWizard, Commons
Bawolff added a comment to T235400: discourse-mediawiki.wmflabs.org links to normal Wikimedia privacy policy, which is probably wrong one (?).

To address the choice in privacy policy specifically: both https://discuss-space.wmflabs.org/privacy and https://discourse-mediawiki.wmflabs.org/privacy link directly to the Wikimedia Foundation Non-wiki privacy policy (https://wikimediafoundation.org/privacy-policy/). Legal reached out to us during the launch of Space and advised that the privacy policy link there. No task was created as the change was implemented immediately. After double checking with Legal about Discourse MediaWiki, the change was also made there, resolving a task that had been written prior to Space.

Wed, Oct 16, 1:54 AM · Space, Discourse, WMF-Legal, Privacy
Bawolff added a comment to T235458: Make pipermail show RTL emails better by emitting dir=auto.

Looking at puppet, it looks like we already have some customization in modules/mailman/files/templates/* - so at first glance, I assume we could just add an article.html. Unfortunately, it looks like we can't modify the <pre> tag as that's added outside the template (And CSS has no direction:auto attribute). In theory we could add a U+2068 FIRST-STRONG ISOLATE, but I think a better approach would be to just add a new surrounding div.

Wed, Oct 16, 1:23 AM · Patch-For-Review, I18n, Operations, Wikimedia-Mailing-lists, RTL

Tue, Oct 15

Bawolff created T235458: Make pipermail show RTL emails better by emitting dir=auto.
Tue, Oct 15, 2:35 AM · Patch-For-Review, I18n, Operations, Wikimedia-Mailing-lists, RTL

Mon, Oct 14

Bawolff added a comment to T235401: Emails from discourse-mediawiki.wmflabs.org softfail SPF.

If this is going to be merged in other discourse, I wouldn't worry about it (unless the other discourse has same problem).

Mon, Oct 14, 9:06 PM · Space, Discourse
Bawolff created T235401: Emails from discourse-mediawiki.wmflabs.org softfail SPF.
Mon, Oct 14, 6:20 AM · Space, Discourse
Bawolff created T235400: discourse-mediawiki.wmflabs.org links to normal Wikimedia privacy policy, which is probably wrong one (?).
Mon, Oct 14, 6:15 AM · Space, Discourse, WMF-Legal, Privacy
Bawolff added a comment to T234049: "Error loading data from server: apierror-visualeditor-docserver-http-error: (curl error: 7) Couldn't connect to server.".

Some standard advice for people experiencing this issue might be (not VE/parsoid specific, but for curl error 7 in general):

Mon, Oct 14, 5:10 AM · VisualEditor, Parsoid
Bawolff updated the task description for T234049: "Error loading data from server: apierror-visualeditor-docserver-http-error: (curl error: 7) Couldn't connect to server.".
Mon, Oct 14, 5:02 AM · VisualEditor, Parsoid

Oct 12 2019

Bawolff created T235351: installer should perhaps more immediately test permissions for mysql db.
Oct 12 2019, 9:25 PM · MediaWiki-Installer

Oct 11 2019

Bawolff closed T34012: SQL error while recategorizing files as Declined.

8 years after the fact, whatever this error was has been probably fixed, and if it hasn't, there is not enough info to reproduce or do anything about it.

Oct 11 2019, 12:09 AM · TestMe, MediaWiki-Categories

Oct 10 2019

Bawolff closed T234715: DynamicPageList (Wikimedia) no longer integrates properly with flagged revisions as Resolved.
Oct 10 2019, 6:29 PM · MW-1.35-notes (1.35.0-wmf.1; 2019-10-08), DynamicPageList (Wikimedia), MediaWiki-extensions-FlaggedRevs
Bawolff added a comment to T169027: Provide iframe sandboxing for rich-media extensions (defense in depth).

It makes sense, yes. Let's assume we have some good applets to learn physics running on python somewhere. What would be the steps to follow up so we can iframe them on any given Wikipedia?

Oct 10 2019, 6:38 AM · Security, Security-General, Technical-Debt, Commons, MediaWiki-File-management, Multimedia
Bawolff added a comment to T169027: Provide iframe sandboxing for rich-media extensions (defense in depth).

Presumably, if the sandbox system mentioned in this task existed, it would just be a matter of having a proxy server between the user and the third-party service.

Oct 10 2019, 6:27 AM · Security, Security-General, Technical-Debt, Commons, MediaWiki-File-management, Multimedia
Bawolff added a comment to T234715: DynamicPageList (Wikimedia) no longer integrates properly with flagged revisions.

Should be live now. Please let me know if that fixed the problem

Oct 10 2019, 5:01 AM · MW-1.35-notes (1.35.0-wmf.1; 2019-10-08), DynamicPageList (Wikimedia), MediaWiki-extensions-FlaggedRevs
Bawolff added a comment to T235107: Change tags disclose non-public information about editors.

@MusikAnimal I don't think the potential privacy concern follows to the use cases where an editor uses a custom editing tool to make their edits - in those cases the editor is purposefully asserting the tag with their edits.

Oct 10 2019, 1:17 AM · Wikipedia-Android-App-Backlog, Advanced Mobile Contributions, Android-app-Bugs, iOS-app-Bugs, Wikipedia-iOS-App-Backlog, Mobile, MediaWiki-Change-tagging, Privacy

Oct 9 2019

Bawolff added projects to T235107: Change tags disclose non-public information about editors: Mobile, iOS-app-Bugs.

So to be clear: this is about the iOS app edit and mobile edit tag?

Oct 9 2019, 7:17 PM · Wikipedia-Android-App-Backlog, Advanced Mobile Contributions, Android-app-Bugs, iOS-app-Bugs, Wikipedia-iOS-App-Backlog, Mobile, MediaWiki-Change-tagging, Privacy
Bawolff added a comment to T235107: Change tags disclose non-public information about editors.

*edit* I was reading the wrong section of the talk page. Please ignore this

Oct 9 2019, 7:11 PM · Wikipedia-Android-App-Backlog, Advanced Mobile Contributions, Android-app-Bugs, iOS-app-Bugs, Wikipedia-iOS-App-Backlog, Mobile, MediaWiki-Change-tagging, Privacy
Bawolff added a comment to T234907: RFC: Where to implement Desktop Improvements project.

The ability to differentiate a Wikimedia site (e.g. Wikipedia) from a third-party site running MediaWiki.

Oct 9 2019, 6:13 AM · Readers-Web-Backlog (Kanbanana-2019-20-Q2), Desktop Improvements, TechCom-RFC

Oct 7 2019

Bawolff updated the task description for T185664: Code stewardship review: FlaggedRevs.
Oct 7 2019, 7:04 AM · Release-Engineering-Team (Code Health), MediaWiki-extensions-FlaggedRevs, Code-Stewardship-Reviews
Bawolff added a comment to T120085: RFC: Serve Main Page of Wikimedia wikis from a consistent URL.

How will this work for projects with a different main page for each language, eg Commons? The main page depends on the user's interface language. Normally, if you're a French-language user and you navigate to https://commons.wikimedia.org/ , you get redirected to https://commons.wikimedia.org/wiki/Accueil . Will https://commons.wikimedia.org/ still show the correct content to each user?

Oct 7 2019, 6:17 AM · CommRel-Specialists-Support, Readers-Web-Backlog (Tracking), MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), Fundraising-Backlog, Editing-team, Parsing-Team, User-notice, MW-1.34-notes (1.34.0-wmf.24; 2019-09-24), Core Platform Team, Patch-For-Review, Performance-Team, Operations, Traffic, TechCom-RFC, SEO, Wikimedia-Site-requests
Bawolff renamed T234715: DynamicPageList (Wikimedia) no longer integrates properly with flagged revisions from Russian Wikinews has sudden patrolling problem to DynamicPageList (Wikimedia) no longer integrates properly with flagged revisions.
Oct 7 2019, 6:05 AM · MW-1.35-notes (1.35.0-wmf.1; 2019-10-08), DynamicPageList (Wikimedia), MediaWiki-extensions-FlaggedRevs
Bawolff added a comment to T234715: DynamicPageList (Wikimedia) no longer integrates properly with flagged revisions.

Well, I have updates now.
The problem is in DynamicPageList extension. ( {{yes}} template may be ignored now )
DynamicPageList extension directly influences "publication" process.
By default, DynamicPageList showed patrolled articles and didn't show unpatrolled.
When things broke recently, DynamicPageList began to show ALL pages whether they are patrolled or not.
Patrolling no more controls DynamicPageList on/off. That is the problem.
DynamicPageList should be fixed to SHOW patrolled and IGNORE unpatrolled articles. AS IT WAS.
All local lists, categories, robots, RSS depend on this, that's why it needs to be fixed ASAP.

Oct 7 2019, 5:58 AM · MW-1.35-notes (1.35.0-wmf.1; 2019-10-08), DynamicPageList (Wikimedia), MediaWiki-extensions-FlaggedRevs
Bawolff added a comment to T234715: DynamicPageList (Wikimedia) no longer integrates properly with flagged revisions.

Ok, so not exactly sure if the stablepages=only issue is what is being reported here or not, but that issue appears to be caused by d3259c2b7ca12d / 4eba7cf0f3e4, which (Accidentally I assume) removed the FLAGGED_REVS constant, which dynamic page list was looking for to decide if to enable flagged revs integration

Oct 7 2019, 5:16 AM · MW-1.35-notes (1.35.0-wmf.1; 2019-10-08), DynamicPageList (Wikimedia), MediaWiki-extensions-FlaggedRevs
Bawolff created T234780: Wikipedia Portals git repo listed as MIT licensed, but contains images that are not MIT licensed.
Oct 7 2019, 5:02 AM · Software-Licensing, WMF-Legal, Wikimedia-Portals

Oct 6 2019

Bawolff added projects to T234715: DynamicPageList (Wikimedia) no longer integrates properly with flagged revisions: MediaWiki-extensions-FlaggedRevs, DynamicPageList (Wikimedia).

I think what the user is reporting, is that in dynamicPageList extension, the stablepages=only parameter, which should exclude pages not managed by flagged revisions, is no longer working.

Oct 6 2019, 11:13 PM · MW-1.35-notes (1.35.0-wmf.1; 2019-10-08), DynamicPageList (Wikimedia), MediaWiki-extensions-FlaggedRevs
Bawolff added a comment to T234715: DynamicPageList (Wikimedia) no longer integrates properly with flagged revisions.

I still do not see how this problem is related to the patrolling code in the MediaWiki core code base itself if you can trigger that behavior already by writing the name of a template into a wiki page. Hence I'm removing MediaWiki-Patrolling.

Oct 6 2019, 10:55 PM · MW-1.35-notes (1.35.0-wmf.1; 2019-10-08), DynamicPageList (Wikimedia), MediaWiki-extensions-FlaggedRevs
Bawolff added a comment to T208329: Gadget with SPARQL services collides with Content Security Policy?.

Not sure where that error is coming from - SPARQL responses have access-control-allow-origin: *. Maybe it's something in Mediawiki settings?

Oct 6 2019, 9:26 PM · Wikidata, Security-Team, Security

Oct 5 2019

Bawolff added a comment to T120085: RFC: Serve Main Page of Wikimedia wikis from a consistent URL.

Yes, but when you visit the site it will get removed (in the interface). To put it another way, the / is used behind the scenes, but anything the user sees will not use the /.

Oct 5 2019, 9:16 AM · CommRel-Specialists-Support, Readers-Web-Backlog (Tracking), MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), Fundraising-Backlog, Editing-team, Parsing-Team, User-notice, MW-1.34-notes (1.34.0-wmf.24; 2019-09-24), Core Platform Team, Patch-For-Review, Performance-Team, Operations, Traffic, TechCom-RFC, SEO, Wikimedia-Site-requests
Bawolff added a comment to T120085: RFC: Serve Main Page of Wikimedia wikis from a consistent URL.

Not really. https://www.wikidata.org/ and https://www.wikidata.org are two different ways of writing the same URL.

Yes, but what is the software actually doing?

Oct 5 2019, 4:53 AM · CommRel-Specialists-Support, Readers-Web-Backlog (Tracking), MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), Fundraising-Backlog, Editing-team, Parsing-Team, User-notice, MW-1.34-notes (1.34.0-wmf.24; 2019-09-24), Core Platform Team, Patch-For-Review, Performance-Team, Operations, Traffic, TechCom-RFC, SEO, Wikimedia-Site-requests

Oct 4 2019

Bawolff added a comment to T120085: RFC: Serve Main Page of Wikimedia wikis from a consistent URL.

[...] For example https://www.wikidata.org/wiki/Wikidata:Main_Page would be https://www.wikidata.org instead. You can tell the developers if this would cause problems for your wiki.

@Johan: Technically, given the discussion above, wouldn't it be more accurate to say

would be https://www.wikidata.org/ instead.

with a trailing slash?

Oct 4 2019, 11:35 PM · CommRel-Specialists-Support, Readers-Web-Backlog (Tracking), MW-1.35-notes (1.35.0-wmf.2; 2019-10-15), Fundraising-Backlog, Editing-team, Parsing-Team, User-notice, MW-1.34-notes (1.34.0-wmf.24; 2019-09-24), Core Platform Team, Patch-For-Review, Performance-Team, Operations, Traffic, TechCom-RFC, SEO, Wikimedia-Site-requests
sbassett awarded T204186: mw-config/w/static.php should not serve dotfiles ever [paranoia] a Like token.
Oct 4 2019, 8:47 PM · Performance-Team, Security-Team, Security

Oct 3 2019

Bawolff added a comment to T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki.

@Krenair - The actual uploading is handled by urluploader, but UploadWizard has to do a lot of communicating with Flickr's API beforehand for information. Is there some kind of proxy API it should be using for that?

Oct 3 2019, 3:41 AM · ContentSecurityPolicy, Core Platform Team Legacy (Watching / External), TechCom-RFC (TechCom-Approved), Patch-For-Review, Epic, Security-Team

Sep 22 2019

Bawolff added a comment to T233489: CentralAuth and local account creation are not working on beta cluster wikis.

So it looks like we're not properly changing the CSP header to beta.wmflabs.org addresses. That would be bad, except they're listed as Report Only?

Sep 22 2019, 6:44 PM · MediaWiki-extensions-CentralAuth, Beta-Cluster-Infrastructure

Sep 21 2019

Bawolff created T233493: Translate "no translations" RC filter doesn't actually filter all translations.
Sep 21 2019, 8:33 PM · Growth-Team, Edit-Review-Improvements-RC-Page, MediaWiki-extensions-Translate
Bawolff added a comment to Blog Post: Wikipedia's JavaScript initialisation on a budget.

To answer my own question, I did a quick test - currently it's 26751 bytes compressed. Super aggressive gzip (zopfli) could in theory bring that down to 25532 bytes for a saving of 1219 bytes. More sane would be brotli, which could bring it down to 23763 bytes for a saving of 2988 bytes.

Sep 21 2019, 6:20 AM
Bawolff added a comment to Blog Post: Wikipedia's JavaScript initialisation on a budget.

Interesting. Thanks for sharing this. I wonder if this is an area that would benefit from more aggressive compression. The data is cached from what I understand, so it doesn't have to be compressed on the fly, and getting as much as possible in that initial window seems important.

Sep 21 2019, 5:40 AM

Sep 20 2019

Bawolff added a comment to T233386: WikimediaFoundation.org participating in Global Climate Strike.

As an additional check, is the included Google Analytics also intentional in light of T201022?
[I'm assuming it actually loads, I couldn't figure out how to disable DoNotTrack in my browser to test it]

Sep 20 2019, 4:12 AM · Privacy, Security, wikimediafoundation.org