I work on the MediaWiki Security Team.
Looking at the code, what you're describing can't really happen. Are you sure you didn't just set $wgSpamRegex to something else in LocalSettings.php, and the problem went away when you added $wgSpamRegex = false; at the end of LocalSettings.php because it overrode the previous code in LocalSettings.php?
Note, the default has been an array since 2008 - 06e3d0e3777
Where SESSION_ID is the user's session id. This would create a new mask every time the user's session was generated (i.e. each new device and browser, etc.). This would, of course, break the social contract of what the mask represents, but would be technically trivial to implement as the masks would function identically to the IP masks.
From a Wikipedia anti-vandal perspective, I suspect the hardest sell would be not being able to see patterns related to ranges/ip-distance, at a glance.
Sat, Jul 6
Tue, Jul 2
Tue, Jun 25
So yeah, I guess this counts as passing security review as none of those issues were security related. May need additional security review if the extension changes significantly. Should still get approval from Rel engineering before deploy.
Fri, Jun 21
Main reason it's restricted is it used to be autoconfirm but enwiki got mad (if I recall)
Jun 12 2019
May 22 2019
May 17 2019
May 14 2019
May 10 2019
So I guess this isn't quite ready for a security review given previous comment, but some thoughts
This is old enough now to no longer be relevant.
Ah, that's confusing. Thanks.
The threat model here is kind of debatable. It's unclear what security goals we are trying to accomplish with the displaytitle restrictions, and thus I'm unsure (unsure in the sense of actually do not know, not unsure in the sense of disagreeing) if further restrictions on it are justified.
May 9 2019
May 8 2019
wikititle:/// is supposed to prevent query parameters from being used, however it could probably be bypassed if they are percent encoded due to T96274 (e.g. https://en.wikipedia.org/wiki/Main_Page%3faction=history%26curid=2120 is interpreted by our servers incorrectly)
May 7 2019
May 6 2019
I think the main things we want to check:
May 2 2019
Note security did some minor adjustments to the revdel process on tuesday but nothing that should cause this.
Apr 30 2019
Just FYI I tested this on history pages, and the bug is not present on history pages.
Apr 29 2019
My understanding is that the content translation tool is optimized for the use case where the two translations are independent (e.g. between wikis), whereas E:Translate is optimized for the use case of translating documents where one of the languages is controlling (e.g. like software translation). Admittedly I don't follow translation stuff very closely, so I may just be mistaken, but assuming that assumption is correct, may I ask what the rationale is for integrating into ContentTranslation over E:Translate?
Apr 26 2019
For what you are literally asking for: https://tools.wmflabs.org/guc/
Apr 23 2019
so I think we've done everything on our end. See my comment above for my comments on the library - please address those things before using vega 3. Let me know if you have any questions.
Apr 22 2019
Apr 20 2019
https://www.ssllabs.com/ssltest/analyze.html?d=gerrit.wikimedia.org&s=2620%3a0%3a861%3a3%3a208%3a80%3a154%3a85&latest suggests ssl3 is already disabled
Apr 18 2019
Hmm, L and K having a Hamming distance of 3 - could this possibly be a memory error that wasn't detectable by ECC as a 3 bit error?
Apr 16 2019
There is no formal definition, but in practice, it means anything that is maintained by WMF staff
Apr 9 2019
Apr 8 2019
Screenshot. Note that not a single row of the history page shows up. (Note: My font size may be mildly above normal. Some of us like big letters to help our eyes. Notwithstanding that, I would consider this an unreasonable amount of screen real-estate being taken up).
Just FYI, I would describe half as an underexaggeration. Screenshot incoming
Apr 7 2019
Note, @RhinosF1 is also complaining about this issue in #mediawiki IRC about the site https://thelostjewel.com/index.php?title=Special:Log&dir=prev&type=newusers&user=&page=&wpdate=&tagfilter=
Apr 5 2019
Apr 4 2019
Honestly, probably better to use the extension if it still works, uncyclomedia probably doesn't have big enough categories to matter.
Apr 3 2019
Apr 2 2019
Apr 1 2019
(e.g. Checking what percentage of enwiki admins have 2FA enabled).
For reference, the english translation of the error seems to be:
Bad username given Cannot look for contributions without a user or with a user that does not exist.
So reading a bit about client side performance [this is not my area of expertise] - the best thing (all other things being equal) to do is transfer fewer bytes. But that's easier said than done.
Mar 31 2019
"EventFactory.php" line 144 also seems kind of wrong. It's passing the wiki name to self::getDomain, but the docs for self::getDomain indicate that that parameter is a boolean for whether or not the wiki display name is used, not a value to pass the wikiid in.
I think there might be more than one thing going wrong here, but primarily:
So I think we should do some research into how much different CSS footprints affect performance before actually doing anything, but some initial thoughts on CSS in timeless:
Thank you for your detailed response.
Mar 30 2019
Mar 28 2019
Mar 27 2019
I'm cc'ing @Anomie as I'm not 100% sure, but this sounds very much like a regression from the actor migration.
FWIW, given how much press https://arstechnica.com/information-technology/2018/09/50-million-facebook-accounts-breached-by-an-access-token-harvesting-attack/ has been getting, view-as-other-people features make me nervous.
Mar 26 2019
We're a little worried about the ever expanding size of the security group in phabricator. There are very few visual editor related tasks in Security (You should be able to see them all now). For the moment we would like to just add you to the relevant tasks but not to the security group in general (Please ask if there is ever one you need to see that you can't). Please note this is not about you, we just needed to draw the line somewhere lest the security group becomes a total slippery slope.
I don't think there's anything to do here.
Mar 25 2019
In regards to API modules, you may want to consider making it similar to the authmanager login module, as during the normal login process people will be prompted for the 2FA stuff, so it will have to work with that flow anyways.
The user should be able to choose between enabled modules and maybe use them in parallel. But this will be put to the end of the project, as it may require some more work.
Mar 22 2019
Mar 21 2019
Mar 20 2019
So this is a bit of a grey area as to whether this change is within the realm of things that a community can request. The foundation may feel it wants a consistent feel to all the projects that it hosts.
FYI, these tests should already be run via CI (as part of composer tests)
Mar 18 2019
Yeah, it's tied pretty heavily to phan 0.8, which in turn is tied to PHP 7. There's an upcoming goal to move the plugin to a modern version of phan.