Bawolff (Brian Wolff)
SecurityAdministrator

User Details

User Since
Oct 25 2014, 1:53 AM (238 w, 3 d)
Roles
Administrator
Availability
Available
IRC Nick
Bawolff
LDAP User
Brian Wolff
MediaWiki User
Bawolff [ Global Accounts ]

I work on the MediaWiki Security Team.

Recent Activity

Fri, May 17

Bawolff added a comment to T101631: rev_len should be available also for deleted revisions in database replicas.

If I can get a thumbs up from @Bawolff, perhaps?

The current logic expressly filters rev_len on deleted revisions: if(rev_deleted&1,null,rev_len) as rev_len. I don't know if that's just for consistency or if someone thinks that really should be kept out of the replicas. As stated above, it does seem to be available online, though I'm not sure if that's all versions of the deleted field, since that's an integer, I think.

Fri, May 17, 1:39 PM · cloud-services-team (Kanban), Data-Services, Cloud-VPS

Tue, May 14

Bawolff claimed T223307: Security review libraries used by WebAuthn extension.
Tue, May 14, 5:12 PM · Security-Team-Reviews, MediaWiki-extensions-OATHAuth
Bawolff created T223307: Security review libraries used by WebAuthn extension.
Tue, May 14, 5:12 PM · Security-Team-Reviews, MediaWiki-extensions-OATHAuth

Fri, May 10

Bawolff placed T201492: Security review for FormWizard extension up for grabs.
Fri, May 10, 10:46 PM · Security-Team-Review-Active, FormWizard
Bawolff added a comment to T201492: Security review for FormWizard extension.

So I guess this isn't quite ready for a security review given previous comment, but some thoughts

Fri, May 10, 10:46 PM · Security-Team-Review-Active, FormWizard
Bawolff changed the visibility for T142314: Null byte in old versions of Replace Text may cause arbitrary execution.
Fri, May 10, 10:03 PM · MediaWiki-extensions-ReplaceText, Security
Bawolff closed T142314: Null byte in old versions of Replace Text may cause arbitrary execution as Declined.

This is old enough now to no longer be relevant.

Fri, May 10, 10:02 PM · MediaWiki-extensions-ReplaceText, Security
Bawolff added a comment to T222849: OATHAuth disable 2fa doesn't properly check getLoginSecurityLevel().

Ah, that's confusing. Thanks.

Fri, May 10, 4:56 AM · MediaWiki-extensions-OATHAuth
Bawolff added a comment to T221887: Ignore css in displaytitle when $wgRestrictDisplayTitle is enabled.

The threat model here is kind of debatable. It's unclear what security goals we are trying to accomplish with the displaytitle restrictions, and thus I'm unsure (unsure in the sense of actually do not know, not unsure in the sense of disagreeing) if further restrictions on it are justified.

Fri, May 10, 4:51 AM · Security-Team, User-notice, Patch-For-Review, MediaWiki-Parser

Thu, May 9

Bawolff awarded T127640: Re-evaluate our use of Phabricator Conpherence chat a Doubloon token.
Thu, May 9, 9:57 PM · Developer-Advocacy (Apr-Jun 2019), Phabricator

Wed, May 8

Bawolff created T222849: OATHAuth disable 2fa doesn't properly check getLoginSecurityLevel().
Wed, May 8, 10:42 PM · MediaWiki-extensions-OATHAuth
Bawolff added a comment to T182536: Fix security issues found in Graphs extension during review of vega 2.

wikititle:/// is supposed to prevent query parameters from being used, however it could probably be bypassed if they are percent encoded due to T96274 (e.g. https://en.wikipedia.org/wiki/Main_Page%3faction=history%26curid=2120 is interpreted by our servers incorrectly).

Wed, May 8, 5:45 PM · Patch-For-Review, Security, Graphs
Bawolff changed the visibility for T182536: Fix security issues found in Graphs extension during review of vega 2.
Wed, May 8, 5:37 PM · Patch-For-Review, Security, Graphs
Bawolff created T222807: Sandbox Graph extension into an iframe.
Wed, May 8, 4:26 PM · Graphs
Bawolff created T222806: Security Review for Vega 5 and Vega-Lite JavaScript Libraries.
Wed, May 8, 4:24 PM · JavaScript, Maps, Security-Team-Review-Active, Graphs
Bawolff changed the visibility for T172938: Security review new version of the Vega lib.
Wed, May 8, 3:45 PM · Security, Security-Team-Reviews, Graphs, Graphoid

Tue, May 7

Bawolff created T222681: WikidataPageBanner uses a blacklist of skin names to decide 'prebodyhtml' support instead of sane feature detection.
Tue, May 7, 4:52 AM · patch-welcome, Readers-Web-Backlog (Tracking), User-Jdlrobson, Technical-Debt, Wikidata-Page-Banner, Timeless, Wikidata
Bawolff added a comment to T207246: Do a security audit of *.planet.wikimedia.org.

Re: privacy, the sites reference the standard Wikimedia PP. And while most resources seem to come from internal Wikimedia sites, some definitely do not (e.g. images within the Shocking tales from ornithology post on en.planet.wikimedia.org and a few others.)

Tue, May 7, 4:13 AM · Security-Team-Review-Active, Wikimedia-Planet

Mon, May 6

Bawolff added a comment to T207246: Do a security audit of *.planet.wikimedia.org.

I think the main things we want to check:

Mon, May 6, 6:46 AM · Security-Team-Review-Active, Wikimedia-Planet

Thu, May 2

Bawolff added a comment to T222324: Unable to perform revision deletion on Commons.

Yup, triggered on GET to https://commons.wikimedia.org/w/index.php?title=User%3AJdforrester_%28WMF%29%2Fsandbox&action=revisiondelete&type=revision&ids%5B348296966%5D=1:

[ [[https://logstash.wikimedia.org/app/kibana#/doc/logstash-*/logstash-2019.05.02/mediawiki?id=AWp2UJLb3aPtkd7P1oBE&_g=()|XMpRwApAMFQAAE8PXE0AAAAQ]] ] 2019-05-02 02:12:33: Fatal exception of type "WMFTimeoutException"

This is on a trivial page (two revisions, one editor); possibly this is caused by actor changes?

Thu, May 2, 2:34 AM · MW-1.34-notes (1.34.0-wmf.4; 2019-05-07), Patch-For-Review, Performance, MediaWiki-Revision-deletion, Security
Bawolff added a comment to T222324: Unable to perform revision deletion on Commons.

Note security did some minor adjustments to the revdel process on Tuesday but nothing that should cause this.

Thu, May 2, 2:11 AM · MW-1.34-notes (1.34.0-wmf.4; 2019-05-07), Patch-For-Review, Performance, MediaWiki-Revision-deletion, Security

Mon, Apr 29

Bawolff added a comment to T220440: GSoC 2019 Proposal: Integrate SVG Translate with Content Translation.

My understanding is that the content translation tool is optimized for the use case where the two translations are independent (e.g. between wikis), where E:Translate is optimized for the use case of translating documents where one of the languages is controlling (e.g. like software translation). Admittedly I don't follow translation stuff very closely, so I may just be mistaken, but assuming that assumption is correct, may I ask what the rationale is for integrating into ContentTranslation over E:Translate?

Mon, Apr 29, 8:42 AM · Google-Summer-of-Code (2019)

Fri, Apr 26

Bawolff added a comment to T221998: Create comprehensive global account action log for all CentralAuth wikis.

For what you are literally asking for: https://tools.wmflabs.org/guc/

Fri, Apr 26, 10:32 PM · MediaWiki-extensions-CentralAuth

Tue, Apr 23

Bawolff closed T172938: Security review new version of the Vega lib as Resolved.

so I think we've done everything on our end. See my comment above for my comments on the library - please address those things before using vega 3. Let me know if you have any questions.

Tue, Apr 23, 5:11 PM · Security, Security-Team-Reviews, Graphs, Graphoid
Bawolff closed T172938: Security review new version of the Vega lib, a subtask of T165118: Support Vega 3.0+ and Vega Lite 2.0+, as Resolved.
Tue, Apr 23, 5:11 PM · Outreach-Programs-Projects, Graphs
Bawolff created T221576: Password length requirement error shown twice.
Tue, Apr 23, 7:35 AM · MediaWiki-User-login-and-signup, Security-Team, Anti-Harassment

Mon, Apr 22

Bawolff added a comment to T219728: Support for new Japanese era name "Reiwa".

The patch should be deployed to Japanese language sites until May 1 JST.

Mon, Apr 22, 3:24 AM · MW-1.34-notes (1.34.0-wmf.1; 2019-04-16), MW-1.27-release-notes, MW-1.32-notes, MW-1.31-release-notes, MW-1.33-notes, MW-1.33-release, Patch-For-Review, MediaWiki-Internationalization, User-Rxy, I18n

Apr 20 2019

Bawolff changed the visibility for T221499: Disable TLS 1.0 and 1.1 in apache for gerrit.wikimedia.org.
Apr 20 2019, 4:15 PM · Patch-For-Review, Gerrit, Security
Bawolff added a comment to T221499: Disable TLS 1.0 and 1.1 in apache for gerrit.wikimedia.org.

https://www.ssllabs.com/ssltest/analyze.html?d=gerrit.wikimedia.org&s=2620%3a0%3a861%3a3%3a208%3a80%3a154%3a85&latest suggests ssl3 is already disabled

Apr 20 2019, 4:15 PM · Patch-For-Review, Gerrit, Security

Apr 18 2019

Bawolff added a comment to T221347: PHP7 opcache sometimes corrupts when cleared (was: Fatal ConfigException, undefined InitialiseSettings variable).

Hmm, L and K having a hamming distance of 3 - Could this possibly be a memory error that wasn't detectable by ECC as a 3 bit error?

Apr 18 2019, 6:06 PM · PHP 7.2 support, Operations, Wikimedia-production-error

Apr 16 2019

Bawolff added a comment to T220657: Establish Architecture Principles as a policy.

There is no formal definition, but in practice, it means anything that is maintained by WMF staff

Apr 16 2019, 12:22 AM · TechCom-RFC (TechCom-Approved), TechCom

Apr 9 2019

Bawolff added a comment to T172938: Security review new version of the Vega lib.

@Bawolff are there any CSP issues with srcdoc? In my example, parent can have a different CSP rules than iframe. This way you can enable unsafe-eval in the frame, without allowing it in the parent.

Apr 9 2019, 5:27 PM · Security, Security-Team-Reviews, Graphs, Graphoid

Apr 8 2019

Bawolff added a comment to T107069: Convert HistoryAction.php to use OOUI and MW's new DateInputWidget.

Screenshot. Note that not a single row of the history page shows up. (Note: My font size may be mildly above normal. Some of us like big letters to help our eyes. Notwithstanding that, I would consider this an unreasonable amount of screen real-estate being taken up).

Apr 8 2019, 10:11 PM · MW-1.34-notes (1.34.0-wmf.1; 2019-04-16), MW-1.33-notes (1.33.0-wmf.24; 2019-04-02), UI-Standardization-Kanban, User-Jdlrobson, Advanced Mobile Contributions, MediaWiki-History-and-Diffs, UI-Standardization
Bawolff added a comment to T107069: Convert HistoryAction.php to use OOUI and MW's new DateInputWidget.

Just fyi, I would describe half as an underexaggeration. Screenshot incoming

Apr 8 2019, 10:07 PM · MW-1.34-notes (1.34.0-wmf.1; 2019-04-16), MW-1.33-notes (1.33.0-wmf.24; 2019-04-02), UI-Standardization-Kanban, User-Jdlrobson, Advanced Mobile Contributions, MediaWiki-History-and-Diffs, UI-Standardization
Bawolff created T220321: restart installation warning has a newline after warning icon that looks a little weird.
Apr 8 2019, 2:49 AM · MediaWiki-Installer

Apr 7 2019

Bawolff created T220312: categories are broken on sqlite as a result of calling beginMasterChanges() prior to the job insert being comitted.
Apr 7 2019, 10:54 PM · SQLite, MediaWiki-Database
Bawolff added a comment to T219429: Special:log displays viewer IP address instead of log_user_text when log_user is non-zero and associated account does not exist.

Note, @RhinosF1 is also complaining about this issue in #mediawiki irc about the site https://thelostjewel.com/index.php?title=Special:Log&dir=prev&type=newusers&user=&page=&wpdate=&tagfilter=

Apr 7 2019, 7:30 PM · Privacy, MediaWiki-Special-pages

Apr 5 2019

Bawolff changed the visibility for T151687: Insecure CORS access control of JS in Wikipedia.org.
Apr 5 2019, 4:03 PM · Discovery, Wikimedia-Portals, Security

Apr 4 2019

Bawolff added a comment to T220023: Ajax request to external URL from wikimedia website.

@Bawolff I will explain how hijri date is calculated.

In hijri date, there are 12 months. Each month has between 29-30 days. And we can't know whether the number of days is 29 or 30 except if we look at the moon's movement. So in Middle East countries they look at the moon on the 28th night to see what the status of the moon is. If it's a new moon, then this means that a new month will start.

For example, today is 28 Regeb 1440 (hijri date), and tonight each Middle Eastern country will look at the moon (Most countries followed Saudi Arabia's decision), and determine if tomorrow will be the start of a new month, or not. If it's the start of a new month then this means that the current hijri month's number of days will be 29, else it will be 30 days.

The difference between 29 or 30 causes all the mistakes and the differences. All the tools on the internet depend on mathematical calculations to determine the length of each month (To my knowledge). Except the two websites I've listed before. The advantage of these websites is that they're updated each day, very trusted, and they're operated by special institutions that focus on hijri date calendars, prayer times...etc.

The problem with MW is in Language.php file. Specially the tsToHijri function. This is where hijri date is calculated.

Apr 4 2019, 5:08 PM · Privacy
Bawolff added a comment to T220064: Update RandomInCategory to meet current standards.

Honestly, probably better to use the extension if it still works, uncyclomedia probably doesn't have big enough categories to matter.

Apr 4 2019, 4:39 AM · Uncyclomedia, MediaWiki-extensions-Other
Bawolff added a comment to T220023: Ajax request to external URL from wikimedia website.

@Reedy Unfortunately it seems that the website depends on PHP code. There is no evidence that it depends on JavaScript code to calculate the date. I've done a lot of research about this problem, and the only way in my opinion to solve this problem is by depending on a 3rd party website.

Apr 4 2019, 4:34 AM · Privacy

Apr 3 2019

Bawolff added a project to T220023: Ajax request to external URL from wikimedia website: Privacy.
Apr 3 2019, 9:30 PM · Privacy
Bawolff added a comment to T220023: Ajax request to external URL from wikimedia website.

The error is only a warning so it doesn't actually block things yet. But will soon. It is a violation of the privacy policy unless the user has specifically opted in.

Apr 3 2019, 9:30 PM · Privacy

Apr 2 2019

Bawolff closed T219827: Proposal: Make centralauth db replicate to all the analytics dbstores as Declined.

That's not possible cause it would require setting up multi-source replication on all the instances that are not s7 (where centralauth database lives).

We are not supporting multi-source anymore on new deployments for a number of reasons. It is only living on labsdb hosts and we have already communicated to WMCS that long term that doesn't scale and we need to find a way to workaround it.

Sorry :-(

Apr 2 2019, 7:07 AM · Analytics

Apr 1 2019

Bawolff created T219832: checkComposerLockUpToDate.php doesn't handle non-exact version constraints properly.
Apr 1 2019, 7:54 PM · MediaWiki-Installer, MediaWiki-Maintenance-scripts
Bawolff added a comment to T219689: Undeprecate User::setPassword().

Going to un-deprecate, though we are in favor of eventually deprecating the User Object. That is a while off.

Apr 1 2019, 7:25 PM · Core Platform Team Backlog (Later), Patch-For-Review, Core Platform Team, MediaWiki-Authentication-and-authorization
Bawolff added a comment to T219827: Proposal: Make centralauth db replicate to all the analytics dbstores.

(e.g. Checking what percentage of enwiki admins have 2FA enabled).

Apr 1 2019, 6:58 PM · Analytics
Bawolff created T219827: Proposal: Make centralauth db replicate to all the analytics dbstores.
Apr 1 2019, 6:54 PM · Analytics
Bawolff added a comment to T219745: Checking contributions on mobile and shows error when usernames containing Japanese chracters.

For reference, the english translation of the error seems to be:

Bad username given
Cannot look for contributions without a user or with a user that does not exist.
Apr 1 2019, 5:54 AM · MobileFrontend
Bawolff added a comment to T219728: Support for new Japanese era name "Reiwa".

If I understand correctly this will require CLDR 35.1, ICU 64.2 and Unicode 12.1 planned for 2019-05-07.

Apr 1 2019, 5:38 AM · MW-1.34-notes (1.34.0-wmf.1; 2019-04-16), MW-1.27-release-notes, MW-1.32-notes, MW-1.31-release-notes, MW-1.33-notes, MW-1.33-release, Patch-For-Review, MediaWiki-Internationalization, User-Rxy, I18n
Bawolff added a comment to T219541: performance optimize timeless.

So reading a bit about client side performance [This is not my area of expertise] - the best thing (all other things being equal) to do is transfer less bytes. But that's easier said than done.

Apr 1 2019, 5:11 AM · Timeless

Mar 31 2019

Bawolff added a project to T219738: PHP Warning: Array key should be either a string or an integer: EventBus.
Mar 31 2019, 8:53 PM · Core Platform Team (Security, stability, performance and scalability (TEC1)), Core Platform Team Kanban (Done with CPT), MW-1.33-notes (1.33.0-wmf.25; 2019-04-09), Beta-Cluster-reproducible, EventBus, Analytics, Wikimedia-production-error
Bawolff added a comment to T219738: PHP Warning: Array key should be either a string or an integer.

"EventFactory.php" line 144 also seems kind of wrong. It's passing the wiki name to self::getDomain, but the docs for self::getDomain indicate that that parameter is a boolean for whether or not the wiki display name is used, not as a value to pass the wikiid

Mar 31 2019, 8:53 PM · Core Platform Team (Security, stability, performance and scalability (TEC1)), Core Platform Team Kanban (Done with CPT), MW-1.33-notes (1.33.0-wmf.25; 2019-04-09), Beta-Cluster-reproducible, EventBus, Analytics, Wikimedia-production-error
Bawolff updated subscribers of T219738: PHP Warning: Array key should be either a string or an integer.
Mar 31 2019, 8:50 PM · Core Platform Team (Security, stability, performance and scalability (TEC1)), Core Platform Team Kanban (Done with CPT), MW-1.33-notes (1.33.0-wmf.25; 2019-04-09), Beta-Cluster-reproducible, EventBus, Analytics, Wikimedia-production-error
Bawolff added a comment to T219738: PHP Warning: Array key should be either a string or an integer.

I think there might be more than one thing going wrong here, but primarily:

Mar 31 2019, 8:49 PM · Core Platform Team (Security, stability, performance and scalability (TEC1)), Core Platform Team Kanban (Done with CPT), MW-1.33-notes (1.33.0-wmf.25; 2019-04-09), Beta-Cluster-reproducible, EventBus, Analytics, Wikimedia-production-error
Bawolff updated the task description for T219736: ttmserver/ElasticSearchTTMServer.php: Call to a member function getAggregations() on null.
Mar 31 2019, 6:10 PM · Language-Team (Language-2019-April-June), MW-1.34-notes (1.34.0-wmf.3; 2019-04-30), User-abi_, Wikimedia-production-error, MediaWiki-extensions-Translate
Bawolff created T219725: Setup Fresnel to work with timeless.
Mar 31 2019, 6:21 AM · MW-1.33-notes (1.33.0-wmf.25; 2019-04-09), Patch-For-Review, Timeless
Bawolff added a comment to T219541: performance optimize timeless.

So I think we should do some research into how much different CSS footprints affect performance before actually doing anything, but some initial thoughts on CSS in timeless:

Mar 31 2019, 6:13 AM · Timeless
Bawolff added a comment to T217883: Use the "Timeless" skin by default on frwiktionary.

Thank you for your detailed response.

Mar 31 2019, 1:55 AM · Wikimedia-Site-requests

Mar 30 2019

Bawolff updated the task description for T219541: performance optimize timeless.
Mar 30 2019, 9:15 PM · Timeless

Mar 28 2019

Bawolff updated the task description for T219541: performance optimize timeless.
Mar 28 2019, 11:38 PM · Timeless
Bawolff updated the task description for T219541: performance optimize timeless.
Mar 28 2019, 11:23 PM · Timeless
Bawolff created P8306 Percent recent changes using timeless.
Mar 28 2019, 6:56 PM
Bawolff created T219541: performance optimize timeless.
Mar 28 2019, 5:53 PM · Timeless

Mar 27 2019

Bawolff updated subscribers of T219429: Special:log displays viewer IP address instead of log_user_text when log_user is non-zero and associated account does not exist.

I'm cc'ing @Anomie as I'm not 100% sure, but this sounds very much like a regression from the actor migration.

Mar 27 2019, 6:09 PM · Privacy, MediaWiki-Special-pages
Bawolff added a comment to T219289: Security Review For viewing Special:Homepage as rendered for other users.

FWIW, given how much press https://arstechnica.com/information-technology/2018/09/50-million-facebook-accounts-breached-by-an-access-token-harvesting-attack/ has been getting, view-as-other-people features make me nervous.

Mar 27 2019, 6:00 PM · Security-Team-Reviews, Growth-Team (Current Sprint)

Mar 26 2019

Bawolff closed T218588: Security Issue Access Request for DLynch as Declined.

We're a little worried about the ever expanding size of the security group in phabricator. There are very few visual editor related tasks in Security (You should be able to see them all now). For the moment we would like to just add you to the relevant tasks but not to the security group in general (Please ask if there is ever one you need to see that you can't). Please note this is not about you, we just needed to draw the line somewhere lest the security group becomes a total slippery slope.

Mar 26 2019, 3:14 PM · Security-Team, Security
Bawolff changed the visibility for T199178: TemplateData doesn't sanitize descriptions etc..
Mar 26 2019, 3:02 PM · User-Ryasmeen, VisualEditor, TemplateData, Security
Bawolff closed T199178: TemplateData doesn't sanitize descriptions etc. as Resolved.

I don't think there's anything to do here.

Mar 26 2019, 3:02 PM · User-Ryasmeen, VisualEditor, TemplateData, Security

Mar 25 2019

Bawolff added a comment to T218210: SO878 Step 1: Refactor OATHAuth extension.

In regards to API modules, you may want to consider making it similar to the authmanager login module, as during the normal login process people will be prompted for the 2FA stuff, so it will have to work with that flow anyways.

Mar 25 2019, 4:46 PM · Core Platform Team Kanban (Contractor - Doing), Core Platform Team (Security, stability, performance and scalability (TEC1)), Patch-For-Review, MediaWiki-extensions-OATHAuth
Bawolff added a comment to T218210: SO878 Step 1: Refactor OATHAuth extension.

The user should be able to choose between enabled modules and maybe use them in parallel. But this will be put to the end of the project, as it may require some more work.

Mar 25 2019, 4:31 PM · Core Platform Team Kanban (Contractor - Doing), Core Platform Team (Security, stability, performance and scalability (TEC1)), Patch-For-Review, MediaWiki-extensions-OATHAuth
Bawolff added a watcher for MediaWiki-extensions-OATHAuth: Bawolff.
Mar 25 2019, 4:28 PM

Mar 22 2019

Bawolff changed the visibility for T218608: OAuth doesn't work when $wgBlockDisablesLogin is true.
Mar 22 2019, 1:08 AM · cloud-services-team (Kanban), Security-Team, MediaWiki-Authentication-and-authorization, MediaWiki-extensions-OAuth, Security

Mar 21 2019

Mill <mill@mail.com> committed rERSE6637779a6ae0: %26jbaaaaaaaaaaa (authored by Bawolff).
%26jbaaaaaaaaaaa
Mar 21 2019, 12:37 AM

Mar 20 2019

Bawolff added a subtask for T206676: 1.33.0-wmf.22 deployment blockers: T218830: selectandother widget broken, particular on Special:GlobalBlock since 1.33.0-wmf.22.
Mar 20 2019, 10:48 PM · Release-Engineering-Team (Kanban), User-zeljkofilipin, Release, Train Deployments
Bawolff added a parent task for T218830: selectandother widget broken, particular on Special:GlobalBlock since 1.33.0-wmf.22: T206676: 1.33.0-wmf.22 deployment blockers.
Mar 20 2019, 10:48 PM · MW-1.33-notes (1.33.0-wmf.22; 2019-03-19), MediaWiki-General-or-Unknown, Regression
Bawolff created T218830: selectandother widget broken, particular on Special:GlobalBlock since 1.33.0-wmf.22.
Mar 20 2019, 10:46 PM · MW-1.33-notes (1.33.0-wmf.22; 2019-03-19), MediaWiki-General-or-Unknown, Regression
Bawolff updated subscribers of T217883: Use the "Timeless" skin by default on frwiktionary.

So this is a bit of a grey area of if this change is within the realm of things that a community can request. The foundation may feel it wants a consistent feel to all the projects that it hosts.

Mar 20 2019, 9:54 PM · Wikimedia-Site-requests
Bawolff added a comment to T218721: Have CI run seccheck tests.

FYI, these tests should already be run via CI (as part of composer tests)

Mar 20 2019, 1:43 PM · Patch-For-Review, phan-taint-check-plugin, Continuous-Integration-Config

Mar 18 2019

Bawolff added a comment to T207344: Phan-taint-check-plugin not available for PHP > 7.0.

yeah, it's tied pretty heavily to phan 0.8, which in turn is tied to php 7. There's an upcoming goal to move the plugin to a modern version of phan.

Mar 18 2019, 2:38 PM · phan-taint-check-plugin
Bawolff added a comment to T218568: Allow CORS from query.wikidata.org to production wikis.

Reading https://meta.wikimedia.org/w/api.php?action=help&modules=shortenurl - doesn't seem to require a CSRF token, so I'm not sure that CORS is needed here? (more specifically, you can use the generic origin=* I think).

Mar 18 2019, 2:01 PM · Security, Wikimedia-Site-requests, Discovery, Wikidata-Query-Service, Wikidata

Mar 15 2019

Aklapper empowered Bawolff as an administrator.
Mar 15 2019, 5:27 PM
Bawolff created T218383: Remove @dap (Darian Patrick) as github admin.
Mar 15 2019, 3:51 AM · Security-Team, GitHub-Mirrors

Mar 13 2019

Bawolff added a comment to T218135: +2 in mediawiki/* for WMDE engineers.

I'm not sure how to say this without coming off as a dick, so I'm just going to go ahead: Jeroen De Dauw already has 2 failed requests for +2 in mediawiki/core 1 2. Admittedly this was a long time ago, but the last time he did anything non-trivial in MW core was in 2013. I feel like this is sort of a backdoor around previous community consensus.

Mar 13 2019, 1:09 AM · MediaWiki-Gerrit-Group-Requests
Bawolff added a comment to T216295: RFC: Update to Gerrit privilege policy .

I think this should be explicitly announced on wikitech-l, and not just buried in a techcom update

Mar 13 2019, 12:42 AM · TechCom-RFC (TechCom-Approved), Developer-Advocacy

Mar 12 2019

Bawolff closed T215048: Security review for the WikimediaEditorTasks extension as Resolved.

Overall: Looks good - Extension passes security review. There are a couple very small things though I would like to see changed.

Mar 12 2019, 10:55 AM · Security-Team-Reviews, Wikipedia-Android-App-Backlog, WikimediaEditorTasks, Reading-Infrastructure-Team-Backlog
Bawolff closed T215048: Security review for the WikimediaEditorTasks extension, a subtask of T212795: Build infrastructure to track counts of qualifying edits for the Suggested Edits feature, as Resolved.
Mar 12 2019, 10:55 AM · WikimediaEditorTasks, Wikipedia-Android-App-Backlog, Reading-Infrastructure-Team-Backlog (Kanban)

Mar 8 2019

Aklapper awarded T217917: Phabricator admin rights for bawolff a Like token.
Mar 8 2019, 9:27 PM · Phabricator
MarcoAurelio awarded T217917: Phabricator admin rights for bawolff a Like token.
Mar 8 2019, 8:49 PM · Phabricator
D3r1ck01 awarded T217917: Phabricator admin rights for bawolff a Like token.
Mar 8 2019, 7:50 PM · Phabricator
Bawolff created T217917: Phabricator admin rights for bawolff.
Mar 8 2019, 7:49 PM · Phabricator
Bawolff added a comment to T217860: Allow Abandon rights on Gerrit for WMFOffice.

This sounds like a bad idea. Administrators probably shouldn't normally be able to do that, without someone literally going into MySQL etc.

Mar 8 2019, 1:37 AM · Trust-and-Safety, Security-Team

Mar 7 2019

Bawolff added a comment to T217860: Allow Abandon rights on Gerrit for WMFOffice.

Ok, I tried to make a more restrictive group called VandalFighters, which I added WMFOffice to (And removed WMFOffice from Administrators). It has the ability to abandon patches, delete patches (Note there is no undo, so be careful with the delete button), mark patches -2, flush caches, and adjust accounts (in particular mark an account "inactive" which is like block).

Mar 7 2019, 9:49 PM · Trust-and-Safety, Security-Team
Bawolff closed T217860: Allow Abandon rights on Gerrit for WMFOffice as Resolved.

Done. User is now in Administrator group

Mar 7 2019, 7:56 PM · Trust-and-Safety, Security-Team
Bawolff added a comment to T217361: Security Issue Access Request for steward election.

The following users have resigned or did not pass annual confirmation: @MBisanz, @Mentifisto, and @MF-Warburg. I've removed them from acl*stewards but if they are in Security, please process them.

Mar 7 2019, 4:54 AM · Security-Team, User-revi, Stewards-and-global-tools, Security

Mar 5 2019

Bawolff created P8163 checkuser stats for loginwiki feb.
Mar 5 2019, 10:15 PM
Bawolff added a project to T217713: Checkuser throws exception if looking up user with invalid name: CheckUser.
Mar 5 2019, 10:07 PM · Patch-For-Review, Wikimedia-production-error, CheckUser
Bawolff created T217713: Checkuser throws exception if looking up user with invalid name.
Mar 5 2019, 10:06 PM · Patch-For-Review, Wikimedia-production-error, CheckUser
Bawolff closed T216311: Security review GraphQL as Declined.

Sorry, but we're not going to review this unless there is definite interest in using production.

Mar 5 2019, 6:17 PM · MediaWiki-extensions-GraphQL, Security-Team-Reviews
Bawolff closed T216311: Security review GraphQL, a subtask of T216870: Deploy GraphQL to Beta, as Declined.
Mar 5 2019, 6:17 PM · MediaWiki-extensions-GraphQL, Wikimedia-extension-review-queue, Wikimedia-Extension-setup