Bawolff (Brian Wolff)
Security

User Details

User Since
Oct 25 2014, 1:53 AM (221 w, 2 d)
Availability
Available
IRC Nick
Bawolff
LDAP User
Brian Wolff
MediaWiki User
Bawolff [ Global Accounts ]

I work on the MediaWiki Security Team.

Recent Activity

Fri, Jan 18

Bawolff added a comment to T7309: Localize captcha images.

FYI: My current opinion on this is we should drop the wordlist thing. I think most of the time the combining two words results in a string that is not recognizable as a word, and it probably helps computers more than humans.

Fri, Jan 18, 5:34 PM · Patch-For-Review, I18n, ConfirmEdit (CAPTCHA extension)
Bawolff added a comment to T214152: Security review for Extension:ExternalGuidance.

Just wondering, is there a reason for doing the new SiteMapper stuff, instead of using core's WikiMap (and related) class? (I haven't looked at WikiMap in a while, so the answer might just be that WikiMap really sucks)

Fri, Jan 18, 5:27 PM · Security-Team-Reviews, Security, ExternalGuidance

Wed, Jan 16

Bawolff merged T26274: Allow Sanitizer to process tbody into T5156: Request not to filter <tbody> and </tbody> codes.
Wed, Jan 16, 9:39 PM · MediaWiki-Parser
Bawolff added a comment to T213351: Timeboxed investigation into browser fingerprinting for anti-abuse report to WMF Board.

This Google doc (accessible to all WMF staff) has all our project notes to date (again, we just started) and I've added a summary of your comments. I will publish an update on our cross-department program's Meta page about blocking tools.

Wed, Jan 16, 7:26 AM · Anti-Harassment (Bet — ב)
Bawolff added a comment to T213875: Explore alternatives to browser fingerprinting for anti-abuse efforts.

I think any conversation that starts from a place of "Lets stop all abuse" is not going to go anywhere. There's lots of different types of abuse on the wiki, involving different methods, motives and sophistication. Solutions are not going to be one size fits all and it will probably be a poor solution if it doesn't start from a place of usecases.

Wed, Jan 16, 6:49 AM · MediaWiki-User-management, Anti-Harassment

Tue, Jan 15

Bawolff added a comment to T213763: Session failure warning message ('sessionfailure') still gives bad advice.

That said, probably couldn't hurt to mention cookies as a possibility in that error message.

Tue, Jan 15, 4:29 PM · MediaWiki-Interface
Bawolff added a comment to T213763: Session failure warning message ('sessionfailure') still gives bad advice.

So looking at the code (I assume we are talking about login here):

Tue, Jan 15, 4:25 PM · MediaWiki-Interface
Bawolff added a comment to T155087: Security review for NamespaceRelations.

Inaccurate rationale for closure.

Tue, Jan 15, 3:37 PM · Security-Team-Reviews
Bawolff added a member for Security: Dsharpe.
Tue, Jan 15, 5:42 AM

Mon, Jan 14

Bawolff updated the task description for T213742: Onboarding David Sharpe to Security Team as Information Security Analyst.
Mon, Jan 14, 5:43 PM · Security-Team
Bawolff updated the task description for T213742: Onboarding David Sharpe to Security Team as Information Security Analyst.
Mon, Jan 14, 5:41 PM · Security-Team
Bawolff created T213742: Onboarding David Sharpe to Security Team as Information Security Analyst.
Mon, Jan 14, 5:40 PM · Security-Team

Sat, Jan 12

Bawolff added a comment to T21322: Hide bots from Logs.

If it is difficult to change the scheme, then I think it is quite possible to create a DB (something like MediaWiki:Admin-bots) with users which we can hide.

Sat, Jan 12, 3:42 PM · MediaWiki-User-management, Community-Wishlist-Survey-2015, MediaWiki-Logging

Fri, Jan 11

Bawolff added a comment to T213501: SVG validation fails for files with embedded raster images over ~200KB.

In my defense, look at the default values in old versions of the official docs: https://web.archive.org/web/20151002085202/https://secure.php.net/manual/en/function.file-get-contents.php

Fri, Jan 11, 12:16 AM · MW-1.33-notes (1.33.0-wmf.13; 2019-01-15), Patch-For-Review, Multimedia, Commons, MediaWiki-File-management

Thu, Jan 10

Bawolff added a comment to T213282: JSDuck at doc.wikimedia.org loads fonts from google.

I guess worst case scenario, we could add a post-processing step

Thu, Jan 10, 3:02 PM · Upstream, Privacy, MediaWiki-Documentation
Bawolff added a comment to T213351: Timeboxed investigation into browser fingerprinting for anti-abuse report to WMF Board.

I'm not sure which malicious actors we're worried about here - The primary questions seem almost certainly ethical & technical (does the mechanism actually work, what is the false positive rate, what is the false negative rate, etc).

Thu, Jan 10, 1:21 AM · Anti-Harassment (Bet — ב)

Wed, Jan 9

Bawolff added a comment to T177765: Security review of mediawiki-services-chromium-render.

Reading Infrastructure is about to take over the service, and one thing I'd like to get a clearer picture on (asking here as I'm sure this came up during the security review) is what level of network isolation the service is working at. Let's say an attacker can put malicious content into the wiki page, and Chromium executes that while rendering the page, and that causes it to send a bunch of requests. Will those requests be routed through Varnish etc. as if they came from the internet? What happens with e.g. .wmnet URLs?

Wed, Jan 9, 8:04 PM · Core Platform Team Backlog (Watching / External), Services (watching), Security-Team-Reviews
Bawolff created T213282: JSDuck at doc.wikimedia.org loads fonts from google.
Wed, Jan 9, 1:32 PM · Upstream, Privacy, MediaWiki-Documentation

Tue, Jan 8

Bawolff added a comment to T212911: My account was removed from the Wikimedia Github group.

I personally have no strong feelings about this, as long as there is a clear policy which is documented in a way that allows people on github to understand what assumptions they can make about members of the wikimedia project.

Tue, Jan 8, 6:29 PM · Security
Bawolff added a comment to T213131: New ORES model relies on translatewiki.net API, which is not hosted on WMF production.

@JBennett may have some thoughts on this from security's point of view.

Tue, Jan 8, 6:28 PM · Security, Scoring-platform-team, translatewiki.net, ORES

Mon, Jan 7

Bawolff added a comment to T213044: Potential privacy violations in emails on mailing lists (links posted in emails to external websites which track users).

As an addendum:

Mon, Jan 7, 11:45 PM · Operations, Privacy, Wikimedia-Mailing-lists
Bawolff closed T213044: Potential privacy violations in emails on mailing lists (links posted in emails to external websites which track users) as Declined.

Just set the mailing list to not allow html email. That's really the only fool proof way to get what you're asking for.

Mon, Jan 7, 11:38 PM · Operations, Privacy, Wikimedia-Mailing-lists
Bawolff added a comment to T149424: Security review the Extension:WikipediaExtracts.

@Sophivorus To give further context, to move this forwards, this really needs a champion with deploy access to push it forward. @greg can help you in determining what other requirements beyond security review are needed in order to get this deployed.

Mon, Jan 7, 7:09 PM · MediaWiki-extensions-WikipediaExtracts, Security-Team-Reviews
Bawolff moved T149869: Security review for PageForms from Waiting/Blocked to Awaiting remediation on the Security-Team-Reviews board.
Mon, Jan 7, 6:20 PM · Security, MediaWiki-extensions-Page_Forms, Security-Team-Reviews
Bawolff moved T149869: Security review for PageForms from Backlog to Waiting/Blocked on the Security-Team-Reviews board.
Mon, Jan 7, 6:20 PM · Security, MediaWiki-extensions-Page_Forms, Security-Team-Reviews
Bawolff changed the visibility for T149869: Security review for PageForms.
Mon, Jan 7, 5:57 PM · Security, MediaWiki-extensions-Page_Forms, Security-Team-Reviews
Bawolff added a comment to T149869: Security review for PageForms.

Ok, it's Jan 7. Making this public

Mon, Jan 7, 5:57 PM · Security, MediaWiki-extensions-Page_Forms, Security-Team-Reviews
Bawolff added a comment to T213088: Security Credentialing Efforts .

If you make an existing security task be a child task of a public task, it will only show up when people have rights to view, so it all works out fine.

Mon, Jan 7, 4:38 PM · Security-Team, Epic
Bawolff added a comment to T6845: CAPTCHA doesn't work for blind people.

So the question is why has work not been put aside to fix an issue of recognised high importance that will, 13 years after first being raised, resolve an issue that results in us discriminating against people who are (in many jurisdictions) a legally protected minority?

Mon, Jan 7, 12:52 AM · Security, WCAG-Level-A, Security-Extensions, Design, Accessibility, ConfirmEdit (CAPTCHA extension)

Fri, Jan 4

Bawolff added a comment to T6845: CAPTCHA doesn't work for blind people.

Would giving the user the ability to switch to a math based captcha if they are unable to read the regular captcha be a possible solution?

Fri, Jan 4, 12:56 PM · Security, WCAG-Level-A, Security-Extensions, Design, Accessibility, ConfirmEdit (CAPTCHA extension)
Bawolff added a comment to T212911: My account was removed from the Wikimedia Github group.

Do you think you should still be a member of the wikimedia "organization" on github? What are you using this membership for?

Fri, Jan 4, 12:54 PM · Security
Bawolff updated subscribers of T212621: jalexander should be removed from security@ as his emails are bouncing.
Fri, Jan 4, 12:41 PM · Operations, Security-Team

Thu, Jan 3

Bawolff added a comment to T6845: CAPTCHA doesn't work for blind people.

On a related note, recaptcha isn't just a concern about FOSS, there are also concerns about privacy and security of allowing a third party to run JS on our sites.

Thu, Jan 3, 3:19 PM · Security, WCAG-Level-A, Security-Extensions, Design, Accessibility, ConfirmEdit (CAPTCHA extension)
Bawolff added a comment to T6845: CAPTCHA doesn't work for blind people.

On a related note, given WMF has now started to abandon the old and highly restrictive policy of only ever using free and open source software, alternative CAPTCHA services can now be considered.

Thu, Jan 3, 3:18 PM · Security, WCAG-Level-A, Security-Extensions, Design, Accessibility, ConfirmEdit (CAPTCHA extension)
Bawolff changed the visibility for T212787: Wikidata slack channel token in public config file.
Thu, Jan 3, 2:36 PM · Wikidata-Campsite (Wikidata-Campsite-Iteration-∞), Wikidata, Security

Wed, Jan 2

Bawolff created T212794: jenkins vulnerability checker is hitting ratelimits.
Wed, Jan 2, 5:18 PM · Continuous-Integration-Infrastructure, Security-Team
Bawolff added a project to T212787: Wikidata slack channel token in public config file: Wikidata.
Wed, Jan 2, 3:34 PM · Wikidata-Campsite (Wikidata-Campsite-Iteration-∞), Wikidata, Security
Bawolff created T212787: Wikidata slack channel token in public config file.
Wed, Jan 2, 3:32 PM · Wikidata-Campsite (Wikidata-Campsite-Iteration-∞), Wikidata, Security
Bawolff added a comment to T212781: Strategy for how to change the "cu_changes" DB schema.

So one big table holding the data for all the wikis is probably not a good idea as you'd be creating just a big massive table.

Wed, Jan 2, 3:25 PM · User-Rxy, Schema-change, DBA, Epic, Anti-Harassment, Trust-and-Safety, Stewards-and-global-tools, CheckUser

Sat, Dec 29

Bawolff updated subscribers of T212430: Exception from ResourceLoaderULSModule (ext.uls.languagenames) on frr.wikipedia.org "JSON serialization of config data failed.".
Sat, Dec 29, 3:04 PM · MediaWiki-extensions-CLDR, MW-1.33-notes (1.33.0-wmf.12; 2019-01-08), Wikimedia-production-error
Bawolff added a comment to T212430: Exception from ResourceLoaderULSModule (ext.uls.languagenames) on frr.wikipedia.org "JSON serialization of config data failed.".

I suspect it's caused by a7cbc776ba7

Sat, Dec 29, 3:04 PM · MediaWiki-extensions-CLDR, MW-1.33-notes (1.33.0-wmf.12; 2019-01-08), Wikimedia-production-error
Bawolff renamed T212667: Create mitigations for account creation spam attack [public task] from Emergency measure: Set wgAccountCreationThrottle => 2 to Create mitigations for account creation spam attack [public task].
Sat, Dec 29, 2:04 PM · Security-Team, Patch-For-Review, Wikimedia-Site-requests
Bawolff added a project to T212667: Create mitigations for account creation spam attack [public task]: Security-Team.
Sat, Dec 29, 2:03 PM · Security-Team, Patch-For-Review, Wikimedia-Site-requests

Fri, Dec 28

Bawolff added a comment to T212667: Create mitigations for account creation spam attack [public task].

Mentioned in SAL (#wikimedia-operations) [2018-12-28T15:28:05Z] <bawolff@deploy1001> Synchronized private/PrivateSettings.php: Attempt to adjust captcha settings for T212667 (duration: 00m 46s)

Fri, Dec 28, 3:29 PM · Security-Team, Patch-For-Review, Wikimedia-Site-requests
Bawolff added a comment to T212599: MediaWiki logo does not show in PHPVersionCheck.php on Windows installations.

Ah, according to php docs: https://secure.php.net/manual/en/function.dirname.php it sounds like dirname( '/' ); will maybe output \ on windows, so that's probably where it's coming from.

Fri, Dec 28, 11:08 AM · Patch-For-Review, MediaWiki-Installer
Bawolff added a comment to T212599: MediaWiki logo does not show in PHPVersionCheck.php on Windows installations.

Hmm, maybe this is from line 37 of index.php:

Fri, Dec 28, 11:04 AM · Patch-For-Review, MediaWiki-Installer
Bawolff added a comment to T212599: MediaWiki logo does not show in PHPVersionCheck.php on Windows installations.

$scriptPath is supposed to be the path for a URL. So / would be correct even on windows.

Fri, Dec 28, 12:10 AM · Patch-For-Review, MediaWiki-Installer

Thu, Dec 27

Bawolff added a comment to T212654: Consider deprecating Project:Support_desk in favor of Wikimedia Developer Support.

Sorry for being negative, but...

Thu, Dec 27, 11:03 PM · Developer-Advocacy, Discourse
Bawolff closed T212650: Please update the interwiki cache as Resolved.
Thu, Dec 27, 3:22 PM · Wikimedia-Site-requests

Wed, Dec 26

Bawolff created T212621: jalexander should be removed from security@ as his emails are bouncing.
Wed, Dec 26, 10:14 AM · Operations, Security-Team

Dec 18 2018

Bawolff added a project to T212236: Installer doesn't handle connection error in SHOW ENGINES gracefully: good first bug.
Dec 18 2018, 5:08 PM · good first bug, MediaWiki-Installer
Bawolff created T212236: Installer doesn't handle connection error in SHOW ENGINES gracefully.
Dec 18 2018, 5:07 PM · good first bug, MediaWiki-Installer

Dec 16 2018

Bawolff updated subscribers of T211849: A particular edit not showing on watchlist.

Note, there was some relatively recent changes to the schema for change tags - T185355

Dec 16 2018, 1:39 AM · MediaWiki-Recent-changes, User-Ladsgroup, Regression, Growth-Team, MediaWiki-Watchlist

Dec 15 2018

Bawolff added a comment to T211550: Password length check should count unicode characters.

In the context of Unicode discussions “characters” is an ill-advised term because some code points—such as U+FFFE—are explicitly defined as “non-characters”.

Also, what about passwords which are not valid UTF-8 strings? Will something containing \300 or \301 be rejected on this ground?

Dec 15 2018, 9:15 PM · MediaWiki-User-login-and-signup

Dec 13 2018

Bawolff updated subscribers of T205482: CodeReview extension: Code stewardship review.
Dec 13 2018, 8:19 PM · MediaWiki-extensions-CodeReview, Code-Stewardship-Reviews
Bawolff added a comment to T205482: CodeReview extension: Code stewardship review.

Why not just archive it?

Dec 13 2018, 8:18 PM · MediaWiki-extensions-CodeReview, Code-Stewardship-Reviews
Bawolff added a comment to T149869: Security review for PageForms.

So this has now been marked as secret for 22 months. I appreciate that some of the lesser issues still aren't fixed, but security tasks are intended to only be kept secret for a limited amount of time to allow for fixes to be applied. Tasks like these are not supposed to be kept confidential indefinitely.

Dec 13 2018, 7:49 AM · Security, MediaWiki-extensions-Page_Forms, Security-Team-Reviews

Dec 12 2018

Bawolff closed T210920: Fix incorrect <link> & <guid> fields for RSS feed for watchlist as Resolved.
Dec 12 2018, 6:55 PM · MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Patch-For-Review, Google-Code-in-2018, MediaWiki-API, MediaWiki-Watchlist, Growth-Team

Dec 11 2018

Bawolff added a comment to T210920: Fix incorrect <link> & <guid> fields for RSS feed for watchlist.

Sorry for the confusion in the instructions. The bug is only present for certain log types, such as: newusers, renameuser, block, rights, gblblock, globalauth, massmessage.

Dec 11 2018, 4:35 PM · MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Patch-For-Review, Google-Code-in-2018, MediaWiki-API, MediaWiki-Watchlist, Growth-Team

Dec 10 2018

Bawolff changed the visibility for T209585: Special:CheckUserLog is accessible while a user with checkuser-log right is blocked.
Dec 10 2018, 10:46 AM · CheckUser, Security
Bawolff added a comment to T211550: Password length check should count unicode characters.

The internet also claims grapheme_strlen is a thing - https://secure.php.net/manual/en/function.grapheme-strlen.php but it didn't seem to work when I tested locally...

Dec 10 2018, 10:06 AM · MediaWiki-User-login-and-signup
Bawolff added a comment to T211550: Password length check should count unicode characters.

using mb_strlen instead of strlen would probably get us 60% of the way to something reasonable.

Dec 10 2018, 9:59 AM · MediaWiki-User-login-and-signup
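The three comments above (strlen vs mb_strlen, grapheme_strlen, non-characters and invalid UTF-8) each talk about a different notion of "length". The following is an added illustration, not code from the task or from MediaWiki: it measures a handful of constructed sample passwords as UTF-8 bytes (what PHP's strlen sees), as code points (what mb_strlen sees) and as user-perceived characters (a simplified stand-in for grapheme_strlen; the clustering rules are an approximation of UAX #29 and are an assumption of this example), flags Unicode non-characters such as U+FFFE, and shows what a strict decoder does with a byte sequence containing \300.

```python
import unicodedata
from typing import Optional

# Constructed sample passwords (not from the task), chosen so that the three
# notions of "length" disagree.
SAMPLES = {
    "ascii": "hunter22",
    "precomposed": "caf\u00e9",            # e-acute as one code point, two bytes
    "combining": "cafe\u0301",             # e + combining acute: 2 code points, 1 grapheme
    "flag": "\U0001F1E8\U0001F1E6",        # regional indicators C+A: 2 code points, 1 grapheme
    "noncharacter": "abc\uFFFE",           # U+FFFE is a Unicode non-character
}

def byte_length(pw: str) -> int:
    """What PHP's strlen() reports: the number of UTF-8 bytes."""
    return len(pw.encode("utf-8"))

def codepoint_length(pw: str) -> int:
    """What PHP's mb_strlen($pw, 'UTF-8') reports: the number of code points."""
    return len(pw)

def grapheme_length(pw: str) -> int:
    """Approximation of grapheme_strlen(): count user-perceived characters.

    Assumption: a simplified UAX #29. A new cluster starts on any code point
    that is not a combining mark (Mn/Mc/Me), does not follow a zero-width
    joiner, and is not the second regional indicator of a flag pair.
    """
    count = 0
    prev_ri = False
    prev_zwj = False
    for ch in pw:
        cat = unicodedata.category(ch)
        is_ri = 0x1F1E6 <= ord(ch) <= 0x1F1FF
        if cat in ("Mn", "Mc", "Me") or ch == "\u200d" or prev_zwj:
            pass  # extends the previous cluster
        elif is_ri and prev_ri:
            prev_ri = False  # second half of a flag pair
            continue
        else:
            count += 1
        prev_ri = is_ri
        prev_zwj = ch == "\u200d"
    return count

def contains_noncharacter(pw: str) -> bool:
    """True if pw holds a Unicode non-character (U+FDD0..U+FDEF or any U+xxFFFE/U+xxFFFF)."""
    return any(0xFDD0 <= ord(c) <= 0xFDEF or (ord(c) & 0xFFFE) == 0xFFFE for c in pw)

def decode_password(raw: bytes) -> Optional[str]:
    """Return the decoded password, or None if the bytes are not valid UTF-8.

    The overlong sequence \\xc0\\x80 (a '\\300' byte, as in the question above)
    is rejected by a strict decoder, so such input never reaches a length check.
    """
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None

def length_report(pw: str) -> dict:
    """All three lengths plus the non-character flag, for one password."""
    return {
        "bytes": byte_length(pw),
        "codepoints": codepoint_length(pw),
        "graphemes": grapheme_length(pw),
        "has_noncharacter": contains_noncharacter(pw),
    }

if __name__ == "__main__":
    for name, pw in SAMPLES.items():
        print(f"{name:13s} {length_report(pw)}")
    print("invalid utf-8 ->", decode_password(b"pa\xc0\x80ss"))
```

A minimum-length policy expressed in bytes rejects "café" at 4 characters but accepts a four-byte string of two code points, and a policy in code points still counts a single flag as two; whichever unit is chosen, the decision about invalid UTF-8 has to be made before the count is taken.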
Bawolff added a comment to T150826: Remove unblockself right on wikimedia wikis (but allow blocked admins to block their blocker).

I tell you what I find truly infuriating about this implementation

  1. A solution to a problem at enWP became everyone's solution whether they had the problem or not;
  2. There is nothing new about the problem, it has been known like "forever", however due to the problem at enWP, everyone got the solution and got it immediately;
  3. Because the solution fits for enWP, and their circumstance, it was imposed upon everyone without consideration whether it was the right solution for those wikis, but don't worry about it, we will fix that later.
Dec 10 2018, 8:36 AM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), MediaWiki-User-management, User-notice, Community-consensus-needed, Wikimedia-Site-requests

Dec 8 2018

Bawolff closed T210923: Make $wgCountCategorizedImagesAsUsed change the description message of Special:Unusedfiles as Resolved.
Dec 8 2018, 10:25 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, MediaWiki-Special-pages, Google-Code-in-2018

Dec 6 2018

Bawolff added a comment to T205378: Enable ESNI support on Wikimedia servers.

@Krenair @Bawolff @jcrespo Wondering if we can enable QUIC support on our server clusters instead? I've heard that the github Googlehosts is providing the QUIC access to Google HK.

Dec 6 2018, 8:30 AM · Upstream, HTTPS, Traffic, Operations
Bawolff added a comment to T204615: Generate new Captcha word list for prod.

Hmm, http://www.123seminarsonly.com/Seminar-Reports/008/47584359-captcha.pdf has some advice about eliminating characters that look alike (e.g. 1 and l)

Dec 6 2018, 8:24 AM · Security, Wikimedia-General-or-Unknown, ConfirmEdit (CAPTCHA extension)

Dec 5 2018

Bawolff added a comment to T204615: Generate new Captcha word list for prod.

I kind of think maybe we should just go with random letters. I don't think the combining two words thing helps users very much since usually they are weird enough words that it's not identifiable as a word. But it does probably help attackers quite a bit.

Dec 5 2018, 11:23 PM · Security, Wikimedia-General-or-Unknown, ConfirmEdit (CAPTCHA extension)
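The two comments above (dropping look-alike characters such as 1 and l, and preferring random letters over a pair of dictionary words) can be put in numbers. The block below is an added example and is not ConfirmEdit's code: it compares the search space an attacker faces for a two-word answer drawn from a known list with that of a random string over an alphabet stripped of confusable glyphs. The confusable set, the toy word list and the list size of 10,000 are assumptions of the example.

```python
import math
import secrets
import string

# Assumption: characters that are easy to confuse in a distorted image
# (the linked paper names 1 and l; the rest are typical additions).
CONFUSABLE = set("0o1l2z5s8b")
UNAMBIGUOUS_ALPHABET = "".join(
    c for c in string.ascii_lowercase + string.digits if c not in CONFUSABLE
)

# Constructed toy word list standing in for the production list.
WORDLIST = ["apple", "river", "stone", "cloud", "maple", "quartz", "zebra", "onion"]

def wordpair_search_space_bits(wordlist_size: int) -> float:
    """Entropy an attacker who knows the list faces: N*N candidate answers."""
    return 2 * math.log2(wordlist_size)

def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)

def random_letters_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest random-string length that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def splits_into_wordpair(answer: str, wordlist) -> bool:
    """An attacker can prune to len(wordlist)**2 candidates if the answer is two list words."""
    words = set(wordlist)
    return any(answer[:i] in words and answer[i:] in words for i in range(1, len(answer)))

def generate_wordpair(wordlist=WORDLIST) -> str:
    return secrets.choice(wordlist) + secrets.choice(wordlist)

def generate_random_string(length: int, alphabet: str = UNAMBIGUOUS_ALPHABET) -> str:
    """Random CAPTCHA text with confusable characters excluded."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def has_confusables(s: str) -> bool:
    return any(c in CONFUSABLE for c in s)

if __name__ == "__main__":
    pair_bits = wordpair_search_space_bits(10_000)
    print(f"two words from a 10,000-word list: {pair_bits:.1f} bits")
    n = random_letters_needed(pair_bits, len(UNAMBIGUOUS_ALPHABET))
    print(f"random letters needed to match that: {n} (alphabet of {len(UNAMBIGUOUS_ALPHABET)})")
    print("word pair:", generate_wordpair(), "random:", generate_random_string(n))
```

The point the comments make falls out of the numbers: a ten-character word pair from a 10,000-word list is worth under 27 bits to an attacker who has the list, while six random characters from a 26-symbol unambiguous alphabet already exceed that, and the random string is no harder for a human to read because the word pair was never a recognisable word anyway.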
Bawolff added a comment to T197501: Make users without 2FA setup not have checkuser right regardless of their groups.

It was pointed out to me that this might not be the best idea, because if an attacker compromises an account that has temporarily removed 2FA, the attacker can just enroll into 2FA to get back access.

Dec 5 2018, 10:31 PM · Stewards-and-global-tools, MediaWiki-Authentication-and-authorization, CheckUser, MediaWiki-extensions-OATHAuth
Bawolff created T211175: api list=deletedrevs errors when drlimit given a float value.
Dec 5 2018, 7:25 AM · MediaWiki-API
Bawolff created T211174: list=contenttranslationtrend sometimes uses invalid query.
Dec 5 2018, 5:57 AM · ContentTranslation

Dec 4 2018

RandomDSdevel awarded T150826: Remove unblockself right on wikimedia wikis (but allow blocked admins to block their blocker) a Barnstar token.
Dec 4 2018, 2:48 AM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), MediaWiki-User-management, User-notice, Community-consensus-needed, Wikimedia-Site-requests
Bawolff added a comment to T210329: CheckUsers have unlogged access to IP addresses via the AbuseFilter API.

CheckUsers have unlogged access to IP addresses via the AbuseFilter API

Dec 4 2018, 12:04 AM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Privacy, AbuseFilter, Security

Dec 3 2018

Bawolff changed the visibility for T210791: The origin param in the Action API exposes intranet installs to any web page.
Dec 3 2018, 7:09 PM · MediaWiki-API, Security
Bawolff updated subscribers of T210937: API query for userprops not working on group0 wikis (maybe because comment migration read-new).
Dec 3 2018, 7:27 AM · Core Platform Team Kanban (Done with CPT), MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Regression, MediaWiki-API
Bawolff renamed T210937: API query for userprops not working on group0 wikis (maybe because comment migration read-new) from API query for userprops not working on testwiki or officewiki or mediawikiwiki to API query for userprops not working on testwiki or officewiki or mediawikiwiki (maybe because comment migration read-new).
Dec 3 2018, 7:26 AM · Core Platform Team Kanban (Done with CPT), MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Regression, MediaWiki-API
Bawolff updated subscribers of T210937: API query for userprops not working on group0 wikis (maybe because comment migration read-new).

So the code (ApiQueryBase::showHiddenUsersAddBlockInfo) was introduced in 27c61fb1, but it's probably just showing up now since comment migration was set to read new on group 0 on nov 29 (T166733)

Dec 3 2018, 7:25 AM · Core Platform Team Kanban (Done with CPT), MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Regression, MediaWiki-API
Bawolff added a comment to T210937: API query for userprops not working on group0 wikis (maybe because comment migration read-new).

Ok, so it's doing the query

SELECT  user_id,user_name,user_real_name,user_email,user_touched,user_token,user_email_authenticated,user_email_token,user_email_token_expires,user_registration,user_editcount,user_actor.actor_id,ipb_deleted,ipb_id,ipb_expiry,ipb_timestamp,ipb_by,ipb_by_text,NULL AS `ipb_by_actor`,comment_ipb_reason.comment_text AS `ipb_reason_text`,comment_ipb_reason.comment_data AS `ipb_reason_data`,comment_ipb_reason.comment_id AS `ipb_reason_cid` 
FROM `user`
LEFT JOIN `actor` `user_actor` ON ((user_actor.actor_user = user_id))
LEFT JOIN `ipblocks` ON ((ipb_user=user_id) AND (ipb_expiry > '20181203070920'))
JOIN `comment` `comment_ipb_reason` ON ((comment_ipb_reason.comment_id = ipb_reason_id)) 
WHERE user_name = 'Quiddity'  ;
Dec 3 2018, 7:23 AM · Core Platform Team Kanban (Done with CPT), MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Regression, MediaWiki-API
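What the query above does to an unblocked user can be read off its join types: ipblocks is LEFT JOINed, so a user with no active block still yields a row with ipb_reason_id NULL, but comment is then inner JOINed on that NULL, which matches nothing and drops the user entirely. The block below is an added reproduction, not MediaWiki code: it builds three constructed tables in in-memory SQLite with one blocked and one unblocked user (the sample rows and the table shapes are assumptions of the example), runs a cut-down version of the query as written, and runs the same query with the comment join made a LEFT JOIN.

```python
import sqlite3

# Constructed, reduced versions of the three tables in the query above.
SCHEMA = """
CREATE TABLE `user` (user_id INTEGER PRIMARY KEY, user_name TEXT);
CREATE TABLE ipblocks (ipb_id INTEGER PRIMARY KEY, ipb_user INTEGER,
                       ipb_expiry TEXT, ipb_reason_id INTEGER);
CREATE TABLE comment (comment_id INTEGER PRIMARY KEY, comment_text TEXT);
"""
# Constructed rows: one user with an active block and one without.
ROWS = """
INSERT INTO `user` VALUES (1, 'Blocked'), (2, 'Quiddity');
INSERT INTO comment VALUES (10, 'spam');
INSERT INTO ipblocks VALUES (100, 1, 'infinity', 10);
"""

# Same join structure as the query in the comment above: LEFT JOIN ipblocks,
# then an inner JOIN on comment keyed by the (possibly NULL) ipb_reason_id.
INNER_JOIN_QUERY = """
SELECT user_name, ipb_id, comment_ipb_reason.comment_text AS ipb_reason_text
FROM `user`
LEFT JOIN ipblocks ON ipb_user = user_id AND ipb_expiry > ?
JOIN comment AS comment_ipb_reason ON comment_ipb_reason.comment_id = ipb_reason_id
WHERE user_name = ?
"""
# The same query with the comment join made optional as well.
LEFT_JOIN_QUERY = INNER_JOIN_QUERY.replace("\nJOIN comment", "\nLEFT JOIN comment")

def lookup(query: str, user_name: str, now: str = "20181203070920"):
    """Run one of the queries against a fresh in-memory copy of the sample data."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA + ROWS)
    try:
        return con.execute(query, (now, user_name)).fetchall()
    finally:
        con.close()

if __name__ == "__main__":
    for name in ("Blocked", "Quiddity"):
        print(name, "inner:", lookup(INNER_JOIN_QUERY, name),
              "left:", lookup(LEFT_JOIN_QUERY, name))
```

With the inner join the unblocked user produces no row at all, which is what list=users reports as a missing user; with the LEFT JOIN the user comes back with NULL block columns, and the blocked user is returned identically by both.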
Bawolff updated subscribers of T210937: API query for userprops not working on group0 wikis (maybe because comment migration read-new).
Dec 3 2018, 6:36 AM · Core Platform Team Kanban (Done with CPT), MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Regression, MediaWiki-API
Bawolff added a comment to T210937: API query for userprops not working on group0 wikis (maybe because comment migration read-new).

It seems like minimal reproducible test case is: https://test.wikipedia.org/w/api.php?format=jsonfm&formatversion=2&action=query&list=users&usprop=blockinfo&ususers=Quiddity

Dec 3 2018, 6:35 AM · Core Platform Team Kanban (Done with CPT), MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Regression, MediaWiki-API

Dec 1 2018

Bawolff moved T210923: Make $wgCountCategorizedImagesAsUsed change the description message of Special:Unusedfiles from Proposed tasks to Imported in GCI Site on the Google-Code-in-2018 board.

imported https://codein.withgoogle.com/tasks/5193222952321024/

Dec 1 2018, 3:55 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, MediaWiki-Special-pages, Google-Code-in-2018
Bawolff updated the task description for T210923: Make $wgCountCategorizedImagesAsUsed change the description message of Special:Unusedfiles.
Dec 1 2018, 3:53 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, MediaWiki-Special-pages, Google-Code-in-2018
Bawolff created T210923: Make $wgCountCategorizedImagesAsUsed change the description message of Special:Unusedfiles.
Dec 1 2018, 3:52 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, MediaWiki-Special-pages, Google-Code-in-2018
Bawolff added a comment to T210920: Fix incorrect <link> & <guid> fields for RSS feed for watchlist.

Imported https://codein.withgoogle.com/tasks/6561852751347712/

Dec 1 2018, 3:25 PM · MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Patch-For-Review, Google-Code-in-2018, MediaWiki-API, Growth-Team, MediaWiki-Watchlist
Bawolff created T210920: Fix incorrect <link> & <guid> fields for RSS feed for watchlist.
Dec 1 2018, 3:15 PM · MW-1.33-notes (1.33.0-wmf.9; 2018-12-18), Patch-For-Review, Google-Code-in-2018, MediaWiki-API, Growth-Team, MediaWiki-Watchlist
Bawolff added a comment to T210909: Introduce secure mode to MediaWiki.

Disable custom JavaScript. We probably can't get away with disabling all of it, since some workflows involving sensitive functionality make heavy use of user scripts, e.g. steward or checkuser tools, but we should at least limit user-contributed scripts to the least insecure types, such as gadgets; and prevent the loading of user scripts belonging to different users, and scripts from another domain.

Dec 1 2018, 6:22 AM · MediaWiki-Authentication-and-authorization, Security

Nov 30 2018

Bawolff added a comment to T210791: The origin param in the Action API exposes intranet installs to any web page.

I didn't think it was, but after a long (albeit, heated) discussion it seems like that is exactly the threat model of the same-origin policy. At least for credential-less cross-origin requests, but the browser will not send credentials cross-origin, so it is a matter of intranet sites.

Nov 30 2018, 2:23 PM · MediaWiki-API, Security
Bawolff added a comment to T210791: The origin param in the Action API exposes intranet installs to any web page.

On one hand, I kind of feel like it's a browser issue - Should they really allow globally routed internet apps to make requests to a private IP space intranet app. But that's probably kind of impossible.

That's the purpose of the same-origin policy. Our software is providing an exception to that policy.

Nov 30 2018, 5:00 AM · MediaWiki-API, Security
Bawolff added a comment to T210790: Action API should default to origin=* on Wikimedia Wikis.

Note previous discussion on T62835 - perhaps it was unnecessarily paranoid.

Nov 30 2018, 12:29 AM · MediaWiki-API
Bawolff added a comment to T210791: The origin param in the Action API exposes intranet installs to any web page.

On one hand, I kind of feel like it's a browser issue - Should they really allow globally routed internet apps to make requests to a private IP space intranet app. But that's probably kind of impossible.

Nov 30 2018, 12:13 AM · MediaWiki-API, Security
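The exchange above turns on two separate decisions: what the server answers for a given origin parameter, and whether the browser then lets the calling page read that answer. The block below is an added model of both, not MediaWiki's ApiMain code and not the resolution of the task: the server side is a simplified origin handler (the allowlist of credentialed origins is a constructed stand-in for a $wgCrossSiteAJAXdomains-style setting), the browser side is the standard CORS read rule, and the final private-address check is a hardening idea of this example, offered as an assumption about how an intranet install could decline the wildcard.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed allowlist of origins allowed to make credentialed requests.
CREDENTIALED_ORIGINS = {"https://en.wikipedia.org"}

def server_cors_headers(origin_header: Optional[str], origin_param: Optional[str],
                        allowlist=CREDENTIALED_ORIGINS) -> Tuple[Dict[str, str], bool]:
    """Simplified server-side origin handling (a model, not MediaWiki's code).

    Returns (CORS response headers, whether the request runs with the user's cookies).
    """
    if origin_param is None:
        return {}, True  # not a CORS request; cookies apply as usual
    if origin_param == "*":
        # Wildcard: any page may read the response, so it is served logged-out.
        return {"Access-Control-Allow-Origin": "*", "Vary": "Origin"}, False
    if origin_header != origin_param or origin_header not in allowlist:
        return {}, False  # mismatch or unknown origin: no CORS headers at all
    return {
        "Access-Control-Allow-Origin": origin_header,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }, True

def browser_exposes_response(page_origin: str, headers: Dict[str, str],
                             with_credentials: bool) -> bool:
    """Browser side: may script running on page_origin read this cross-origin response?"""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao == "*":
        return not with_credentials  # '*' is never honoured for credentialed requests
    return acao == page_origin and (
        not with_credentials or headers.get("Access-Control-Allow-Credentials") == "true"
    )

def is_private_address(host_ip: str) -> bool:
    ip = ipaddress.ip_address(host_ip)
    return ip.is_private or ip.is_loopback or ip.is_link_local

def wildcard_origin_safe(server_ip: str) -> bool:
    """Hardening check (an assumption of this example): only honour origin=*
    when the wiki is reachable from the public internet anyway."""
    return not is_private_address(server_ip)

def attacker_can_read(page_origin: str, origin_param: str, server_ip: str) -> bool:
    """End to end: a page on page_origin calls an intranet wiki's API with origin_param."""
    if origin_param == "*" and not wildcard_origin_safe(server_ip):
        return False  # intranet install declines the wildcard
    headers, _cookies = server_cors_headers(page_origin, origin_param)
    return browser_exposes_response(page_origin, headers, with_credentials=False)

if __name__ == "__main__":
    print("intranet wiki, origin=*:", attacker_can_read("https://evil.example", "*", "10.0.0.5"))
    print("public wiki,   origin=*:", attacker_can_read("https://evil.example", "*", "8.8.8.8"))
```

Without the last check, a page on https://evil.example gets a wildcard response from a wiki at 10.0.0.5 and the browser lets it read the body, which is the intranet exposure the task describes; the same request with credentials is refused by the browser regardless, which is the "browser will not send credentials cross-origin" half of the discussion.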

Nov 28 2018

Bawolff added a comment to T210634: Scribunto test “LuaStandalone: SecurityTests[1]: CVE-2014-5461” failing in Wikibase CI builds.

The gci task is already accepted - we can't force the student to do more work (we can of course ask nicely)

Nov 28 2018, 9:08 PM · Patch-For-Review, Continuous-Integration-Config, MediaWiki-extensions-Scribunto, Wikidata

Nov 27 2018

Bawolff added a comment to T150826: Remove unblockself right on wikimedia wikis (but allow blocked admins to block their blocker).

On the subject of rate limits: I guess it could make sense if they only applied when blocking a user with the ability to block other accounts. I still think the block user who blocked you is a better mitigation

Nov 27 2018, 10:30 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), MediaWiki-User-management, User-notice, Community-consensus-needed, Wikimedia-Site-requests
Bawolff added a comment to T150826: Remove unblockself right on wikimedia wikis (but allow blocked admins to block their blocker).

Fwiw: on the subject of unblockself rights - even if all admins have that the attacker could still just immediately (via an automated script) reblock anyone who unblocks themselves as soon as they do so, before they can block the attacker. Sure eventually a defender could write a script to win the race condition, but it would probably take longer to do that than just fetch a steward. So I don't think removing unblockself significantly increases the risk of an attacker blocking all other admins.

Nov 27 2018, 10:28 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), MediaWiki-User-management, User-notice, Community-consensus-needed, Wikimedia-Site-requests
Bawolff added a comment to T150826: Remove unblockself right on wikimedia wikis (but allow blocked admins to block their blocker).

There's discussion on enwiki about also having a rate limit on blocking users. Seems like a reasonable enough idea, but we'd want it high, as we really only want it in cases of truly malicious users.

Please, please, please do not do this globally without a meta RfC or some form of other discussion. (and should require every wiki’s community to be notified, or for it to be handled on a wiki-by-wiki basis)

I am strongly opposed to this, and I’m sure many others are as well who are not watching this ticket.

Nov 27 2018, 8:09 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), MediaWiki-User-management, User-notice, Community-consensus-needed, Wikimedia-Site-requests
D3r1ck01 awarded T209775: Nominate Alangi Derick for +2 on mediawiki/* a Love token.
Nov 27 2018, 7:05 PM · Repository-Ownership-Requests
Bawolff added a comment to T150826: Remove unblockself right on wikimedia wikis (but allow blocked admins to block their blocker).

There's discussion on enwiki about also having a rate limit on blocking users. Seems like a reasonable enough idea, but we'd want it high, as we really only want it in cases of truly malicious users.

Nov 27 2018, 6:59 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), MediaWiki-User-management, User-notice, Community-consensus-needed, Wikimedia-Site-requests
Bawolff added a comment to T150826: Remove unblockself right on wikimedia wikis (but allow blocked admins to block their blocker).

Why was this done globally instead of just to enwiki as requested? No other project requested this as far as I'm aware. To remove unblockself from all wikis, especially smaller ones where there are only one or two admins, raises a bunch of problems. It would be better if the devs only did this on the projects that requested it instead of extending the massive paranoia to every single project.

Nov 27 2018, 4:21 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), MediaWiki-User-management, User-notice, Community-consensus-needed, Wikimedia-Site-requests
Bawolff added a comment to T150826: Remove unblockself right on wikimedia wikis (but allow blocked admins to block their blocker).

In T150826#4775305, @Tgr wrote:

    [...]

    Allow blocked admins to block the user who blocked them (but not others). That removes first-mover advantage on small wikis - in case of serious trouble the admins will lock each other out and things will mostly be at a standstill until stewards come and clean things up.

Nov 27 2018, 4:14 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), MediaWiki-User-management, User-notice, Community-consensus-needed, Wikimedia-Site-requests

Nov 26 2018

Bawolff added a comment to T210329: CheckUsers have unlogged access to IP addresses via the AbuseFilter API.

This patch doesn't seem to apply cleanly

patching file includes/api/ApiQueryAbuseLog.php
Hunk #1 FAILED at 56.
Hunk #2 FAILED at 66.
Hunk #3 FAILED at 95.
Hunk #4 FAILED at 190.
Hunk #5 FAILED at 283.
5 out of 5 hunks FAILED -- saving rejects to file includes/api/ApiQueryAbuseLog.php.rej
Nov 26 2018, 11:59 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), Patch-For-Review, Privacy, AbuseFilter, Security
Bawolff added a comment to T150826: Remove unblockself right on wikimedia wikis (but allow blocked admins to block their blocker).

If you have 2 honest admins, they can just unblock each other.

Nov 26 2018, 8:06 PM · MW-1.33-notes (1.33.0-wmf.8; 2018-12-11), MediaWiki-User-management, User-notice, Community-consensus-needed, Wikimedia-Site-requests