Bawolff (Brian Wolff)
User

User Details

User Since
Oct 25 2014, 1:53 AM (138 w, 6 d)
Availability
Available
LDAP User
Brian Wolff
MediaWiki User
Bawolff

Recent Activity

Wed, Jun 21

Bawolff added a comment to T160529: Sender email spoofing.

So I guess someone is sending spam subject lines to wikimedia-gh, with a forged from address of wikimedia-co@lists.wikimedia.org, in order for the mailing list software to resend the spam in the form of a pending moderation message. That's a really cute trick.

Wed, Jun 21, 7:03 AM · Security, Operations, Mail, Wikimedia-Mailing-lists

Mon, Jun 19

Bawolff added a comment to T168305: If you delete an account with user merge and delete - merging to Anonoymous, the user creation log shows it as if you're creating an IP.

Yes it was my ip.

Mon, Jun 19, 11:36 PM · MediaWiki-extensions-UserMerge
Bawolff created T168305: If you delete an account with user merge and delete - merging to Anonoymous, the user creation log shows it as if you're creating an IP.
Mon, Jun 19, 2:57 PM · MediaWiki-extensions-UserMerge
Bawolff added a comment to T152297: Add state or city level geotargeting to CentralNotice.

I'm not actually sure if it comes from the MaxMind db, and if so what db, but if it does - https://www.maxmind.com/en/geoip2-city-database-accuracy gives some accuracy numbers. Although that's averages per country, I imagine major urban centers are much more accurate than rural places.

Mon, Jun 19, 1:29 PM · Fundraising-Backlog, MediaWiki-extensions-CentralNotice, Privacy
Bawolff added a comment to T152297: Add state or city level geotargeting to CentralNotice.

Do we know how accurate the data is for different countries? What level of
false positives would we be looking at?

Seddon

Mon, Jun 19, 1:25 PM · Fundraising-Backlog, MediaWiki-extensions-CentralNotice, Privacy
Bawolff added a comment to T165540: Add CODE_OF_CONDUCT.md to Wikimedia repositories.

@Bawolff do you think that has been resolved now that a notification was sent to wikitech-l or should there be more / elsewhere?

Mon, Jun 19, 1:14 PM · MW-1.30-release-notes (WMF-deploy-2017-06-13_(1.30.0-wmf.5)), Patch-For-Review, Repository-Admins, Gerrit, GitHub-Mirrors, Developer-Relations
Bawolff added a comment to T152297: Add state or city level geotargeting to CentralNotice.

The geoip cookie already records the city (and a lat/long), so the data is already there.

Mon, Jun 19, 12:24 PM · Fundraising-Backlog, MediaWiki-extensions-CentralNotice, Privacy
Bawolff added a comment to T165540: Add CODE_OF_CONDUCT.md to Wikimedia repositories.

This discussion has become hard to follow, so I'll try to summarize:

  • there was lots of debate over whether adding CODE_OF_CONDUCT.md to (almost) every repo is a good or bad idea. Quick tally: 16 were for it (I'm also counting people who awarded tokens), 10 against. (There were maybe half a dozen comments which could be read as implicitly implying one or the other; I tried to err on the side of not overinterpreting and did not count those.) So there was consensus to add the files, although not an overwhelming one. Several people pointed out though that adding the file would be weird or harmful for certain deployment-related repos (such as Debian packaging repos). So we should keep the files which have been added, and probably add CoC files to the other repos as well, as long as we can avoid build/deployment type repos.
  • several people objected against pushing directly to the repo (and thus not leaving an audit trail in gerrit). Several other people objected against using gerrit changesets which would cause a torrent of notification mails, and DoS Jenkins with pointless build jobs. Nobody objected to Chad's proposal in T165540#3316733 to use auto-merge so I am assuming that's the consensus approach.
  • some argued against using markdown, or a long filename, but neither opinion was popular.
Mon, Jun 19, 12:09 PM · MW-1.30-release-notes (WMF-deploy-2017-06-13_(1.30.0-wmf.5)), Patch-For-Review, Repository-Admins, Gerrit, GitHub-Mirrors, Developer-Relations
Bawolff added a comment to T167400: Disable serving unpatrolled new files to Wikipedia Zero users.

re: the file header, I'm assuming it'd be set for both the original and carried over to thumbnails, and purged from all once the file is patrolled.

Mon, Jun 19, 10:04 AM · Operations, Traffic, media-storage, Commons, Multimedia, Zero

Sat, Jun 17

Bawolff added a comment to T167400: Disable serving unpatrolled new files to Wikipedia Zero users.

Unless Commons have a lot of new file patrollers who really mark new files as patrolled when they are finished reviewing (which I see is not the case), I wouldn't support Bawolff's counter-proposal.

Sat, Jun 17, 5:12 AM · Operations, Traffic, media-storage, Commons, Multimedia, Zero

Fri, Jun 16

Bawolff added a comment to T167400: Disable serving unpatrolled new files to Wikipedia Zero users.

Wikipedia Zero traffic is tied to IP addresses, not users. So it definitely could be performant. Have MediaWiki set an unpatrolled header and purge on patrol. Then (somehow) configure Varnish to understand WP0 IP ranges and block if the unpatrolled header is set.

So the idea would be:

  • MediaWiki sets something along the lines of MediaWiki-patrol-status: unpatrolled in File::getContentHeaders()
  • Varnish looks for that header when getting files from swift. If the file is unpatrolled, and (maybe) it's above a certain size, and the IP address is Zero-rated: give a 403. Also make sure that cache varying is set for unpatrolled files based on Zero-ratedness of IP.
  • On patrol, MediaWiki makes swift backend remove the header, and sends purge to varnish.

    Downsides: If anyone using a zero-rated connection is a file patroller, they won't be able to see the file.

Why restrict this mechanism to Zero, making Zero different from other access? We could instead deny access to unpatrolled files for users that aren't logged-in. This would fix the problem at a broader scope re: copy- and other vio content spreading widely before patrolling, since the vast majority of readers are anonymous. Because Patrollers would have accounts, it eliminates that downside as well. This counter-proposal faces a few distinct problem areas of its own, though:

  1. I don't know off the top of my head, but there might be complications around CentralAuth and cross-wiki auth/session tokens. If a user has only logged in via enwiki, then sends a request to upload.wikimedia.org for a multimedia file which might be embedded, does that request always send some kind of validate-able CentralAuth session/token information?
  2. Currently Varnish's notion of logged-in-ness is very naive - it just looks for a seemingly valid Cookie, and could easily be faked by sending bogus Cookie values. I think this is still sufficient for the majority case though (anon users that don't understand how to set custom cookies or headers to evade our checks). We've talked before (for many other reasons than this particular case) about having varnish sign the outbound session cookie values to validate them in a distributed fashion (it would reject invented ones and strip its signature from valid ones before forwarding on to MW), but that's probably pretty far down our technical roadmap at present.

    Back to the meat of the proposal, though: we can do something similar to what you're describing, but not directly via actual cache hash/vary mechanisms. It's only possible to Vary a cache on attributes of a request, not attributes of a response. Thus, it's possible to vary on "Is this a Zero user?" and similarly "Is this a logged-in user?", but it's not possible to sanely vary on "What value is Swift currently sending in the MediaWiki-patrol-status: header of this response?". What we can do is explicitly and dynamically block the response with a 403 under those conditions, something like this pseudocode:

    ```vcl
    sub just_before_final_content_delivery_to_user {
        // If response data is unpatrolled, deny access to Zero users
        if (resp.http.MediaWiki-patrol-status != "patrolled" && req.http.X-Carrier) {
            return (synth(403, "Access denied"));
        }
    }
    ```

    However, this carries the caveat that there's no explicit realtime update to the patrol status of a cached file. The first time any user fetches the file through a given cache (regardless of Zero status), the file will be loaded into cache and kept, and the code above simply masks the response to the user when appropriate. Therefore, we'd also need to trigger a cache invalidation on the file when the patrolled status changes, just like we would on content replacement. Otherwise the initial unpatrolled state will persist too long in the cache. We could perhaps hack around that a bit by giving unpatrolled files a shorter TTL cap (e.g. 10 minutes instead of the usual 24h), but invalidate-on-patrol would be much cleaner and saner.
Fri, Jun 16, 7:18 PM · Operations, Traffic, media-storage, Commons, Multimedia, Zero

Thu, Jun 15

Bawolff added a comment to T167947: Allow searching for similar images on Commons via perceptual hashes.

Maybe dupe of T121797?

Thu, Jun 15, 11:54 AM · MediaWiki-File-management, Multimedia, Commons
Bawolff renamed T167947: Allow searching for similar images on Commons via perceptual hashes from Create an ImageHash for all Commons images to Allow searching for similar images on Commons via perceptual hashes.
Thu, Jun 15, 11:52 AM · MediaWiki-File-management, Multimedia, Commons
Bawolff added a comment to T167947: Allow searching for similar images on Commons via perceptual hashes.

A bigger question is where to store the hashes. Usually perceptual hashes are compared using hamming distance. This is sort of inefficient to do in a traditional mysql database. I remember years ago that manybubbles talked about how it would make sense to use elasticsearch as the storage backend for image similarity, so it'd probably be useful to look into that direction.

Thu, Jun 15, 11:51 AM · MediaWiki-File-management, Multimedia, Commons
Bawolff added a comment to T167400: Disable serving unpatrolled new files to Wikipedia Zero users.

Wikipedia Zero traffic is tied to IP addresses, not users. So it definitely could be performant. Have MediaWiki set an unpatrolled header and purge on patrol. Then (somehow) configure Varnish to understand WP0 IP ranges and block if the unpatrolled header is set.

Thu, Jun 15, 6:54 AM · Operations, Traffic, media-storage, Commons, Multimedia, Zero
Bawolff added a comment to T167060: en.wiki domain owned by us, but isn't hosted by us??.

Oh, I see, the A record points to a page which is hosted by the registrar for .wiki (who happens to use AWS; I didn't originally think of navigating to 54.148.61.160 to find out more info...), so it's essentially some domain parking service that redirects to our site.

Thu, Jun 15, 12:18 AM · Operations, Traffic, DNS
Bawolff added a comment to T167060: en.wiki domain owned by us, but isn't hosted by us??.

Hmm. W.wiki seems to be similar in that we own the domain but the A record points to AWS. It has the additional interesting thing in that it's included in the subject alt name of our main certificate.

Thu, Jun 15, 12:10 AM · Operations, Traffic, DNS

Wed, Jun 14

Bawolff added a comment to T165860: Request for +2 rights on mediawiki/* for Ladsgroup.

I'm not happy about how T165540: Add CODE_OF_CONDUCT.md to Wikimedia repositories was handled, though it's weirdly a case of not using +2 and instead bypassing Gerrit altogether, which for some reason is apparently possible.

Wed, Jun 14, 2:21 AM · Release-Engineering-Team (Kanban), Repository-Ownership-Requests

Tue, Jun 13

Bawolff added a comment to T167812: TemplateStyles HTML injection.
  • css-sanitizer:
  • TemplateStyles:
Tue, Jun 13, 7:48 PM · Patch-For-Review, TemplateStyles, Security
Bawolff added a comment to T167812: TemplateStyles HTML injection.

I thought this would have been dealt with by T133147

Tue, Jun 13, 6:39 PM · Patch-For-Review, TemplateStyles, Security

Mon, Jun 12

Bawolff added a comment to T162823: Changing the alphabetical sorting (collation) @ ba.wikipedia.org.

The cl_from entries in those pages are missing (i.e. no page table entry) e.g. https://ba.wikipedia.org/w/index.php?curid=122102&uselang=en gives a badtitle error.

Mon, Jun 12, 6:42 PM · Wikimedia-Site-requests, MW-1.30-release-notes (WMF-deploy-2017-05-23_(1.30.0-wmf.2)), MediaWiki-Internationalization, I18n
Bawolff added a comment to T162823: Changing the alphabetical sorting (collation) @ ba.wikipedia.org.

Is this query from labs replica or actual db? In the past labs replicas have had replication issues related to DELETEs on categorylinks table that cause it to retain old rows that aren't really there.

Mon, Jun 12, 6:04 PM · Wikimedia-Site-requests, MW-1.30-release-notes (WMF-deploy-2017-05-23_(1.30.0-wmf.2)), MediaWiki-Internationalization, I18n
Bawolff added a comment to T139110: uca-fa collation shows pages starting with ا incorrectly under ء.

fawikisource has some left over:

[fawikisource]> SELECT cl_collation,count(*) FROM categorylinks GROUP BY cl_collation;
+--------------+----------+
| cl_collation | count(*) |
+--------------+----------+
| uca-fa       |       12 |
| xx-uca-fa    |    53010 |
+--------------+----------+
2 rows in set (0.03 sec)

We would probably want to switch fawikivoyage which currently uses uppercase as a collation.

Mon, Jun 12, 6:01 PM · MW-1.30-release-notes, MW-1.29-release-notes, MW-1.28-release-notes, Patch-For-Review, MediaWiki-Categories, MediaWiki-Internationalization

Fri, Jun 9

Bawolff updated subscribers of T165540: Add CODE_OF_CONDUCT.md to Wikimedia repositories.

Instead people are hastily and haphazardly spamming this file to repositories, bypassing Gerrit and other normal approval processes. This is unacceptable.

Point of clarification: this is acceptable. It's what I told people to do when questioned about the best way to do it. I said to push to Gerrit (not directly pushing) and setting them to auto-submit. The changes are all still in gerrit, they just didn't wait for someone to come along and +2. That would've been an even bigger waste of time.

Fri, Jun 9, 7:50 PM · MW-1.30-release-notes (WMF-deploy-2017-06-13_(1.30.0-wmf.5)), Patch-For-Review, Repository-Admins, Gerrit, GitHub-Mirrors, Developer-Relations
Bawolff added a comment to T162771: Zerowiki is broken by <html> filtering.

I checked and there is a problem with the testing timer. I'm attaching a screenshot. If you need credentials to access, please contact me outside of Phabricator.

Fri, Jun 9, 7:36 PM · Zero, Security
Bawolff added a comment to T165540: Add CODE_OF_CONDUCT.md to Wikimedia repositories.

I know everyone is tired of discussing the code of conduct, but for non-Wikimedia repos hosted in gerrit, I think it would have been more appropriate to have a mailing list discussion before force merging a code of conduct doc into such repos.

Fri, Jun 9, 6:43 PM · MW-1.30-release-notes (WMF-deploy-2017-06-13_(1.30.0-wmf.5)), Patch-For-Review, Repository-Admins, Gerrit, GitHub-Mirrors, Developer-Relations
Bawolff added a comment to T162771: Zerowiki is broken by <html> filtering.

ping @DFoy : Everything look good? this has been live for a couple weeks now.

Fri, Jun 9, 5:20 PM · Zero, Security

Thu, Jun 8

Bawolff added a comment to T167038: Move most of MediaWiki within a /core folder.

Do we really want to imply to the user that they can just replace the core/ directory? What if we add a new php entry point? Will this make (tarball) users less likely to upgrade skins/ and extensions/?

Thu, Jun 8, 6:34 PM · ArchCom-RfC, MediaWiki-General-or-Unknown

Tue, Jun 6

Bawolff added a comment to T167216: $wgResourceModuleSkinStyles customizations are not being applied for Vector because MobileFrontend accidentally overrides them.

That's odd. Looks like the skin specific styles for vector are not loading.

Tue, Jun 6, 9:54 PM · MW-1.30-release-notes (WMF-deploy-2017-06-06_(1.30.0-wmf.4)), Reading-Web-Kanban-Board, Unplanned-Sprint-Work, Reading-Web-Backlog, Patch-For-Review, MobileFrontend

Mon, Jun 5

Bawolff created T167064: telnet gateway broken (unable to fetch articles).
Mon, Jun 5, 8:21 PM · Labs-project-other
Bawolff added a comment to T133408: Security review of TemplateStyles.

T40848

Is this referring to a Phabricator task?

Mon, Jun 5, 8:10 PM · Patch-For-Review, Reading-Admin, Security-Reviews, TemplateStyles
Bawolff created T167060: en.wiki domain owned by us, but isn't hosted by us??.
Mon, Jun 5, 7:53 PM · Operations, Traffic, DNS
Bawolff moved T133408: Security review of TemplateStyles from In Progress to Done on the Security-Reviews board.

Sorry this took so long. I think this is good to go.

Mon, Jun 5, 8:53 AM · Patch-For-Review, Reading-Admin, Security-Reviews, TemplateStyles
Bawolff added a comment to T13106: Enable customizing of CSS values filter.

Note that an alternative fix for this issue may come in the form of the TemplateStyles extension.

Mon, Jun 5, 8:46 AM · CSS, MediaWiki-Parser

Wed, May 31

Bawolff added a comment to T133408: Security review of TemplateStyles.

Just as an update, this is almost done and will be finished by the end of the week

Wed, May 31, 6:21 PM · Patch-For-Review, Reading-Admin, Security-Reviews, TemplateStyles
Bawolff awarded T164898: PostgreSQL schema change for consistency with MySQL a Like token.
Wed, May 31, 5:00 PM · ArchCom-RfC, Technical-Debt, MediaWiki-Platform-Team, PostgreSQL

Mon, May 29

Bawolff added a comment to T139110: uca-fa collation shows pages starting with ا incorrectly under ء.

Change 354598 merged by jenkins-bot:
[mediawiki/core@master] Hack around icu breakage for fa sorting

https://gerrit.wikimedia.org/r/354598

@Bawolff If at all convenient, please do add tests for this.

Mon, May 29, 4:24 PM · MW-1.30-release-notes, MW-1.29-release-notes, MW-1.28-release-notes, Patch-For-Review, MediaWiki-Categories, MediaWiki-Internationalization

May 23 2017

Bawolff added a comment to T139110: uca-fa collation shows pages starting with ا incorrectly under ء.

I suppose we need to run the updateCollation.php script on beta now to verify?

May 23 2017, 12:45 PM · MW-1.30-release-notes, MW-1.29-release-notes, MW-1.28-release-notes, Patch-For-Review, MediaWiki-Categories, MediaWiki-Internationalization

May 22 2017

Bawolff added a member for Vuln-Infoleak: Bawolff.
May 22 2017, 7:25 PM
Qgil awarded T163487: Newsletter extension should use phpcs to enforce mediawiki coding standards. a Party Time token.
May 22 2017, 4:53 PM · Patch-For-Review, MediaWiki-extensions-Newsletter

May 21 2017

Bawolff added a comment to T115095: Security review of Newsletter extension.

It looks like as of the hackathon all of this is done (Yay!). I'm leaving this open because I'm going to do a quick double check of the fixes later this week, but this bug is essentially done :D

May 21 2017, 5:27 PM · Patch-For-Review, Security-Team, Wikimedia-Hackathon-2016, Security-Reviews, MediaWiki-extensions-Newsletter
Bawolff added a comment to T165234: Navigation buttons on Special:Newsletter (when more than 60 newsletters) fatal .

I can't for the life of me figure out how this could have happened

#0 /var/www/core/core/includes/libs/rdbms/TransactionProfiler.php(218): Wikimedia\Rdbms\TransactionProfiler->reportExpectationViolated('writes', 'query-m: REPLAC...')

May 21 2017, 8:38 AM · Patch-For-Review, MediaWiki-extensions-Newsletter
Bawolff updated subscribers of T165234: Navigation buttons on Special:Newsletter (when more than 60 newsletters) fatal .

Maybe it's just localization cache screwing with the no-writes in read access requests, transaction profiler thingy.

May 21 2017, 6:38 AM · Patch-For-Review, MediaWiki-extensions-Newsletter

May 20 2017

Bawolff committed rECKT9d5d29a0e0aa: Fix edit conflict handling in lists. (authored by Bawolff).
Fix edit conflict handling in lists.
May 20 2017, 5:55 PM
Bawolff committed rECKT34a62b6549a9: Fix edit conflict handling in lists. (authored by Bawolff).
Fix edit conflict handling in lists.
May 20 2017, 5:51 PM
Bawolff committed rECKTb855d20a9fb3: Fix edit conflict handling in lists. (authored by Bawolff).
Fix edit conflict handling in lists.
May 20 2017, 5:48 PM
Bawolff committed rECKTe87716195a43: Fix edit conflict handling in lists. (authored by Bawolff).
Fix edit conflict handling in lists.
May 20 2017, 5:16 PM
Bawolff added a comment to T165860: Request for +2 rights on mediawiki/* for Ladsgroup.

+1

May 20 2017, 10:55 AM · Release-Engineering-Team (Kanban), Repository-Ownership-Requests
Bawolff committed rECKT8094b3a7c857: Assign column-agnostic UID to individual list entries (authored by Harej).
Assign column-agnostic UID to individual list entries
May 20 2017, 10:44 AM

May 19 2017

Bawolff added a comment to T164059: MediaWiki\Linker\LinkRenderer::makeKnownLink() must implement interface MediaWiki\Linker\LinkTarget, null given on Special:Watchlist.

$pageTitle = $rc->getTitle(); in the getDiffHistLinks method can return null, a case not currently handled.

May 19 2017, 10:05 PM · MW-1.30-release-notes (WMF-deploy-2017-05-23_(1.30.0-wmf.2)), User-notice, Patch-For-Review, Wikimedia-log-errors, MediaWiki-Watchlist
Bawolff created T165797: if using json with callback parameter in api on and you use the non-anon token, the error message is confusing.
May 19 2017, 5:19 PM · MW-1.30-release-notes (WMF-deploy-2017-06-27_(1.30.0-wmf.7)), Patch-For-Review, MediaWiki-API
Bawolff merged T165777: [FEATUREREQUEST] RSS/ATOM Feed of Version/News into T165773: Setup FeaturedFeeds extension to have RSS of mw:News.
May 19 2017, 3:50 PM · Developer-Relations
Bawolff merged task T165777: [FEATUREREQUEST] RSS/ATOM Feed of Version/News into T165773: Setup FeaturedFeeds extension to have RSS of mw:News.
May 19 2017, 3:50 PM
Bawolff added a comment to T165768: $wgShowSQLErrors doesn't seem to be working anymore.

Yay it works, but it seems silly that we now have 2 separate globals for showing sql errors (The $wgShowSQLErrors still seems to be needed for the api)

May 19 2017, 3:43 PM · MediaWiki-Debug-Logger, MediaWiki-Database
Bawolff created T165773: Setup FeaturedFeeds extension to have RSS of mw:News.
May 19 2017, 2:48 PM · Developer-Relations
Bawolff added projects to T165768: $wgShowSQLErrors doesn't seem to be working anymore: MediaWiki-Database, MediaWiki-Debug-Logger.
May 19 2017, 2:29 PM · MediaWiki-Debug-Logger, MediaWiki-Database
Bawolff created T165768: $wgShowSQLErrors doesn't seem to be working anymore.
May 19 2017, 2:28 PM · MediaWiki-Debug-Logger, MediaWiki-Database

May 17 2017

Bawolff added a comment to T162771: Zerowiki is broken by <html> filtering.

Go ahead and try it - let me know when it's live so I can do another test

May 17 2017, 1:24 PM · Zero, Security
Bawolff changed the visibility for T162771: Zerowiki is broken by <html> filtering.
May 17 2017, 1:17 PM · Zero, Security
Bawolff added a comment to T162771: Zerowiki is broken by <html> filtering.

Sorry for the delay, we will do this soon: https://gerrit.wikimedia.org/r/#/c/354113/

May 17 2017, 12:39 PM · Zero, Security

May 16 2017

Bawolff changed the visibility for T161579: Review of reddit post about keyholder.
May 16 2017, 9:41 PM · Release-Engineering-Team, Security
Bawolff placed T161579: Review of reddit post about keyholder up for grabs.
May 16 2017, 9:41 PM · Release-Engineering-Team, Security
Bawolff closed T161579: Review of reddit post about keyholder as Resolved.
May 16 2017, 9:41 PM · Release-Engineering-Team, Security
Bawolff changed the status of T165476: testing if #wikimedia-dev picks up on this? from Resolved to Invalid.
May 16 2017, 10:43 AM · Trash
Bawolff changed the visibility for T165476: testing if #wikimedia-dev picks up on this?.
May 16 2017, 10:42 AM · Trash
Bawolff closed T165476: testing if #wikimedia-dev picks up on this? as Resolved.
May 16 2017, 10:42 AM · Trash
Bawolff added a comment to T165476: testing if #wikimedia-dev picks up on this?.

Add a test comment?

May 16 2017, 10:42 AM · Trash
Bawolff created T165476: testing if #wikimedia-dev picks up on this?.
May 16 2017, 10:41 AM · Trash
Bawolff changed the visibility for T164800: A variant of "Load JS and CSS by URL" site JS snippet is vulnerable to XSS.
May 16 2017, 10:40 AM · Vuln-XSS, Security
Bawolff closed T164800: A variant of "Load JS and CSS by URL" site JS snippet is vulnerable to XSS as Resolved.
May 16 2017, 10:40 AM · Vuln-XSS, Security
Bawolff added a comment to T164800: A variant of "Load JS and CSS by URL" site JS snippet is vulnerable to XSS.

Changes made:

May 16 2017, 10:40 AM · Vuln-XSS, Security
Bawolff added a comment to T165455: Go from "E" to "A+" on Securityheaders.io.

In theory we could have a whitelist and then emit DENY or ALLOW-FROM depending on the origin, but it would have to be implemented in all kinds of things that render/cache wiki pages (MediaWiki, Parsoid, Varnish...) which is a bit of a pain. Maybe it could be limited to authenticated page views (framing an unauthenticated view seems pretty harmless).

May 16 2017, 10:25 AM · Wikimedia-General-or-Unknown, Security
Bawolff placed T107707: Login alert when user logs in from new machine up for grabs.

unassigning from self. Community-tech has taken over working on this extension.

May 16 2017, 8:41 AM · Community-Tech-Sprint, Security-Core, MediaWiki-User-login-and-signup
Bawolff added a comment to T161647: RFC: Deprecate using php serialization inside MediaWiki.

One handy (ab)use of php serialization is deep cloning

May 16 2017, 8:35 AM · ArchCom-RfC, Services (watching), Security
Bawolff added a comment to T165455: Go from "E" to "A+" on Securityheaders.io.

This is probably the header that would improve our security the most. I've been working on this, but progress has been very slow, largely due to lack of time on my part. See https://www.mediawiki.org/wiki/Requests_for_comment/Content-Security-Policy and T135963 for more details. There are different levels of using this header, with different levels of changes required depending on how "strict".

May 16 2017, 7:59 AM · Wikimedia-General-or-Unknown, Security
Bawolff added a parent task for T92002: implement Public Key Pinning (HPKP) for Wikimedia domains: T165455: Go from "E" to "A+" on Securityheaders.io.
May 16 2017, 7:11 AM · Operations, Traffic, HTTPS
Bawolff added subtasks for T165455: Go from "E" to "A+" on Securityheaders.io: T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki, T92002: implement Public Key Pinning (HPKP) for Wikimedia domains.
May 16 2017, 7:11 AM · Wikimedia-General-or-Unknown, Security
Bawolff added a comment to T48560: non consistent X-Frame-Options.

It's related to whether a page is "click-jackable". For ordinary articles, usually that means if there is a "patrol" link on the page.

May 16 2017, 7:11 AM · MediaWiki-General-or-Unknown

May 4 2017

Bawolff added a comment to T133408: Security review of TemplateStyles.

I'm still working through all this, but some initial things:

  • As a precaution, I think there should be a post processing step to kill all U+007F characters, in case someone manages to insert a strip marker. I don't think it's possible to insert a strip marker in a valid way into a stylesheet, but just in case, it doesn't hurt to replace U+007F with a unicode replacement character or css \7f escape or something.

You could embed it inside a CSS string. Elsewhere it would probably parse as a <delim-token>, but the sanitizer should filter those out (which is good because there's no way to legally escape them). Or a comment, but the sanitizer will always filter those out.

I think I'll have css-sanitizer use hex escapes for all non-graphic characters except U+0020 in strings and names, and I'll have TemplateStyles replace U+007F with U+FFFD if any sneak through the sanitizer.

May 4 2017, 6:28 PM · Patch-For-Review, Reading-Admin, Security-Reviews, TemplateStyles

May 3 2017

Bawolff added a comment to T133408: Security review of TemplateStyles.

I'm still working through all this, but some initial things:

May 3 2017, 10:07 PM · Patch-For-Review, Reading-Admin, Security-Reviews, TemplateStyles
Bawolff updated subscribers of T164265: Lost 2FA details, request recovery..
May 3 2017, 3:29 PM · Wikimedia-Site-requests

May 2 2017

Bawolff closed Restricted Task, a subtask of T163721: Update wikitech-static and develop procedures to keep it maintained, as Resolved.
May 2 2017, 8:36 PM · Patch-For-Review, Operations, Labs, wikitech.wikimedia.org

Apr 30 2017

Bawolff updated the task description for T158689: Parameters injection in SyntaxHighlight results in multiple vulnerabilities.
Apr 30 2017, 6:40 PM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), Patch-For-Review, Vuln-XSS, Security
Bawolff updated subscribers of T164155: new minor release needed for syntaxhighlight.

@Legoktm: there is also a report that debian has the wrong version as well (I haven't verified this myself).

Apr 30 2017, 12:46 AM · Release, Security
Bawolff updated subscribers of T164155: new minor release needed for syntaxhighlight.
Apr 30 2017, 12:40 AM · Release, Security

Apr 29 2017

Bawolff added a comment to T164155: new minor release needed for syntaxhighlight.

I sent a warning to mediawiki-l and wikitech-l (https://lists.wikimedia.org/pipermail/mediawiki-l/2017-April/046524.html); arguably an issue of this type deserves a warning to mediawiki-announcements but I don't have send access to that mailing list.

Apr 29 2017, 8:49 PM · Release, Security
Bawolff changed the visibility for T164155: new minor release needed for syntaxhighlight.
Apr 29 2017, 8:44 PM · Release, Security
Bawolff triaged T164155: new minor release needed for syntaxhighlight as Unbreak Now! priority.

There's a post about this on oss-security now.

Apr 29 2017, 8:27 PM · Release, Security
Bawolff added a project to T164155: new minor release needed for syntaxhighlight: Release.
Apr 29 2017, 8:03 PM · Release, Security
Bawolff created T164155: new minor release needed for syntaxhighlight.
Apr 29 2017, 8:02 PM · Release, Security
Bawolff added a comment to T158689: Parameters injection in SyntaxHighlight results in multiple vulnerabilities.

We should really issue another release for this right away. The syntax highlight bug was by far the most severe of all the bugs last release. To avoid confusion we should probably bump the mediawiki version number (even though that version number technically only applies to mediawiki core and not syntaxhighlight).

Apr 29 2017, 7:59 PM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), Patch-For-Review, Vuln-XSS, Security

Apr 28 2017

Bawolff added a comment to T164045: PDF thumbnails fail to render on newly-uploaded PDF files.

+1 to just reverting the pdfhandler config change

Apr 28 2017, 9:51 PM · Patch-For-Review, Wikimedia-General-or-Unknown, Regression, MediaWiki-extensions-PdfHandler, Multimedia, MediaWiki-File-management, Wikisource, Commons
Bawolff added a comment to T164045: PDF thumbnails fail to render on newly-uploaded PDF files.

The character encoding thing looks like it's related to colours. Presumably the escape control character is being stripped by the logs.

Apr 28 2017, 9:46 PM · Patch-For-Review, Wikimedia-General-or-Unknown, Regression, MediaWiki-extensions-PdfHandler, Multimedia, MediaWiki-File-management, Wikisource, Commons
Bawolff added a comment to T164047: Captchas sent with wrong mime type on beta.

I mean it's being sent as Content-Type: application/x-www-form-urlencoded

Apr 28 2017, 2:08 AM · Beta-Cluster-Infrastructure
Bawolff created T164047: Captchas sent with wrong mime type on beta.
Apr 28 2017, 1:55 AM · Beta-Cluster-Infrastructure

Apr 27 2017

Bawolff added a comment to T163409: Creating CollaborationListContent features does not work on Beta Cluster.

What's the error in question?

Apr 27 2017, 7:23 AM · MW-1.30-release-notes (WMF-deploy-2017-05-09_(1.30.0-wmf.1)), Patch-For-Review, MediaWiki-extensions-CollaborationKit

Apr 25 2017

Bawolff created P5332 spam users needing to be locked.
Apr 25 2017, 11:55 PM
Bawolff added a comment to T162771: Zerowiki is broken by <html> filtering.

This week is already becoming kind of insane due to events on frwiki. How about we do this on Monday?

Apr 25 2017, 10:52 PM · Zero, Security
Bawolff changed the visibility for T163310: I couldn't find a way to log out of Pivot.
Apr 25 2017, 9:09 PM · Security
Bawolff closed T163310: I couldn't find a way to log out of Pivot as Declined.

This is more a browser UI issue (This is the same for anything else protected by basic http auth e.g https://logstash.wikimedia.org )

Apr 25 2017, 9:09 PM · Security