Bawolff (Brian Wolff)
Security

User Details

User Since: Oct 25 2014, 1:53 AM (203 w, 6 d)
Availability: Available
IRC Nick: Bawolff
LDAP User: Brian Wolff
MediaWiki User: Bawolff

I work on the MediaWiki Security Team.

Recent Activity

Yesterday

Bawolff added a project to T204016: ArticleCreationWorkflow does not actually enforce enwp's autoconfirmed requirement for page creation in the permission system: Security.
Thu, Sep 20, 6:15 PM · Security, Community-Tech-Sprint, Community-Tech, MediaWiki-extensions-ArticleCreationWorkflow
Bawolff added a comment to T202596: Write our anticipated "phase two" schemas and submit for review.

That looks really bad for performance. Not only does that scan the revision table from top to bottom (>200GB of data), making it slow, it is nondeterministically slow: it will be faster or slower depending on the parameters and existing data.

You can emulate it by running (don't run it, it doesn't finish on production and you may not be able to kill it):

root@db1089[enwiki]> select revision.rev_id, page.page_title from revision left join page     on page.page_title = concat('Diff/', revision.rev_id) where    page.page_namespace = 4 order by revision.rev_id desc limit 100;
^CCtrl-C -- query killed. Continuing normally.
ERROR 1317 (70100): Query execution was interrupted

Does this seem like a good alternative to maintaining a link table between rev_id and judgment_page.page_id?

Please create a suitable schema with simple queries. Queries that do more complex stuff than point selects using primary keys regarding the revision table will just not work on production, with very close to 1 billion rows. Please test your queries on the wiki replicas to check they are suitable for production.

Please CC in the future @Marostegui and @mark.

Thu, Sep 20, 7:30 AM · Patch-For-Review, DBA, Scoring-platform-team (Current), User-Joe, Operations, JADE
Bawolff created T204911: make phan-taint-check handle array_map.
Thu, Sep 20, 5:23 AM · phan-taint-check-plugin
Bawolff added a comment to T204094: Minerva taint error: Calling method \BaseTemplate::set() in \SkinMinerva::prepareHeaderAndFooter that outputs using tainted argument.

Yeah, I think it makes sense to move this job back to nonvoting until this ticket is figured out.

Thu, Sep 20, 1:23 AM · Patch-For-Review, Readers-Web-Backlog (Readers-Web-Kanbanana-Board-2018-19-Q1), Continuous-Integration-Config, MinervaNeue, phan-taint-check-plugin

Wed, Sep 19

Bawolff added a comment to T204016: ArticleCreationWorkflow does not actually enforce enwp's autoconfirmed requirement for page creation in the permission system.

@Bawolff A concern was raised in the team that this is potentially quite a bit heavier than a relatively quick security fix; it involves some potential back-and-forth on how to handle the behavior.

Now that we have the abuse filter that @MusikAnimal created, which seems to block the loophole itself on English Wiki, and considering that this is only enabled on English Wiki at all, can we work on a followup fix as non-security? As in, can we have it on gerrit, going through formal review?

Wed, Sep 19, 10:56 PM · Security, Community-Tech-Sprint, Community-Tech, MediaWiki-extensions-ArticleCreationWorkflow

Mon, Sep 17

Bawolff added a project to T204603: #Security access for Mooeypoo: Security-Team.
Mon, Sep 17, 9:13 PM · Security-Team, Security
Bawolff added a comment to T204590: Add sbassett to security@.

Can someone add @sbassett to security@ please?

done, based on "new security engineer"

I think apalmer@wikimedia.org needs to be removed

Can OIT please trigger the regular offboarding workflow to notify us? It already caused a mess (spam/bounces) that the email address was removed without warning (on a weekend even) while still being on aliases, and we still don't know if this is a full offboarding.

Mon, Sep 17, 9:07 PM · Operations
Bawolff removed a member for Security-Team: Hiramcoop.
Mon, Sep 17, 7:37 PM
Bawolff added a comment to T204590: Add sbassett to security@.

While we are on the subject, I think apalmer@wikimedia.org needs to be removed

Mon, Sep 17, 7:27 PM · Operations
Bawolff closed T199996: Security Issue Access Request for Quiddity as Resolved.

Added

Mon, Sep 17, 2:52 PM · Security
Bawolff added a member for Security: Quiddity.
Mon, Sep 17, 2:52 PM
Bawolff placed T201492: Security review for FormWizard extension up for grabs.

Review of revision 988d242afdd2

Mon, Sep 17, 4:15 AM · FormWizard, Security-Reviews

Sun, Sep 16

Bawolff added a comment to T204016: ArticleCreationWorkflow does not actually enforce enwp's autoconfirmed requirement for page creation in the permission system.

Would Community-Tech be able to work on remediating this issue, as the team that worked on this feature initially?

Sun, Sep 16, 6:37 PM · Security, Community-Tech-Sprint, Community-Tech, MediaWiki-extensions-ArticleCreationWorkflow
Bawolff moved T201492: Security review for FormWizard extension from Scheduled to In Progress on the Security-Reviews board.
Sun, Sep 16, 6:04 PM · FormWizard, Security-Reviews
Bawolff closed T177765: Security review of mediawiki-services-chromium-render as Resolved.

Approved, looks good.

Sun, Sep 16, 6:02 PM · Services (watching), Security-Reviews
Bawolff closed T177765: Security review of mediawiki-services-chromium-render, a subtask of T181084: [EPIC] Deploy the mediawiki-services-chromium-render service, as Resolved.
Sun, Sep 16, 6:02 PM · Readers-Web-Backlog (Readers-Web-Kanbanana-Board-2018-19-Q1), Readers-Web-Kanbanana-Board-Old, Proton, Epic

Fri, Sep 14

Bawolff added a comment to T21291: Mechanism to find usages of raw-html messages.

The PHP taint module seems like a reasonable tool, although I don't know how waterproof it is. We wouldn't have to require it, but we could support it if installed, and install it on Wikimedia and monitor the logs.

A more comprehensive solution would be to make message-retrieving functions not return raw strings, but rather some class like UntrustedString. This wouldn't auto-convert to a string, you'd have to convert it with escaping methods, like maybe ->forHTML() or ->forSQL() or such. We might not even have to have a method to get the raw string, unless there are valid use-cases. Then the only problem would be if someone writes code that escapes for the wrong type of output, like escaping for SQL then outputting as HTML. I'm not so worried about this getting past code review, but if we wanted extra safety, we could have UntrustedSQLString and so on that get passed around instead of strings, and have HTML output methods only accept raw strings or UntrustedHTMLStrings (and perhaps auto-escape plain UntrustedStrings, if we're in favor of being less explicit).

This is basically the same idea as Nikerabbit's patch, except using classes instead of mangling the strings, and I think it should be usable for production. Once we have such a mechanism in place, we can also use it for Request.

Fri, Sep 14, 6:34 PM · Patch-For-Review, Parsing-Team, MediaWiki-Parser
Bawolff added a comment to T204279: Fine-grained Sanitizer control.

The current PHP sanitizer mechanism seems to encourage extension authors to emit HTML (rather than wikitext) if they need access to elements which would otherwise be sanitized, and the HTML-output mode bypasses the sanitizer completely. That increases the burden of security review, since now every part of that extension could be an unwitting vector for evil user-generated HTML. If instead the extension output is *always* sanitized, and there are more fine-grained mechanisms to tunnel specific "allowed" features through the sanitizer, we can undertake more focused security reviews of a smaller trusted code base.

I'm not sure I agree with this assessment. I think the problem lies in the parser TagHook interface, which promotes outputting HTML, not the Sanitizer. Additionally, perhaps a culture of skipping the sanitization process entirely when needed, instead of skipping it on a fine-grained basis.

I'm not sure I see the practical difference between this proposal and having strip markers like we currently do. Arguably this proposal is more elegant in a way, as it doesn't rely on substitution but on nice DOM methods; however, at the end of the day, the result seems pretty similar.

Fri, Sep 14, 12:21 AM · Security, Parsing-Team, Parsoid
Bawolff added a comment to T204279: Fine-grained Sanitizer control.

The current PHP sanitizer mechanism seems to encourage extension authors to emit HTML (rather than wikitext) if they need access to elements which would otherwise be sanitized, and the HTML-output mode bypasses the sanitizer completely. That increases the burden of security review, since now every part of that extension could be an unwitting vector for evil user-generated HTML. If instead the extension output is *always* sanitized, and there are more fine-grained mechanisms to tunnel specific "allowed" features through the sanitizer, we can undertake more focused security reviews of a smaller trusted code base.

Fri, Sep 14, 12:19 AM · Security, Parsing-Team, Parsoid

Thu, Sep 13

Bawolff added a project to T176232: Unable to open Special:ProblemChanges due to SQL error (categorylinks.cl_from doesn't exist in table): Easy.
Thu, Sep 13, 3:42 PM · Easy, Wikimedia-production-error, MediaWiki-extensions-FlaggedRevs
Bawolff closed T195009: Cite extension does not pass phan-taint-check 1.2.0 as Resolved.
Thu, Sep 13, 7:33 AM · MW-1.32-release-notes (WMF-deploy-2018-09-18 (1.32.0-wmf.22)), Patch-For-Review, Cite, phan-taint-check-plugin
Bawolff closed T195009: Cite extension does not pass phan-taint-check 1.2.0, a subtask of T193909: update phan-taint-check to 1.2.0, as Resolved.
Thu, Sep 13, 7:33 AM · MW-1.32-release-notes (WMF-deploy-2018-05-08 (1.32.0-wmf.3)), Patch-For-Review, phan-taint-check-plugin
Bawolff added a comment to T203312: Add sniff that preg_quote should not be used with 1 argument.

FWIW, personally, I dislike the idea of using brackets as a delimiter. That seems confusing.

Thu, Sep 13, 7:29 AM · MediaWiki-Codesniffer
Bawolff created T204193: SecurePoll auth-api.php needs to be rewritten to be a normal api module.
Thu, Sep 13, 6:57 AM · Easy, MediaWiki-extensions-SecurePoll
Bawolff closed T203490: Blocked MobileFrontend merges: Calling method \ApiMobileView::parseSectionsData in \ApiMobileView::getData that is always unsafe as Resolved.
Thu, Sep 13, 3:32 AM · Patch-For-Review, MW-1.32-release-notes (WMF-deploy-2018-09-18 (1.32.0-wmf.22)), phan-taint-check-plugin

Wed, Sep 12

Bawolff added a comment to T151890: Publish an analysis of the suppression of selected user_properties in 11/2016.

To clarify some things:

Wed, Sep 12, 4:27 PM · Security, Cloud-Services
Bawolff added a comment to T151890: Publish an analysis of the suppression of selected user_properties in 11/2016.

If these user_properties actually were being used for malicious stalking, and there had been real cases where this was the root cause, then fine, let's say that and at least say how many incidents there have been. My guess, it's zero.

Wed, Sep 12, 3:29 PM · Security, Cloud-Services

Tue, Sep 11

Bawolff claimed T201492: Security review for FormWizard extension.
Tue, Sep 11, 7:59 PM · FormWizard, Security-Reviews
Bawolff closed T128334: Investigation: Make upload-by-URL whitelist not dependent on a configuration setting for Commons as Declined.

Hi. At this time we decided not to do this. We think having the whitelist reduces risk well while at the same time being not very annoying, as there is a relatively easy process to get config changes through.

Tue, Sep 11, 7:56 PM · MediaWiki-extensions-GWToolset, Multimedia, Security-Reviews, Commons
Bawolff claimed T202143: Security review for Guzzle 6.3.3.
Tue, Sep 11, 7:47 PM · User-Addshore, Security-Reviews, MediaWiki-Vendor
Bawolff closed T175160: Identify the source of WHOIS data, the retrieval method, and update frequency as Declined.

We're going to decline this for now. Please reopen once you have something more concrete for us to review.

Tue, Sep 11, 7:41 PM · Security-Reviews
Bawolff moved T175160: Identify the source of WHOIS data, the retrieval method, and update frequency from Backlog to Waiting/Blocked on the Security-Reviews board.
Tue, Sep 11, 7:40 PM · Security-Reviews
Bawolff claimed T200279: Security review for WikibaseMediaInfo.
Tue, Sep 11, 7:34 PM · Security-team-backlog, Security-Reviews
Bawolff moved T200279: Security review for WikibaseMediaInfo from Backlog to Scheduled on the Security-Reviews board.
Tue, Sep 11, 7:33 PM · Security-team-backlog, Security-Reviews
Bawolff moved T177765: Security review of mediawiki-services-chromium-render from Backlog to In Progress on the Security-Reviews board.
Tue, Sep 11, 7:23 PM · Services (watching), Security-Reviews
Bawolff moved T202143: Security review for Guzzle 6.3.3 from Backlog to Scheduled on the Security-Reviews board.
Tue, Sep 11, 7:18 PM · User-Addshore, Security-Reviews, MediaWiki-Vendor
Bawolff moved T202295: Security review major redesign of the TwoColConflict extension from Backlog to Scheduled on the Security-Reviews board.
Tue, Sep 11, 7:09 PM · Security-Reviews, Two-Column-Edit-Conflict-Merge, WMDE-QWERTY-Team, TCB-Team
Bawolff closed T203233: Security review Extension:Blackout as Declined.

Hi, we need agreement that this extension should be deployed before we will review it formally.

Tue, Sep 11, 7:07 PM · MediaWiki-extensions-Other, Security-Reviews
Bawolff closed T203233: Security review Extension:Blackout, a subtask of T203228: Review and deploy Blackout extension, as Declined.
Tue, Sep 11, 7:07 PM · MediaWiki-extensions-Other, Wikimedia-extension-review-queue, Wikimedia-Extension-setup
Bawolff added a comment to T202213: Empty strings in Chinese.

I suspect https://www.mediawiki.org/wiki/Extension:CLDR to be the extension that adds these links.

Tue, Sep 11, 5:42 PM · Patch-For-Review, Chinese-Sites, Timeless
Bawolff added a comment to T204016: ArticleCreationWorkflow does not actually enforce enwp's autoconfirmed requirement for page creation in the permission system.

Anyway, personally I think the various user rights exceptions with hooks are really confusing and getting out of hand. I think we should do things around "rights" and assign things to groups, for clarity's sake. So something (based on the viewdeletedfile right) along the lines of:

Tue, Sep 11, 5:08 AM · Security, Community-Tech-Sprint, Community-Tech, MediaWiki-extensions-ArticleCreationWorkflow
Bawolff added a comment to T204016: ArticleCreationWorkflow does not actually enforce enwp's autoconfirmed requirement for page creation in the permission system.

The extension isn't documented as restricting anything and doesn't hook into the MediaWiki permission system... so that seems to be working as intended? (It does have code to not give the redirect to some people, but that's not really documented as a security measure.)

Tue, Sep 11, 4:03 AM · Security, Community-Tech-Sprint, Community-Tech, MediaWiki-extensions-ArticleCreationWorkflow
Bawolff added a comment to T177765: Security review of mediawiki-services-chromium-render.

@Bawolff: How's this going? Sorry if I've missed an update elsewhere.

Tue, Sep 11, 3:45 AM · Services (watching), Security-Reviews

Mon, Sep 10

Bawolff added a comment to T189227: taint-checks for CentralAuth failing.

Xml::encodeJsCall() escapes its $args as JSON, not HTML directly, and outputs a snippet of JavaScript code. I don't know if "escapes HTML" is all that accurate;

Mon, Sep 10, 3:52 PM · MW-1.32-release-notes (WMF-deploy-2018-09-18 (1.32.0-wmf.22)), Patch-For-Review, phan-taint-check-plugin, MediaWiki-extensions-CentralAuth, Vuln-XSS, Security-Extensions, Security
Bawolff awarded T201203: blog.wikimedia.org loads external scripts a Heartbreak token.
Mon, Sep 10, 2:39 PM · Privacy, WMF-Blog-Social-Team, Wikimedia-Blog
Bawolff added a comment to T151890: Publish an analysis of the suppression of selected user_properties in 11/2016.

The bug is public now.

Mon, Sep 10, 1:55 PM · Security, Cloud-Services
Bawolff removed a project from T150679: Some Labs DB user_properties view fields are sensitive: Cloud-Services.
Mon, Sep 10, 1:45 PM · Vuln-Infoleak, Privacy, DBA, Toolforge, Security

Sun, Sep 9

Bawolff committed rERSE1e90b2b3a2b7: Restructure extension so parser cache can be used. (authored by Bawolff).
Restructure extension so parser cache can be used.
Sun, Sep 9, 7:38 PM
Bawolff added a comment to T203912: HotCat loads code that can be edited without editsitejs right.

It's a really common pattern to do <msg>/langcode. It's even supported by us if the msg is not a content language msg (which would be insane for a js msg).

Sun, Sep 9, 4:33 PM · Wikimedia-General-or-Unknown, JavaScript, Security
Bawolff committed rERSEc8c4a009878f: Restructure extension so parser cache can be used. (authored by Bawolff).
Restructure extension so parser cache can be used.
Sun, Sep 9, 5:42 AM
Bawolff committed rERSE37972fa2117f: Restructure extension so parser cache can be used. (authored by Bawolff).
Restructure extension so parser cache can be used.
Sun, Sep 9, 5:30 AM

Sat, Sep 8

Bawolff committed rERSE0c94dc3ee90f: Add support for fractional weights (authored by Bawolff).
Add support for fractional weights
Sat, Sep 8, 5:21 PM
Bawolff committed rERSEb09e40822c72: Add support for fractional weights (authored by Bawolff).
Add support for fractional weights
Sat, Sep 8, 5:21 PM
Bawolff updated subscribers of T203882: phan-taint-check false positive in Sudo extension.
Sat, Sep 8, 4:41 PM · phan-taint-check-plugin
Bawolff created T203884: HTMLForm multiselect with dropdown=>true seems to mishandle the default option treating the key as the value.
Sat, Sep 8, 4:38 PM · MediaWiki-HTMLForm, OOUI
Bawolff added a project to T203882: phan-taint-check false positive in Sudo extension: phan-taint-check-plugin.
Sat, Sep 8, 4:19 PM · phan-taint-check-plugin
Bawolff created T203882: phan-taint-check false positive in Sudo extension.
Sat, Sep 8, 4:18 PM · phan-taint-check-plugin
Bawolff added a comment to T203583: {{subst:REVISIONUSER}} no longer substitutes into the current user name, but the username of the last revision .

@Tgr agreed, but I was assuming @Bawolff's issue was just a risk, not an actual vulnerability; I was just putting forward a strawman guess at what he was thinking. Maybe @Bawolff can create a new issue for the privacy risk (security-tagged if it's a vulnerability), and we can discuss whether or how we might mitigate them or deprecate the REVISION* magic words independent of this particular MCR regression.

Sat, Sep 8, 2:23 PM · MW-1.32-release-notes (WMF-deploy-2018-09-04 (1.32.0-wmf.20)), User-notice, Patch-For-Review, Multi-Content-Revisions (MCR-SDC File Caption Support - phase 2), Regression, MediaWiki-Parser, MediaWiki-Page-editing
Bawolff added a comment to T203435: 'cryptography' dependency reported as vulnerable.

Thanks @Dalba.

@Aklapper Can you make this task visible, now that it is resolved?

Thanks.

Sat, Sep 8, 2:15 PM · Pywikibot-core, Security
Bawolff changed the visibility for T203435: 'cryptography' dependency reported as vulnerable.
Sat, Sep 8, 2:14 PM · Pywikibot-core, Security
Bawolff closed T203346: phan-taint-check-plugin failing for Renameuser extension as Resolved.

Yes. I imagine that LibraryUpgrader will get to it in short order.

Sat, Sep 8, 3:21 AM · Patch-For-Review, MediaWiki-extensions-Renameuser, phan-taint-check-plugin
Bawolff closed T203281: phan-taint-check regression in LiquidThreads as Resolved.

This was fixed by suppressing the errors. See T203690.

Sat, Sep 8, 3:20 AM · MediaWiki-extensions-LiquidThreads, phan-taint-check-plugin
Bawolff removed a project from T133664: Statically analyse MinervaNeue codebases with Phan: phan-taint-check-plugin.

It appears that phan-taint-check is voting on MinervaNeue, so removing that project from this bug.

Sat, Sep 8, 2:39 AM · Readers-Web-Backlog (Tracking), Technical-Debt (RW-Tech-Debt), MobileFrontend
Bawolff added a comment to T202386: Add phan-taint-check-plugin to FundraisingEmailUnsubscribe extension.

Huh. Currently failing due to:
Package mediawiki/phan-taint-check-plugin at version 1.5.0 has a PHP requirement incompatible with your PHP version (5.6.33)

Sat, Sep 8, 2:34 AM · Patch-For-Review, Fundraising-Backlog, MediaWiki-extensions-Other, phan-taint-check-plugin
Bawolff added a comment to T202384: Add phan-taint-check-plugin to DonationInterface extension.

It seems like it is mostly failing on double escaping in debug related code:

./gateway_common/GatewayPage.php:271 SecurityCheck-DoubleEscaped Calling method \Html::element() in \GatewayPage::displayResultsForDebug that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Html::element) (Caused by: ./gateway_common/GatewayPage.php +270)
./gateway_common/GatewayPage.php:283 SecurityCheck-DoubleEscaped Calling method \Html::element() in \GatewayPage::displayResultsForDebug that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Html::element) (Caused by: ./gateway_common/GatewayPage.php +282; ./gateway_common/GatewayPage.php +282)
./gateway_common/GatewayPage.php:287 SecurityCheck-DoubleEscaped Calling method \Html::element() in \GatewayPage::displayResultsForDebug that outputs using tainted argument $[arg #3]. (Caused by: Builtin-\Html::element) (Caused by: ./gateway_common/GatewayPage.php +279; ./gateway_common/GatewayPage.php +279)
./gateway_common/GatewayPage.php:308 SecurityCheck-DoubleEscaped Calling method \Html::element() in \GatewayPage::displayResultsForDebug that outputs using tainted argument $val. (Caused by: Builtin-\Html::element) (Caused by: ./gateway_common/GatewayPage.php +307)
./globalcollect_gateway/globalcollect_gateway.body.php:82 SecurityCheck-DoubleEscaped Calling method \htmlspecialchars() in \GlobalCollectGateway::displayBankTransferInformation that outputs using tainted argument $[arg #1]. (Caused by: ./globalcollect_gateway/globalcollect_gateway.body.php +57)
./globalcollect_gateway/globalcollect_gateway.body.php:136 SecurityCheck-DoubleEscaped Calling method \htmlspecialchars() in \GlobalCollectGateway::displayOnlineBankTransferInformation that outputs using tainted argument $[arg #1]. (Caused by: ./globalcollect_gateway/globalcollect_gateway.body.php +117)
Sat, Sep 8, 2:23 AM · Patch-For-Review, Fundraising-Backlog, MediaWiki-extensions-DonationInterface, phan-taint-check-plugin
Bawolff closed T201987: Make IDatabase::makeList safe for phan-taint-check-plugin as Resolved.
Sat, Sep 8, 12:48 AM · Patch-For-Review, phan-taint-check-plugin

Fri, Sep 7

Bawolff closed T201902: Make taint-check-plugin known about HTMLInfoField 'rawrow' option as Resolved.
Fri, Sep 7, 7:21 PM · Patch-For-Review, phan-taint-check-plugin
Bawolff closed T201811: Make Pager::getNavigationBar safe for phan-taint-check-plugin as Resolved.
Fri, Sep 7, 7:20 PM · Patch-For-Review, phan-taint-check-plugin
Bawolff closed T201811: Make Pager::getNavigationBar safe for phan-taint-check-plugin, a subtask of T202375: Add phan-taint-check-plugin to FlaggedRevs extension, as Resolved.
Fri, Sep 7, 7:20 PM · MW-1.32-release-notes (WMF-deploy-2018-09-18 (1.32.0-wmf.22)), Patch-For-Review, MediaWiki-extensions-FlaggedRevs, phan-taint-check-plugin
Bawolff added a comment to T203822: Consider adding .mw-wiki-logo {background-size: 135px} to skin CSS.

Interesting. TIL that not all the logos are the same size. The docs (in includes/DefaultSettings.php) do say "The logo size should be 135x135 pixels", but I guess that's not true in practice.

Fri, Sep 7, 6:51 PM · CSS, MediaWiki-Interface
Bawolff added a comment to T202675: Request creation of antiharassment VPS project.

The name comes from The Good Place, which, if you have seen the show, is a fitting name for the work we are doing (if you haven't, I won't spoil it for you). This also seemed like something more fun than "aht" or its derivatives. :)

Fri, Sep 7, 5:57 PM · cloud-services-team (Kanban), Cloud-VPS (Project-requests)
Bawolff renamed T203822: Consider adding .mw-wiki-logo {background-size: 135px} to skin CSS from Consider adding .mw-wiki-logo {background-size: contain} to skin CSS to Consider adding .mw-wiki-logo {background-size: 135px} to skin CSS.
Fri, Sep 7, 5:53 PM · CSS, MediaWiki-Interface
Bawolff added a comment to T203822: Consider adding .mw-wiki-logo {background-size: 135px} to skin CSS.

Actually we probably don't want background-size:contain, because the a.mw-wiki-logo has a size of 160x160, but logos are supposed to be 135x135 (I think).

Fri, Sep 7, 5:42 PM · CSS, MediaWiki-Interface
Bawolff created T203822: Consider adding .mw-wiki-logo {background-size: 135px} to skin CSS.
Fri, Sep 7, 5:25 PM · CSS, MediaWiki-Interface
Bawolff committed rERSE69b2afb75801: Add support for fractional weights (authored by Bawolff).
Add support for fractional weights
Fri, Sep 7, 2:46 AM
Bawolff added a comment to T203733: Extension:NoCat isn't setting up ParserOutputHook properly.

[I didn't actually test, but when I copied it into the other extension I was working on, the code didn't work]

Fri, Sep 7, 1:36 AM · MediaWiki-extensions-Other, Easy
Bawolff created T203733: Extension:NoCat isn't setting up ParserOutputHook properly.
Fri, Sep 7, 1:35 AM · MediaWiki-extensions-Other, Easy

Thu, Sep 6

Bawolff created T203726: Privacy policy FAQ links to https://bits.wikimedia.org/geoiplookup which is long dead.
Thu, Sep 6, 11:58 PM · WMF-Legal, Privacy
Bawolff added a comment to T203690: phan-taint-check-plugin failing for LiquidThreads extension.

Leaving this bug open as there were additional failures I suppressed. They seemed reasonable, except they don't show up when I run tests locally, so I have to figure out what's going on there...

Thu, Sep 6, 10:20 PM · MW-1.32-release-notes (WMF-deploy-2018-09-18 (1.32.0-wmf.22)), phan-taint-check-plugin, MediaWiki-extensions-LiquidThreads
Bawolff closed T203657: phan-taint-check should avoid false positives with getQueryInfo() methods as Resolved.
Thu, Sep 6, 9:33 PM · Patch-For-Review, phan-taint-check-plugin
Bawolff added a comment to T203583: {{subst:REVISIONUSER}} no longer substitutes into the current user name, but the username of the last revision .

As an aside, it's too bad we can't kill this behaviour. It's a privacy risk.

In preview or on save or both? I doubt that removal of this behaviour in previews would’ve been noticed, but most people would expect and find useful to have this feature working when saving.

Thu, Sep 6, 7:07 PM · MW-1.32-release-notes (WMF-deploy-2018-09-04 (1.32.0-wmf.20)), User-notice, Patch-For-Review, Multi-Content-Revisions (MCR-SDC File Caption Support - phase 2), Regression, MediaWiki-Parser, MediaWiki-Page-editing
Bawolff added a comment to T203583: {{subst:REVISIONUSER}} no longer substitutes into the current user name, but the username of the last revision .

As an aside, it's too bad we can't kill this behaviour. It's a privacy risk.

Thu, Sep 6, 6:19 PM · MW-1.32-release-notes (WMF-deploy-2018-09-04 (1.32.0-wmf.20)), User-notice, Patch-For-Review, Multi-Content-Revisions (MCR-SDC File Caption Support - phase 2), Regression, MediaWiki-Parser, MediaWiki-Page-editing
Bawolff created T203657: phan-taint-check should avoid false positives with getQueryInfo() methods.
Thu, Sep 6, 12:22 PM · Patch-For-Review, phan-taint-check-plugin
Bawolff created T203655: LogFormatter::getIRCActionText() incorrectly escaping messages.
Thu, Sep 6, 12:12 PM · MediaWiki-Recent-changes, MediaWiki-Logging, I18n, Growth-Team
Bawolff added a comment to T167762: Split core en.json to several files.

Thanks for the comment! If I understand correctly, this sounds sensible, but I'm really not familiar with this. Who is developing it? (You?)

Thu, Sep 6, 12:02 PM · Patch-For-Review, translatewiki.net, MediaWiki-Internationalization, I18n
Bawolff added a comment to T167762: Split core en.json to several files.

Change 458165 had a related patch set uploaded (by Amire80; owner: Amire80):
[mediawiki/core@master] WIP Move exif messages to a separate i18n file

https://gerrit.wikimedia.org/r/458165

Thu, Sep 6, 11:40 AM · Patch-For-Review, translatewiki.net, MediaWiki-Internationalization, I18n
Bawolff created T203652: Fix caused-by lines in phan-taint-check.
Thu, Sep 6, 11:38 AM · phan-taint-check-plugin
Bawolff created T203651: Optimize phan-taint-check speed.
Thu, Sep 6, 11:37 AM · phan-taint-check-plugin
Bawolff added a comment to T203630: Configure CI to run phan-taint-check-plugin for MediaWiki core.

There are still quite a few false positives to sort out, but it's starting to get more manageable.

Thu, Sep 6, 11:34 AM · Continuous-Integration-Config, MediaWiki-Core-Tests, phan-taint-check-plugin
Bawolff added a comment to T203490: Blocked MobileFrontend merges: Calling method \ApiMobileView::parseSectionsData in \ApiMobileView::getData that is always unsafe.

Immediate issue resolved. The bug remains.
Thanks for the pointer @Bawolff!

Thu, Sep 6, 12:20 AM · Patch-For-Review, MW-1.32-release-notes (WMF-deploy-2018-09-18 (1.32.0-wmf.22)), phan-taint-check-plugin
Bawolff closed T202112: phan-taint-check-plugin false positive in AuthenticationRequest due to HTMLForm confusion as Resolved.
Thu, Sep 6, 12:19 AM · Patch-For-Review, MediaWiki-Authentication-and-authorization, phan-taint-check-plugin
Bawolff added a comment to T201987: Make IDatabase::makeList safe for phan-taint-check-plugin.

It seems like there is still a problem when using things like $dbr->makeList( [ 'foo' => [ $evil1, $evil2 ] ], LIST_AND ); which should be safe (see Block.php in core).

Thu, Sep 6, 12:16 AM · Patch-For-Review, phan-taint-check-plugin
Bawolff closed T203308: phan-taint-check sometimes can't tell that the third arg to a tag hook is a Parser object unless there is a type hint as Resolved.
Thu, Sep 6, 12:12 AM · Patch-For-Review, phan-taint-check-plugin

Wed, Sep 5

Bawolff added a comment to T203179: Sort out HTTP caching issues for fixcopyright wiki.

However, if we use ULS to set the language, the assumption might be that people will touch the language selector rarely, so it's not a common case to get to the other URL.

Wed, Sep 5, 9:35 PM · fixcopyright.wikimedia.org, MW-1.32-release-notes (WMF-deploy-2018-09-04 (1.32.0-wmf.20)), Patch-For-Review, Traffic, Operations
Bawolff added a comment to T202181: [Spike 4 hours] Investigate the work involved in defaulting SVGs to show wiki language if available.

Mostly: @kaldari is correct in T202181#4511685. Note that the RL SVG handling is a separate subsystem (which is a bit confusing) that is not used for user SVGs.

Wed, Sep 5, 9:27 PM · SVG Translate Tool, Community-Tech-Sprint, Spike, Commons, Community-Tech
Bawolff added a comment to T203179: Sort out HTTP caching issues for fixcopyright wiki.

Varnish seems to be caching it fine (assuming you don't have cookies, which I imagine pretty much nobody would, as it's not SUL). However, if you use the language selector you end up at https://fixcopyright.wikimedia.org/wiki/Fix_copyright?title=Fix_copyright&uselang=fr which seems to have an X-Cache-Status of pass, so I guess that is not Varnish cached.

Wed, Sep 5, 9:14 PM · fixcopyright.wikimedia.org, MW-1.32-release-notes (WMF-deploy-2018-09-04 (1.32.0-wmf.20)), Patch-For-Review, Traffic, Operations
Bawolff added a comment to T203179: Sort out HTTP caching issues for fixcopyright wiki.

Great :) And the special page TTL was fixed in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/EUCopyrightCampaign/+/457097 to be 24h.

Wed, Sep 5, 9:09 PM · fixcopyright.wikimedia.org, MW-1.32-release-notes (WMF-deploy-2018-09-04 (1.32.0-wmf.20)), Patch-For-Review, Traffic, Operations
Bawolff added a comment to T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki.

There seems to be quite a bit of activity on this, but the RFC is still tagged as "under discussion". As far as I know, some parts of the RFC were approved, while others were still being discussed. What's the status here? What remains to be done? What are the plans? Is this ready for a final discussion?

Wed, Sep 5, 8:11 PM · TechCom-RFC (TechCom-Approved), Patch-For-Review, Core-Platform-Team, Epic, Security-Team
Bawolff added a comment to T203095: Security review of EU copyright stuff.

Ok. So I made 2 patches. Provided that those are merged, this is approved subject to the following:

Wed, Sep 5, 2:53 PM · fixcopyright.wikimedia.org, Patch-For-Review, Security-Team, Security-Reviews
Bawolff added a comment to T203095: Security review of EU copyright stuff.

@Bawolff Thanks for working on this. For the purpose of coordinating our announcement, what is the estimated time this will be done tomorrow morning?

Wed, Sep 5, 1:40 AM · fixcopyright.wikimedia.org, Patch-For-Review, Security-Team, Security-Reviews