Bawolff (Brian Wolff)
Security

User Details

User Since
Oct 25 2014, 1:53 AM (163 w, 4 d)
Availability
Available
IRC Nick
Bawolff
LDAP User
Brian Wolff
MediaWiki User
Bawolff

I work on the MediaWiki Security Team.

Recent Activity

Today

Bawolff added a comment to T182812: Forward security@tools.wmflabs.org to security@wikimedia.org.

I just tried security@wikipedia.org and it does not appear that email forwards to security@wikimedia.org so we should do that too.

Wed, Dec 13, 6:46 PM · Toolforge, Security, Mail, Operations
Bawolff added a comment to T182812: Forward security@tools.wmflabs.org to security@wikimedia.org.

I just tried security@wikipedia.org and it does not appear that email forwards to security@wikimedia.org so we should do that too.

Wed, Dec 13, 6:42 PM · Toolforge, Security, Mail, Operations
Bawolff changed the visibility for T164948: DoS attack vector in the WikibaseQualityConstraints extension.
Wed, Dec 13, 6:27 PM · Vuln-DoS, Wikidata-Former-Sprint-Board, WMF-Server-Backports, Wikibase-Quality-Constraints, Wikidata, Security
Bawolff removed a project from T182800: Username beginning with asterisk renders as list in “restore”/“undo” edit summaries of Wikibase items: Security.
Wed, Dec 13, 6:22 PM · Patch-For-Review, Wikidata
Bawolff added a comment to T182800: Username beginning with asterisk renders as list in “restore”/“undo” edit summaries of Wikibase items.

Ah, but plaintext parameters are, like raw parameters, processed after the message is parsed, so {{PLURAL:$3|claim|claims}} no longer works :/

Wed, Dec 13, 6:22 PM · Patch-For-Review, Wikidata
Bawolff renamed phan-taint-check-plugin from MediaWiki-SecurityCheckPlugin to phan-taint-check-plugin.
Wed, Dec 13, 5:41 PM
Bawolff added a watcher for phan-taint-check-plugin: Bawolff.
Wed, Dec 13, 5:39 PM
Bawolff added a comment to T182800: Username beginning with asterisk renders as list in “restore”/“undo” edit summaries of Wikibase items.

Possible fix:

diff --git a/lib/includes/Formatters/AutoCommentFormatter.php b/lib/includes/Formatters/AutoCommentFormatter.php
index 0c77d8762..b57ab5580 100644
--- a/lib/includes/Formatters/AutoCommentFormatter.php
+++ b/lib/includes/Formatters/AutoCommentFormatter.php
@@ -100,7 +100,7 @@ public function formatAutoComment( $auto ) {
 		}
 
 		// render the autocomment
-		$auto = $msg->params( $args )->parse();
+		$auto = $msg->plaintextParams( $args )->parse();
 		return $auto;
 	}
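Review bot: the `+` line switches every entry of `$args` to `plaintextParams()`, and plaintext parameters, like raw parameters, are substituted only after the message is parsed, so a parser function that reads one of them inside the autocomment message (the task's later comment names `{{PLURAL:$3|claim|claims}}`) stops working. Before landing this, check which of the `$args` the autocomment messages use inside parser functions, and consider escaping only the username where it is written into the edit summary instead of changing the handling of all parameters.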

But I have no idea if this breaks something else – it’s possible that some of the message parameters should be interpreted as Wikitext. (As far as I can tell, AutoCommentFormatter itself has no idea what the parameters mean – it just extracts the partial message key and the parameters from the edit summary and combines them. So it’s also possible that the escaping should happen before writing the username to the edit summary.)

@Bawolff if you think this is unlikely to be an XSS, perhaps you can make the task public and let the rest of the Wikidata team have a look? (I agree, FWIW, I just thought “better safe than sorry”.)

Wed, Dec 13, 5:29 PM · Patch-For-Review, Wikidata
Bawolff changed the visibility for T182800: Username beginning with asterisk renders as list in “restore”/“undo” edit summaries of Wikibase items.
Wed, Dec 13, 5:22 PM · Patch-For-Review, Wikidata
Bawolff added a comment to T182800: Username beginning with asterisk renders as list in “restore”/“undo” edit summaries of Wikibase items.

It's unlikely this is an XSS.

Wed, Dec 13, 5:12 PM · Patch-For-Review, Wikidata

Yesterday

Bawolff moved T182689: Replace manual IN query with select wrapper in maintenance/storage/checkStorage.php [blob_id] from Proposed tasks to Imported in GCI Site on the Google-Code-in-2017 board.
Tue, Dec 12, 2:56 PM · Easy, Google-Code-in-2017
Bawolff created T182689: Replace manual IN query with select wrapper in maintenance/storage/checkStorage.php [blob_id].
Tue, Dec 12, 2:44 PM · Easy, Google-Code-in-2017
Bawolff closed T182208: Replace manual IN query with select wrapper in maintenance/storage/checkStorage.php as Resolved.
Tue, Dec 12, 2:35 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Google-Code-in-2017, Easy

Mon, Dec 11

Bawolff added a comment to T167400: Disable serving unpatrolled new files to Wikipedia Zero users.

So yes, this sounds sane to me (With the caveat, I haven't looked at the multimedia code in a while). Some comments:

Mon, Dec 11, 9:45 PM · User-Tgr, Traffic, Operations, media-storage, Commons, Multimedia, Zero
Bawolff added a comment to T179363: Remove tocnumbers from TOC layout in print mode as they display incorrectly with numbers > 10 and their usefulness is debatable.

Ok, so when I do wikitext

```
==A==
==B==
==C==
==D==
===D1===
====D11===
===D2===
```
Mon, Dec 11, 7:57 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Unplanned-Sprint-Work, Readers-Web-Kanban-Board, Patch-For-Review, Google-Code-in-2017, Vector, Readers-Web-Backlog
Bawolff added a comment to T40860: security@mediawiki.org : Create a public key and publish it on the public key servers.

Speaking just for myself and not the team. I think such a thing makes sense. Not exactly what I'd call a high priority concern, but some reporters like being paranoid, and we should do everything we can to make people feel comfortable reporting security issues to us.

Mon, Dec 11, 4:59 PM · Security-Team, WorkType-NewFunctionality, Operations, Wikimedia-General-or-Unknown
Bawolff awarded T178690: Better organization for ops grafana dashboards a Love token.
Mon, Dec 11, 4:46 PM · monitoring, Operations
Bawolff created T182599: Make jenkins run security-check-plugin non-voting.
Mon, Dec 11, 3:59 PM · Continuous-Integration-Config, phan-taint-check-plugin, Security-Team
Bawolff closed T182398: Special:Undelete contains egregious white space after OOUI update as Resolved.
Mon, Dec 11, 2:51 PM · MW-1.31-release-notes (WMF-deploy-2017-12-05 (1.31.0-wmf.11)), Patch-For-Review, MediaWiki-Special-pages, Regression
Bawolff added a comment to T182214: Get securityCheckPlugin on packagist.

Ok, let's call it mediawiki/phan-taint-check-plugin. (Although after this, I'd like to just stick to the name.)

Mon, Dec 11, 1:57 PM · phan-taint-check-plugin, Security-Team

Sun, Dec 10

Bawolff changed the visibility for T87332: Using language conversion syntax in external links bypasses proper external link registration.
Sun, Dec 10, 4:07 PM · Parsoid, Security-Team, Security, MediaWiki-Language-converter
Bawolff closed T87332: Using language conversion syntax in external links bypasses proper external link registration as Resolved.
Sun, Dec 10, 4:07 PM · Parsoid, Security-Team, Security, MediaWiki-Language-converter
Bawolff added a comment to T87332: Using language conversion syntax in external links bypasses proper external link registration.

Fixed as part of T119158

Sun, Dec 10, 4:07 PM · Parsoid, Security-Team, Security, MediaWiki-Language-converter
Bawolff closed T89134: Removing inline CSS/JS from MediaWiki as Declined.

From my perspective, I don't believe that inline styles should be banned as part of CSP. The security benefits (which are very low, mostly around preventing data exfiltration) are not worth the user inconvenience.

Sun, Dec 10, 4:05 PM · Accessibility, Community-Liaisons, MediaWiki-General-or-Unknown, Epic, Technical-Debt, Security
Bawolff closed T165455: Go from "E" to "A+" on Securityheaders.io as Declined.

Inserting headers just because some website says so is silly - they should be investigated individually on their merits. Most of these have other bugs; the main one to investigate is X-XSS-Protection, which I filed as T182535.

Sun, Dec 10, 3:51 PM · Wikimedia-General-or-Unknown, Security
Bawolff triaged T182535: Investigate maybe setting X-XSS-Protection header as Normal priority.
Sun, Dec 10, 3:50 PM · Wikimedia-General-or-Unknown, Security
Bawolff moved T146055: Improve privilege separation for phabricator's config files and mysql credentials from Backlog to Operational issues on the Security board.
Sun, Dec 10, 3:46 PM · DBA, Phabricator, Security
Bawolff added a comment to T182213: [Clonable] replace wfMessage()->rawParams() with wfMessage()->plaintextParams() where applicable.

As an aside, T141670 is also basically about this issue.

Sun, Dec 10, 3:32 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, MediaWiki-General-or-Unknown, MediaWiki-extensions-General, Google-Code-in-2017, Easy, Security
Bawolff added a comment to T141670: Templates are parsed in AbuseLog.

Making public, I don't see any way to exploit this.

Sun, Dec 10, 3:32 PM · AbuseFilter, Security
Bawolff updated the task description for T141670: Templates are parsed in AbuseLog.
Sun, Dec 10, 3:32 PM · AbuseFilter, Security
Bawolff added a comment to T36257: XSS vulnerability scanner false positives.

@dpatrick, @Bawolff: Would a "scan-safe" configuration parameter that disables some formats and changes the behavior of others be useful? Or would it just cause more trouble since scanners would be running against different output from what is actually used by real MediaWiki installations and people who file bogus bugs after using broken scanners wouldn't use the "scan-safe" option anyway?

Sun, Dec 10, 2:40 PM · Vuln-XSS, Security, MediaWiki-API
Bawolff added a project to T34716: $wgWhitelistRead leaks username data (Because it allows viewing ?action=history): Vuln-Infoleak.
Sun, Dec 10, 2:32 PM · Vuln-Infoleak, WorkType-NewFunctionality, Security, MediaWiki-General-or-Unknown
Bawolff renamed T34716: $wgWhitelistRead leaks username data (Because it allows viewing ?action=history) from $wgWhitelistRead leaks username data to $wgWhitelistRead leaks username data (Because it allows viewing ?action=history).
Sun, Dec 10, 2:29 PM · Vuln-Infoleak, WorkType-NewFunctionality, Security, MediaWiki-General-or-Unknown
Bawolff moved T175072: Creating a sub-task of a security issue (via "Edit related tasks" menu) does not automatically protect the task as Security from Backlog to Other WMF team on the Security board.
Sun, Dec 10, 11:41 AM · Upstream, Phabricator (Upstream), Security
Bawolff created T182524: Create video screencasts to accompany doc pages on mw.org.
Sun, Dec 10, 10:45 AM · Google-Code-in-2017, Documentation

Sat, Dec 9

Bawolff updated the task description for T182448: Make securitycheckplugin detect double escaping.
Sat, Dec 9, 3:52 PM · Google-Code-in-2017, phan-taint-check-plugin, Security-Team
Bawolff moved T182448: Make securitycheckplugin detect double escaping from Proposed tasks to Imported in GCI Site on the Google-Code-in-2017 board.

Imported in gci as https://codein.withgoogle.com/dashboard/tasks/4879638591438848/

Sat, Dec 9, 3:51 PM · Google-Code-in-2017, phan-taint-check-plugin, Security-Team
Bawolff added a project to T182448: Make securitycheckplugin detect double escaping: Google-Code-in-2017.
Sat, Dec 9, 3:19 PM · Google-Code-in-2017, phan-taint-check-plugin, Security-Team
Bawolff updated the task description for T182448: Make securitycheckplugin detect double escaping.
Sat, Dec 9, 3:19 PM · Google-Code-in-2017, phan-taint-check-plugin, Security-Team
Bawolff updated the task description for T182213: [Clonable] replace wfMessage()->rawParams() with wfMessage()->plaintextParams() where applicable.
Sat, Dec 9, 2:48 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, MediaWiki-General-or-Unknown, MediaWiki-extensions-General, Google-Code-in-2017, Easy, Security
Bawolff updated the task description for T182213: [Clonable] replace wfMessage()->rawParams() with wfMessage()->plaintextParams() where applicable.
Sat, Dec 9, 2:47 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, MediaWiki-General-or-Unknown, MediaWiki-extensions-General, Google-Code-in-2017, Easy, Security
Bawolff added a comment to T166978: ReferenceError: getElementsByClassName is not defined at Function.Bawolff.Ticker.init.

There's a list at https://meta.wikimedia.org/w/index.php?title=Special%3AGlobalUsers&username=&group=global-interface-editor&limit=50

Sat, Dec 9, 2:18 PM · Need-volunteer, Wikimedia-General-or-Unknown
Bawolff added a comment to T166978: ReferenceError: getElementsByClassName is not defined at Function.Bawolff.Ticker.init.

It was broken by 0beaa51bb1030 - I fixed the enwikinews one: https://en.wikinews.org/w/index.php?title=MediaWiki%3ATicker2.js&type=revision&diff=4369358&oldid=2804555 . Local admins, or some global editinterface person, could fix the other ones if they so desire :)

Sat, Dec 9, 2:09 PM · Need-volunteer, Wikimedia-General-or-Unknown
Bawolff added a comment to T121186: Implement results of enwiki Security review RfC.

Regular audits will take some work to get set up.

Sat, Dec 9, 1:59 PM · Security-Team, Wikimedia-Site-requests
Bawolff closed T182444: Make GlobalUsersPager properly support gender as Resolved.
Sat, Dec 9, 12:29 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, Wikimedia-log-errors, MediaWiki-extensions-CentralAuth, Technical-Debt, Google-Code-in-2017, I18n
Bawolff closed T97869: Review access to security tasks as Resolved.

Well, it may make sense to reaudit the list, but this bug is really old, so if we were to do that, we would probably have to start from scratch anyways.

Sat, Dec 9, 12:05 PM · Security-Team
Bawolff added a comment to T182214: Get securityCheckPlugin on packagist.

SecurityCheckPlugin is a super uninspired name, so I'm totally fine naming it something else. Naming things is hard :)

Sat, Dec 9, 11:55 AM · phan-taint-check-plugin, Security-Team
Bawolff updated the task description for T182448: Make securitycheckplugin detect double escaping.
Sat, Dec 9, 3:12 AM · Google-Code-in-2017, phan-taint-check-plugin, Security-Team
Bawolff added a comment to T181660: Experiment using phan for static analysis.

Can we implement a way to suppress false positives, e.g. @codingStandardsLineIgnore ? (using a different tag or something). Assuming the false positive rate is reasonable, I think something like this should definitely be voting after a bit of tuning and testing.

Sat, Dec 9, 2:14 AM · phan-taint-check-plugin, Security-Team
Bawolff added a project to T181660: Experiment using phan for static analysis: phan-taint-check-plugin.
Sat, Dec 9, 2:10 AM · phan-taint-check-plugin, Security-Team
Bawolff added a comment to T182426: OOUI MultilineTextInputWidget textboxes are grey in Monobook (Apex) but not in Vector (WikimediaUI theme).

Also, the revert commit message mentions a completely different reason, and I don't understand why it was accepted without clearer communication about what is meant to break (max-width)?

Sat, Dec 9, 1:35 AM · OOjs-UI (OOjs-UI-0.25.0)

Fri, Dec 8

Bawolff closed T182210: Remove references to deleted $this->debug in installer as Resolved.
Fri, Dec 8, 11:36 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, MediaWiki-Installer, Google-Code-in-2017, Easy
Bawolff added a comment to T182469: Update composer.json.

It's your computer. The plugin only supports exactly PHP 7.0 (not PHP 7.1). And it needs the ast extension, which you may have to install separately.

Fri, Dec 8, 11:20 PM · User-MarcoAurelio, Patch-For-Review, phan-taint-check-plugin
Bawolff added a comment to T182426: OOUI MultilineTextInputWidget textboxes are grey in Monobook (Apex) but not in Vector (WikimediaUI theme).

Note, that vito made the original complaint, so he might be a better person to ask for acceptance criteria.

Fri, Dec 8, 11:04 PM · OOjs-UI (OOjs-UI-0.25.0)
Bawolff added a comment to T182453: Create project for SecurityCheckPlugin.

Hmm, I don't know if it's entirely a CI thing, because it's a project in itself, and not exclusively for WMF CI.

Fri, Dec 8, 8:47 PM · Project-Admins, User-MarcoAurelio
Bawolff closed T182209: [Clonable] Cast block start to int in maintenance SQL as Resolved.
Fri, Dec 8, 8:36 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, MediaWiki-Maintenance-scripts, Google-Code-in-2017, Easy
Bawolff added a comment to T181257: Lack of freeform external access to MediaWiki data is a limitation.

Allowing arbitrary complex queries does not seem appropriate as a MediaWiki core interface. Most people won't want their site potentially DoSed.

Fri, Dec 8, 8:01 PM · TechCom-RfC
Bawolff committed rMTPS955f7bffb713: Add GPL license headers (authored by Bawolff).
Add GPL license headers
Fri, Dec 8, 7:09 PM
Bawolff removed a project from T182426: OOUI MultilineTextInputWidget textboxes are grey in Monobook (Apex) but not in Vector (WikimediaUI theme): Patch-For-Review.

-Patch-For-Review tag, as that change isn't for this bug.

Fri, Dec 8, 6:15 PM · OOjs-UI (OOjs-UI-0.25.0)
Bawolff added a comment to T182398: Special:Undelete contains egregious white space after OOUI update.

Status update for the Wikipedians: We will go back to the old textbox on Monday.

Fri, Dec 8, 5:41 PM · MW-1.31-release-notes (WMF-deploy-2017-12-05 (1.31.0-wmf.11)), Patch-For-Review, MediaWiki-Special-pages, Regression
Bawolff created T182448: Make securitycheckplugin detect double escaping.
Fri, Dec 8, 5:07 PM · Google-Code-in-2017, phan-taint-check-plugin, Security-Team
Bawolff closed T180159: As a hardening measure, MW's various comment based strip markers (e.g. <!--LINK 0:0-->) should include quotes to avoid being included in attributes as Resolved.
Fri, Dec 8, 4:44 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, Google-Code-in-2017, MediaWiki-Parser, Security
Bawolff merged T182445: Getting the "userName" to use in the UserGroupMembership::getLink() into T182444: Make GlobalUsersPager properly support gender.
Fri, Dec 8, 4:11 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, Wikimedia-log-errors, MediaWiki-extensions-CentralAuth, Technical-Debt, Google-Code-in-2017, I18n
Bawolff merged task T182445: Getting the "userName" to use in the UserGroupMembership::getLink() into T182444: Make GlobalUsersPager properly support gender.
Fri, Dec 8, 4:11 PM
Bawolff created T182444: Make GlobalUsersPager properly support gender.
Fri, Dec 8, 4:10 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, Wikimedia-log-errors, MediaWiki-extensions-CentralAuth, Technical-Debt, Google-Code-in-2017, I18n
Bawolff created T182429: OOUI drop downs do not change selection on an arrow keypress unlike native browser widget.
Fri, Dec 8, 2:35 PM · OOjs-UI
Bawolff renamed T182426: OOUI MultilineTextInputWidget textboxes are grey in Monobook (Apex) but not in Vector (WikimediaUI theme) from OOUI readyOnly textboxes are grey in Monobook but not in vector to OOUI MultilineTextInputWidget textboxes are grey in Monobook but not in vector.
Fri, Dec 8, 2:22 PM · OOjs-UI (OOjs-UI-0.25.0)
Bawolff created T182426: OOUI MultilineTextInputWidget textboxes are grey in Monobook (Apex) but not in Vector (WikimediaUI theme).
Fri, Dec 8, 2:22 PM · OOjs-UI (OOjs-UI-0.25.0)
Bawolff added a comment to T182398: Special:Undelete contains egregious white space after OOUI update.

@Albert221 just as a note; this is NOT your fault. Regressions are always possible and we should have caught this in review. As a GCI student you are not responsible for fixing it, but you are welcome to work on it if you want to.

Fri, Dec 8, 12:42 PM · MW-1.31-release-notes (WMF-deploy-2017-12-05 (1.31.0-wmf.11)), Patch-For-Review, MediaWiki-Special-pages, Regression
Bawolff added a comment to T182398: Special:Undelete contains egregious white space after OOUI update.

Did anyone bother to test this? This is borderline unusable. Screen size is 1920x1080.

Fri, Dec 8, 12:10 PM · MW-1.31-release-notes (WMF-deploy-2017-12-05 (1.31.0-wmf.11)), Patch-For-Review, MediaWiki-Special-pages, Regression

Thu, Dec 7

Bawolff added a comment to T181503: Add proper category collation for the Northern Sami Wikipedia.

@jhsoby-WMNO: That's correct. Even though MediaWiki now supports collation for Northern Sami, the Wikimedia production servers don't. The steps for that to happen are:

  • Get it added into the ICU library (done)
  • Wait for a new version of the PHP intl extension that has the new ICU code in it
  • Upgrade PHP on the Wikimedia production servers

Unfortunately, the last two steps may take several years.

In the meantime, I would recommend switching to uca-default-u-kn. Right now it is still defaulting to uppercase.
Thu, Dec 7, 10:07 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), WMNO-Northern-Sami, Wikimedia-maintenance-script-run, Patch-For-Review, Wikimedia-Site-requests
Bawolff added a comment to T181738: Google Code-in 2017: Collect Feedback and Lessons Learned.

Input on deciding who are the winners:
At the end of GCI, admins need to decide on the Top 5 out of the 10 students who worked on the most tasks. This requires feedback from mentors. We ask mentors to please take notes if students go beyond expectations, went an extra mile, helped each other, etc., but maybe we should already do that in a centralized non-public place shared with all mentors while the contest is running? (GoogleDocs sigh, or is there some better way?)

Thu, Dec 7, 2:04 PM · Google-Code-in-2017, Developer-Relations (Jan-Mar-2018)
Bawolff added a comment to T182264: IE content analyzer is executed on non-first chunks during chunk uploading, preventing legitimate uploads.

Maybe it's time we had a discussion about IEContentAnalyzer. IE6 is very rarely used nowadays. You can't even connect to Wikimedia sites with it without a proxy (due to lack of TLS 1.0).

Thu, Dec 7, 1:53 PM · Multimedia, MediaWiki-Uploading, Commons
Bawolff added a comment to T181738: Google Code-in 2017: Collect Feedback and Lessons Learned.

Dedicated communication channel for GCI Wikimedia students?

In the "new mentors" Hangout session on 20171201 the "dedicated/focused [IRC] channel like #wikimedia-gci" vs "general noisy channel where other devs are" was also mentioned - there are pros and cons for both. (We currently mention #wikimedia-dev in our GCI org profile, in most of our (not GCI-only) docs for new devs, and in the GCI beginner task to get onto IRC.)

Thu, Dec 7, 12:39 PM · Google-Code-in-2017, Developer-Relations (Jan-Mar-2018)
Bawolff updated the task description for T182213: [Clonable] replace wfMessage()->rawParams() with wfMessage()->plaintextParams() where applicable.
Thu, Dec 7, 11:56 AM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, MediaWiki-General-or-Unknown, MediaWiki-extensions-General, Google-Code-in-2017, Easy, Security
Bawolff added a comment to T181660: Experiment using phan for static analysis.

I'll probably send out a wikitech-l email on Monday encouraging people to test and give feedback.

Thu, Dec 7, 10:53 AM · phan-taint-check-plugin, Security-Team
Bawolff closed T182214: Get securityCheckPlugin on packagist as Resolved.

This is done now. https://packagist.org/packages/wikimedia/security-check-plugin

Thu, Dec 7, 2:32 AM · phan-taint-check-plugin, Security-Team
Bawolff closed T182214: Get securityCheckPlugin on packagist, a subtask of T181660: Experiment using phan for static analysis, as Resolved.
Thu, Dec 7, 2:32 AM · phan-taint-check-plugin, Security-Team
Bawolff added a comment to T182198: Retrieve showing a "skin" property in "user_properties" table on DB replicas.

Variant is sort of like a sublanguage. It's only used in certain languages such as Serbian or Chinese, usually when there are multiple writing systems (e.g. Latin vs Cyrillic for Serbian, traditional vs simplified for Chinese).

Thu, Dec 7, 1:15 AM · Security, Data-Services

Wed, Dec 6

Bawolff updated the task description for T182213: [Clonable] replace wfMessage()->rawParams() with wfMessage()->plaintextParams() where applicable.
Wed, Dec 6, 7:05 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, MediaWiki-General-or-Unknown, MediaWiki-extensions-General, Google-Code-in-2017, Easy, Security
Bawolff updated the task description for T182213: [Clonable] replace wfMessage()->rawParams() with wfMessage()->plaintextParams() where applicable.
Wed, Dec 6, 7:02 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, MediaWiki-General-or-Unknown, MediaWiki-extensions-General, Google-Code-in-2017, Easy, Security
Bawolff moved T182208: Replace manual IN query with select wrapper in maintenance/storage/checkStorage.php from Proposed tasks to Imported in GCI Site on the Google-Code-in-2017 board.
Wed, Dec 6, 6:55 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Google-Code-in-2017, Easy
Bawolff moved T182209: [Clonable] Cast block start to int in maintenance SQL from Proposed tasks to Imported in GCI Site on the Google-Code-in-2017 board.
Wed, Dec 6, 6:55 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, MediaWiki-Maintenance-scripts, Google-Code-in-2017, Easy
Bawolff moved T182210: Remove references to deleted $this->debug in installer from Proposed tasks to Imported in GCI Site on the Google-Code-in-2017 board.
Wed, Dec 6, 6:55 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, MediaWiki-Installer, Google-Code-in-2017, Easy
Bawolff moved T182212: Convert includes/Feed.php to Mustache templates from Proposed tasks to Imported in GCI Site on the Google-Code-in-2017 board.
Wed, Dec 6, 6:54 PM · Patch-For-Review, MediaWiki-General-or-Unknown, Google-Code-in-2017, Easy
Bawolff moved T182213: [Clonable] replace wfMessage()->rawParams() with wfMessage()->plaintextParams() where applicable from Proposed tasks to Imported in GCI Site on the Google-Code-in-2017 board.
Wed, Dec 6, 6:54 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, MediaWiki-General-or-Unknown, MediaWiki-extensions-General, Google-Code-in-2017, Easy, Security
Bawolff added a comment to T182198: Retrieve showing a "skin" property in "user_properties" table on DB replicas.

While skin is not super sensitive, it is still something that MW keeps secret, and hence something I don't think we should show.

Wed, Dec 6, 6:43 PM · Security, Data-Services
Bawolff triaged T182213: [Clonable] replace wfMessage()->rawParams() with wfMessage()->plaintextParams() where applicable as Low priority.
Wed, Dec 6, 6:29 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, MediaWiki-General-or-Unknown, MediaWiki-extensions-General, Google-Code-in-2017, Easy, Security
Bawolff awarded T182002: +2 for WMDE-Fisch in mediawiki/* a Like token.
Wed, Dec 6, 6:04 PM · User-Addshore, Repository-Ownership-Requests
Bawolff created T182214: Get securityCheckPlugin on packagist.
Wed, Dec 6, 5:18 PM · phan-taint-check-plugin, Security-Team
Bawolff created T182213: [Clonable] replace wfMessage()->rawParams() with wfMessage()->plaintextParams() where applicable.
Wed, Dec 6, 4:59 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, MediaWiki-General-or-Unknown, MediaWiki-extensions-General, Google-Code-in-2017, Easy, Security
Bawolff created T182212: Convert includes/Feed.php to Mustache templates.
Wed, Dec 6, 4:57 PM · Patch-For-Review, MediaWiki-General-or-Unknown, Google-Code-in-2017, Easy
Bawolff created T182210: Remove references to deleted $this->debug in installer.
Wed, Dec 6, 4:52 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, MediaWiki-Installer, Google-Code-in-2017, Easy
Bawolff created T182209: [Clonable] Cast block start to int in maintenance SQL.
Wed, Dec 6, 4:47 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, MediaWiki-Maintenance-scripts, Google-Code-in-2017, Easy
Bawolff created T182208: Replace manual IN query with select wrapper in maintenance/storage/checkStorage.php.
Wed, Dec 6, 4:42 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Google-Code-in-2017, Easy
Bawolff added a project to T180159: As a hardening measure, MW's various comment based strip markers (e.g. <!--LINK 0:0-->) should include quotes to avoid being included in attributes: Google-Code-in-2017.
Wed, Dec 6, 4:30 PM · MW-1.31-release-notes (WMF-deploy-2017-12-12 (1.31.0-wmf.12)), Patch-For-Review, Google-Code-in-2017, MediaWiki-Parser, Security
Bawolff committed rMTPS47b2571f4be1: Update composer.json (authored by Bawolff).
Update composer.json
Wed, Dec 6, 4:16 PM
Bawolff committed rMTPS2ac98e59f708: Support installing via composer. (authored by Bawolff).
Support installing via composer.
Wed, Dec 6, 4:16 PM
Bawolff committed rMTPS36190451e0a9: Update README (authored by Bawolff).
Update README
Wed, Dec 6, 4:16 PM
Bawolff committed rMTPS8979041189ac: Move plugin entry points to root directory (authored by Bawolff).
Move plugin entry points to root directory
Wed, Dec 6, 4:16 PM