Bawolff (Brian Wolff)
User

User Details

User Since
Oct 25 2014, 1:53 AM (125 w, 6 d)
Availability
Available
LDAP User
Brian Wolff
MediaWiki User
Bawolff

Recent Activity

Tue, Mar 21

Bawolff committed rECKTe62401dea3d4: Avoid logs about unexpected writes from special page. (authored by Bawolff).
Avoid logs about unexpected writes from special page.
Tue, Mar 21, 9:59 PM
Bawolff committed rECKT87014f0d3f60: Be more defensive about checking revision is present (authored by Bawolff).
Be more defensive about checking revision is present
Tue, Mar 21, 9:25 PM
Bawolff changed the visibility for T159519: Investigate security concerns on enabling OAuth or BotPasswords for stewardwiki.
Tue, Mar 21, 8:26 PM · Security-Extensions, Security-Team, Security
Bawolff triaged T159519: Investigate security concerns on enabling OAuth or BotPasswords for stewardwiki as "Normal" priority.
Tue, Mar 21, 8:25 PM · Security-Extensions, Security-Team, Security
Bawolff changed the visibility for T159519: Investigate security concerns on enabling OAuth or BotPasswords for stewardwiki.
Tue, Mar 21, 8:25 PM · Security-Extensions, Security-Team, Security
Bawolff added a comment to T160916: Special:AllPages disabled due to performance issues.

Hmm, this is the second time I've heard of using foo = '0' vs foo = 0 in queries adjusting the query plan. Maybe we should just have ints be ints in the db abstraction layer.

Tue, Mar 21, 8:13 PM · MW-1.29-release-notes, MW-1.29-release (WMF-deploy-2017-03-28_(1.29.0-wmf.18)), User-notice, Wikimedia-General-or-Unknown
Bawolff added a comment to T117618: Add restrictive CSP to upload.wikimedia.org.

Recent logs suggest we may need to add "media-src 'self'" for webm files.

Tue, Mar 21, 7:54 PM · Patch-For-Review, Security-Team
Bawolff created T160978: Job queue cannot claim job on sqlite due to db being locked.
Tue, Mar 21, 8:27 AM · MediaWiki-JobQueue
Bawolff changed the visibility for T160914: Databases overflown with connections due to slow query on Special:AllPages.
Tue, Mar 21, 8:13 AM · MediaWiki-Database, Security
Bawolff added a comment to T160914: Databases overflown with connections due to slow query on Special:AllPages.

Does this task need to be private anymore?

Tue, Mar 21, 8:12 AM · MediaWiki-Database, Security

Wed, Mar 15

Bawolff added a comment to T160519: Jenkins Browser tests for Wikibase/Popups etc are failing: Invalid CSRF token in Selenium browser.

Change 342959 had a related patch set uploaded (by Brian Wolff):
[mediawiki/core] Never use CACHE_NONE for CACHE_ANYTHING

https://gerrit.wikimedia.org/r/342959

Wed, Mar 15, 11:04 PM · MW-1.29-release (WMF-deploy-2017-03-21_(1.29.0-wmf.17)), MW-1.29-release-notes, Patch-For-Review, MediaWiki-Authentication-and-authorization, Release-Engineering-Team
Bawolff added a comment to T160519: Jenkins Browser tests for Wikibase/Popups etc are failing: Invalid CSRF token in Selenium browser.

So the console output does say: https://integration.wikimedia.org/ci/job/mwext-mw-selenium-composer-jessie/2083/consoleFull

Warning: Could not find APCu, XCache or WinCache.
11:18:58 Object caching is not enabled.
Wed, Mar 15, 10:45 PM · MW-1.29-release (WMF-deploy-2017-03-21_(1.29.0-wmf.17)), MW-1.29-release-notes, Patch-For-Review, MediaWiki-Authentication-and-authorization, Release-Engineering-Team
Bawolff added a comment to T160519: Jenkins Browser tests for Wikibase/Popups etc are failing: Invalid CSRF token in Selenium browser.

Looking at the code more closely, what might be happening.

Wed, Mar 15, 10:31 PM · MW-1.29-release (WMF-deploy-2017-03-21_(1.29.0-wmf.17)), MW-1.29-release-notes, Patch-For-Review, MediaWiki-Authentication-and-authorization, Release-Engineering-Team
Bawolff added a comment to T160519: Jenkins Browser tests for Wikibase/Popups etc are failing: Invalid CSRF token in Selenium browser.

Especially the debug log of HTTP requests seems to indicate the session cache is EmptyBagOStuff:

[caches] cluster: EmptyBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: EmptyBagOStuff, parser: EmptyBagOStuff, session: EmptyBagOStuff

Eg when doing /api.php?action=query&format=json&meta=tokens&type=csrf

I guess the session ends up dismissed between requests and the token is no longer valid on the second request.

Might be related to https://gerrit.wikimedia.org/r/#/c/342793/ 1fec847c6b366ab21bb215b94837a186545096f4 ?

Wed, Mar 15, 10:06 PM · MW-1.29-release (WMF-deploy-2017-03-21_(1.29.0-wmf.17)), MW-1.29-release-notes, Patch-For-Review, MediaWiki-Authentication-and-authorization, Release-Engineering-Team
Bawolff added a comment to T152952: CookieSetOnAutoblock for an infinite block would block the computer forever, add expiration to LocalStorage entry.

I wonder if we could add browser tests for this somehow (I don't know much about browser tests). The behaviour seems complex enough that testing would be good.

Wed, Mar 15, 6:40 PM · MW-1.29-release-notes, MW-1.29-release (WMF-deploy-2017-03-28_(1.29.0-wmf.18)), Patch-For-Review, Community-Tech-Sprint, MediaWiki-User-blocking
Bawolff closed T160495: If you press "I'm bored, install wiki already" in installer, you default to wgMainCacheType = CACHE_NONE even if accelerator available as "Resolved".
Wed, Mar 15, 4:50 PM · MW-1.29-release (WMF-deploy-2017-03-21_(1.29.0-wmf.17)), MW-1.29-release-notes, Patch-For-Review, MediaWiki-Installer
Bawolff added a comment to T160495: If you press "I'm bored, install wiki already" in installer, you default to wgMainCacheType = CACHE_NONE even if accelerator available.

(see also T49162)

Wed, Mar 15, 6:40 AM · MW-1.29-release (WMF-deploy-2017-03-21_(1.29.0-wmf.17)), MW-1.29-release-notes, Patch-For-Review, MediaWiki-Installer
Bawolff created T160495: If you press "I'm bored, install wiki already" in installer, you default to wgMainCacheType = CACHE_NONE even if accelerator available.
Wed, Mar 15, 5:17 AM · MW-1.29-release (WMF-deploy-2017-03-21_(1.29.0-wmf.17)), MW-1.29-release-notes, Patch-For-Review, MediaWiki-Installer

Tue, Mar 14

Bawolff edited the description of T53642: Get rid of SemanticMediaWiki/SRF/SF from wikitech.wikimedia.org.
Tue, Mar 14, 9:17 PM · Labs, wikitech.wikimedia.org
Bawolff added a comment to T53642: Get rid of SemanticMediaWiki/SRF/SF from wikitech.wikimedia.org.

Ok, so current uses of SMW+friends on Wikitech are:

Tue, Mar 14, 7:54 PM · Labs, wikitech.wikimedia.org
Bawolff closed T110981: SemanticMediaWiki tries to create temporary tables, but can't as wikiuser is restricted as "Declined".

If this was me, I would close it as won't fix

Tue, Mar 14, 7:09 PM · DBA, Labs, wikitech.wikimedia.org

Mon, Mar 13

Bawolff added a comment to T160357: Allow those with CheckUser right to access AbuseLog private information on WMF projects.

To clarify, this is something that's wanted/would be useful to checkusers?

Mon, Mar 13, 11:03 PM · Wikimedia-Site-requests, Stewards-and-global-tools, Security-Team, AbuseFilter
Bawolff added a comment to T160381: Yahoo is blocking mail from wikimedia.

To clarify, paladox was asking for the full address of Wikimedia Foundation on irc, which made it sound like he was filling out some sort of form that is expected to be filled out by an official representative of the foundation. I don't know if that's actually the case, or what this is really about at all.

Mon, Mar 13, 9:57 PM · Operations, Mail
Bawolff added a comment to T75390: When using MS SQL Server, article links remain red after creation..

This sounds more like a job queue error than a MSSQL server support error. Could you verify that your job queue is working correctly?

Mon, Mar 13, 4:36 AM · MediaWiki-General-or-Unknown
Bawolff added a comment to T113831: Remove MSSQL support from MediaWiki core.

[This bug is pretty dead, so maybe irrelevant now] FWIW, I just attended EMWCon; there was a surprising number of corporate users who use MSSQL support and seem happy with it.

Mon, Mar 13, 3:52 AM · Technical-Debt, MediaWiki-Database

Sun, Mar 12

Bawolff added a project to T160300: UniversalLanguageSelector specifies wrong local() sources for font variants in @font-face rule (Italic text looks non-italic if fonts locally available): MediaWiki-extensions-UniversalLanguageSelector.
Sun, Mar 12, 8:46 PM · MediaWiki-extensions-UniversalLanguageSelector
Bawolff created T160300: UniversalLanguageSelector specifies wrong local() sources for font variants in @font-face rule (Italic text looks non-italic if fonts locally available).
Sun, Mar 12, 8:46 PM · MediaWiki-extensions-UniversalLanguageSelector
Bawolff added a comment to T159386: Make abusefilter on foundationwiki to prevent people accidentally violating our privacy policy.

Hmm. Looks like the testing CSP policy would block the mobile tracking beacon since wikimediafoundation.org is not a valid img-src when viewing from m.wikimediafoundation.org

Sun, Mar 12, 7:30 PM · Privacy, Patch-For-Review, Security
Bawolff added a comment to T108687: Security review for CodeMirror extension branch master.

@kaldari To clarify, what's the status of this bug? Perhaps it should be closed, and someone could file a new bug if/when people actual intend to use this extension.

Sun, Mar 12, 6:22 PM · Community-Tech, Security-Reviews, MediaWiki-extensions-CodeMirror
Bawolff closed T787: Security review of community extensions: Extension:AtomExporter, Extension:DownloadCounter, Extension:PasswordProtected as "Resolved".

@Southparkfan : Do you still want re-review on this?

Sun, Mar 12, 6:02 PM · Security-Team, Security-Reviews
Bawolff moved T155087: Security review for NamespaceRelations from Scheduled to Done on the Security-Reviews board.

Review of 00f527cadfbf (Mon Oct 24, 2016). Overall looks good from a security perspective. My only major concern is potential incompatibility with any other extension which adds a namespace tab. There are some minor coding convention things that need to be fixed. The code is a tad dense, and could perhaps benefit from splitting into finer grained functions and having more comments.

Sun, Mar 12, 5:04 PM · Security-Reviews
Bawolff removed a project from T159085: [Security] Improve data attribute naming to avoid forge: Security-Reviews.

[rm tag security-review. That should only be on the parent bug requesting the security review]

Sun, Mar 12, 5:00 PM · Patch-For-Review, Security-Team, MediaWiki-extensions-Newsletter

Tue, Mar 7

Bawolff added a comment to T158011: Security review for Timeless skin.

Just as a note, since these are all minor non-exploitable issues, they should not prevent putting the skin on betawiki (They should be fixed before deploying to a real wiki).

Tue, Mar 7, 4:26 AM · Timeless, Security-Reviews
Bawolff assigned T158011: Security review for Timeless skin to Isarra.

Review of 9613a9d4bc. Overall this looks good. I'm excited to see this be a skin on Wikimedia wikis. Some very minor issues with double escaping and not escaping "safe" values.

Tue, Mar 7, 2:46 AM · Timeless, Security-Reviews

Mon, Mar 6

Bawolff renamed T159697: Special:NewItem - Create a new item button isn't showing thumbnails on Wikidata from "[Bug] Special: Create a new item button isn't showing thumbnails on Wikidata" to "Special:NewItem - Create a new item button isn't showing thumbnails on Wikidata".
Mon, Mar 6, 1:44 PM · Wikidata
Bawolff added a project to T159697: Special:NewItem - Create a new item button isn't showing thumbnails on Wikidata: Wikidata.
Mon, Mar 6, 1:43 PM · Wikidata
Bawolff closed T153088: Security Review of On This Day Endpoint as "Resolved".

Security review passed. Everything looks good. (For reference, I looked at c9241268d38d)

Mon, Mar 6, 4:56 AM · Reading Epics (New Feed Content), Mobile-Content-Service (Kanban), Security-Reviews
Bawolff closed T153088: Security Review of On This Day Endpoint, a subtask of T143408: Create endpoint for "Anniversaries", as "Resolved".
Mon, Mar 6, 4:56 AM · Services (watching), Patch-For-Review, Reading Epics (New Feed Content), Mobile-Content-Service (Kanban), Wikipedia-iOS-App-Backlog
Bawolff moved T155725: Security review for StopForumSpam from Scheduled to Done on the Security-Reviews board.

Review of 094b110932df of StopForumSpam.

Mon, Mar 6, 4:51 AM · MediaWiki-extensions-StopForumSpam, Stewards-and-global-tools, Security-Reviews

Sun, Mar 5

Bawolff added a project to T159386: Make abusefilter on foundationwiki to prevent people accidentally violating our privacy policy: Privacy.
Sun, Mar 5, 10:19 PM · Privacy, Patch-For-Review, Security
Bawolff changed the visibility for T159386: Make abusefilter on foundationwiki to prevent people accidentally violating our privacy policy.
Sun, Mar 5, 10:10 PM · Privacy, Patch-For-Review, Security

Fri, Mar 3

Bawolff committed rECKT62b8b53172a8: Fix doxygen (Third time is the charm) (authored by Bawolff).
Fix doxygen (Third time is the charm)
Fri, Mar 3, 10:21 PM
Bawolff committed rECKTc57b40667aa5: Attempt to fix doxygen (authored by Bawolff).
Attempt to fix doxygen
Fri, Mar 3, 10:09 PM
Bawolff committed rECKT89c8d432034e: Add Doxyfile to generate php docs (authored by Bawolff).
Add Doxyfile to generate php docs
Fri, Mar 3, 9:39 PM
Bawolff committed rECKT60a85fc15dd2: Fix jsduck (authored by Bawolff).
Fix jsduck
Fri, Mar 3, 9:27 PM
Bawolff committed rECKT54d4380ee7ab: Fix jsduck (authored by Bawolff).
Fix jsduck
Fri, Mar 3, 9:22 PM

Thu, Mar 2

Bawolff added a comment to T158724: Increase size of categorylinks.cl_collation column.

I think there is too much fuss being made over this bug. As a temporary solution until some larger table refactoring takes place (which I assume we want to do all at once), both the increase-field-size solution is totally fine and the hash-if-field-size-doesn't-fit solution is totally fine. I don't think the drawbacks that either solution has really actually matter.

Thu, Mar 2, 4:48 PM · Community-Tech, DBA, Patch-For-Review, MediaWiki-Categories

Wed, Mar 1

Bawolff closed T159386: Make abusefilter on foundationwiki to prevent people accidentally violating our privacy policy as "Resolved".

ArielGlenn did this - https://wikimediafoundation.org/wiki/Special:AbuseFilter/1

Wed, Mar 1, 10:56 PM · Privacy, Patch-For-Review, Security
Bawolff closed T159075: Fix character escaping throughout the extension files , a subtask of T115095: Security review of Newsletter extension, as "Resolved".
Wed, Mar 1, 10:23 PM · Patch-For-Review, Security-Team, Wikimedia-Hackathon-2016, Security-Reviews, MediaWiki-extensions-Newsletter
Bawolff closed T159075: Fix character escaping throughout the extension files as "Resolved".

Looks good.

Wed, Mar 1, 10:23 PM · Patch-For-Review, MediaWiki-extensions-Newsletter
Bawolff created T159386: Make abusefilter on foundationwiki to prevent people accidentally violating our privacy policy.
Wed, Mar 1, 10:04 PM · Privacy, Patch-For-Review, Security
Bawolff committed rECKT86a5da7992e4: Fix matchesTag logic + add test. (authored by Bawolff).
Fix matchesTag logic + add test.
Wed, Mar 1, 7:57 PM
Bawolff committed rECKT5989641453b9: rm dead code $itemTags (authored by Bawolff).
rm dead code $itemTags
Wed, Mar 1, 7:17 PM
Bawolff committed rECKTcc45a74843fe: Fix setting column option in transclude hook. (authored by Bawolff).
Fix setting column option in transclude hook.
Wed, Mar 1, 7:14 PM
Bawolff added a comment to T156318: Do test queries for range contributions to gauge performance of using different tables.

Why 255 bytes for the ip address? If that represents a number, ipv4 and ipv6 have, respectively, 32 and 128 bits. If with hexadecimal you mean a string with the hexadecimal representation (and you need to be inefficient because of manipulation needs, which is ok but please explicitly say so), it should be enough with 13 (18 with useless separators) bytes for ipv4 and 33 (40 with separators) for ipv6 (more with scope identifier, etc., but the point really is much less than 255 bytes). If you want to store something else there, like ranges, or any other format, please clarify. It looks like you put varchar(255) arbitrarily, which is a really bad idea, especially for old versions of mysql, that we sadly have to support.

Wed, Mar 1, 6:40 PM · Community-Tech, DBA, MediaWiki-User-blocking

Tue, Feb 28

Bawolff added a comment to T159075: Fix character escaping throughout the extension files .

Sorry folks I think I made a mistake here. The h4 does indeed appear to already be properly escaped (since Html::element escapes things).

Tue, Feb 28, 10:48 PM · Patch-For-Review, MediaWiki-extensions-Newsletter
Bawolff edited the description of T159076: General CR and cleanup of CollaborationKit.
Tue, Feb 28, 10:42 PM · MediaWiki-extensions-CollaborationKit
Bawolff committed rECKTb2bf17e20ef8: Kill unused cur variable (authored by Bawolff).
Kill unused cur variable
Tue, Feb 28, 10:31 PM
Bawolff committed rECKT3a1fc1259667: Kill unused variable $context (authored by Bawolff).
Kill unused variable $context
Tue, Feb 28, 10:27 PM
Bawolff moved T153088: Security Review of On This Day Endpoint from Scheduled to In Progress on the Security-Reviews board.
Tue, Feb 28, 9:33 PM · Reading Epics (New Feed Content), Mobile-Content-Service (Kanban), Security-Reviews
Bawolff added a comment to T158724: Increase size of categorylinks.cl_collation column.

I'm not worried about collisions. I'm worried about bloating an already huge table with more data for no practical reason.

Tue, Feb 28, 8:45 PM · Community-Tech, DBA, Patch-For-Review, MediaWiki-Categories

Sun, Feb 26

Bawolff added a comment to T158986: Migrate SHA-1 hashes to SHA-256 (tracking).

I'm not an expert on crypto so it's possible I'm misinterpreting the paper, but I believe that https://www.iacr.org/archive/crypto2004/31520306/multicollisions.pdf suggests such constructions aren't really much more secure than just using sha256.

That paper talks about iterating hashes, e.g. "hashing twice", something that for me is quite logical [that doesn't work]. I am not suggesting that, I am suggesting maintaining the current hash and adding another, checking both, with AND logic, not chaining them.

I also mentioned that there are some downsides, like adding or being tempted to continue using code with the old hash, so I will let the right people decide :-).

Sun, Feb 26, 7:47 PM · Security-General, Technical-Debt, MediaWiki-General-or-Unknown
scfc awarded T29884: enotif doesn't send email if page on watchlist edited following a minor edit and enotif not configured to send minor edits. a Like token.
Sun, Feb 26, 6:28 PM · MediaWiki-Email

Sat, Feb 25

Bawolff added a comment to T158986: Migrate SHA-1 hashes to SHA-256 (tracking).

I'm not an expert on crypto so it's possible I'm misinterpreting the paper, but I believe that https://www.iacr.org/archive/crypto2004/31520306/multicollisions.pdf suggests such constructions aren't really much more secure than just using sha256.

Sat, Feb 25, 5:13 PM · Security-General, Technical-Debt, MediaWiki-General-or-Unknown

Fri, Feb 24

Bawolff added a comment to T158986: Migrate SHA-1 hashes to SHA-256 (tracking).

Thoughts on if it's worth it to ban the prefix of the shattered files on upload? The attack scenario seems very minor at this point, but it might help put users' minds at ease.

Fri, Feb 24, 11:10 PM · Security-General, Technical-Debt, MediaWiki-General-or-Unknown
Bawolff added a comment to T158724: Increase size of categorylinks.cl_collation column.

I guess there's always the question of what happens when someone makes an even longer collation name.

Fri, Feb 24, 1:30 AM · Community-Tech, DBA, Patch-For-Review, MediaWiki-Categories
Bawolff added a comment to T158871: Enable editmyoptions right for all users on loginwiki.

As more and more issues come up related to which wiki the notification is generated on (also things like the user would have to alter their pref on every wiki to be effective) I wonder if the design decision of where to generate the notice should be revisited. Maybe it should be jobqueued away to the user's home wiki.

Fri, Feb 24, 12:23 AM · Community-Tech, Patch-For-Review

Wed, Feb 22

Bawolff added a comment to T158724: Increase size of categorylinks.cl_collation column.

We could just hash only in the case that the key is too long.

Wed, Feb 22, 9:44 PM · Community-Tech, DBA, Patch-For-Review, MediaWiki-Categories
Bawolff added a comment to T156477: Resolve GapFinder security issues.

@Bawolff I have a question regarding the following code and comment from the security review:

https://github.com/wikimedia/research-recommendation-api/blob/bbb9e2d35612c9e1bbff70e2dbe719ebf6cdd11e/recommendation/web/static/gf-preview.tag#L111-L121

This doesn't put the html text inside quote marks (And also doesn't escape quotes). This will cause the page to be executed as javascript, which is not what is desired.

When setting the attribute using jQuery $(iframe).attr("srcdoc", data), the html text (data) is escaped. From what I can tell, setting the src attribute to the javascript URI is an established (https://www.github.com/jugglinmike/srcdoc-polyfill) method of adding support to browsers that don't support the srcdoc attribute, since it just returns the already-escaped value of the srcdoc attribute.

Are there other security implications that I'm not accounting for? Thanks!

The code as it currently exists for the fallback looks good.

Wed, Feb 22, 9:15 PM · Recommendation-API
Bawolff added a comment to T108360: Create "security pre-announce" group.

Are we still giving pre-release notice to third parties? I don't think we remembered to do that last release.

Wed, Feb 22, 9:09 PM · Project-Admins, Phabricator
Bawolff added a comment to T158661: Security review for FileExporter extension.

btw, https://www.mediawiki.org/wiki/Extension:FileExporter is a 404. Did you mean to link to somewhere else?

Wed, Feb 22, 9:05 PM · Patch-For-Review, Security-Reviews, User-Addshore, WMDE-QWERTY-Team-Board
Bawolff added a comment to T158803: Include Wikidata image transclusions in GlobalUsage.

So is the image just not being added to normal image links? Because global image links should be automatic on any image usage.

Wed, Feb 22, 8:59 PM · GLAM-Tech, Multimedia, GlobalUsage
Bawolff placed T157990: Replace or delete labs instance mediahandler-tests-static up for grabs.

I have no idea what that project is. I don't believe I had any involvement with that project at any point in time. With that in mind I'd like to unassign from self

Wed, Feb 22, 8:57 PM · MediaWiki-extensions-MolHandler, Labs
Bawolff added a comment to T158724: Increase size of categorylinks.cl_collation column.

Security does not matter here (no user input but configuration) and collisions are non-existing for such a small set of values.

Wed, Feb 22, 8:55 PM · Community-Tech, DBA, Patch-For-Review, MediaWiki-Categories

Feb 22 2017

Bawolff added a comment to T158724: Increase size of categorylinks.cl_collation column.

If there are issues with changing the field size, we could potentially just hash it if it doesn't fit.

Feb 22 2017, 2:20 AM · Community-Tech, DBA, Patch-For-Review, MediaWiki-Categories

Feb 21 2017

Bawolff added a comment to T156477: Resolve GapFinder security issues.

@Bawolff I have a question regarding the following code and comment from the security review:

https://github.com/wikimedia/research-recommendation-api/blob/bbb9e2d35612c9e1bbff70e2dbe719ebf6cdd11e/recommendation/web/static/gf-preview.tag#L111-L121

This doesn't put the html text inside quote marks (And also doesn't escape quotes). This will cause the page to be executed as javascript, which is not what is desired.

When setting the attribute using jQuery $(iframe).attr("srcdoc", data), the html text (data) is escaped. From what I can tell, setting the src attribute to the javascript URI is an established (https://www.github.com/jugglinmike/srcdoc-polyfill) method of adding support to browsers that don't support the srcdoc attribute, since it just returns the already-escaped value of the srcdoc attribute.

Are there other security implications that I'm not accounting for? Thanks!

Feb 21 2017, 3:41 PM · Recommendation-API

Feb 16 2017

Bawolff added a comment to T158315: Nemo_bis has admin (!= contentadmin) rights on wikitech.

@Aklapper: Because I set it to that priority. If you question or disagree with my action, please do so explicitly. Your choice of language is not helpful for a productive collaboration. (JFTR: 28 months.)

I don't doubt that Nemo_bis is well known and trusted, I do so myself; but there are a lot of well-known and trusted (by me) persons who are not admin on wikitech.wikimedia.org or do not have similar privileges in other venues because those rights aren't given out freely by WMF, and in this environment IMHO when someone appears to have/has rights that they should not have, this should be investigated and, when necessary, remedied immediately.

Feb 16 2017, 4:37 PM · User-bd808, Labs, wikitech.wikimedia.org, Security
Bawolff lowered the priority of T158315: Nemo_bis has admin (!= contentadmin) rights on wikitech from "Unbreak Now!" to "Normal".
Feb 16 2017, 3:51 PM · User-bd808, Labs, wikitech.wikimedia.org, Security
Bawolff updated subscribers of T158315: Nemo_bis has admin (!= contentadmin) rights on wikitech.

Nemo_bis is a well known trusted person. While the other rights may be more appropriate, this should be resolved through normal channels as we have no reason to believe nemo would abuse his access or otherwise is a security risk.

Feb 16 2017, 3:50 PM · User-bd808, Labs, wikitech.wikimedia.org, Security

Feb 15 2017

Bawolff added a comment to T158230: Automatically convert to wildcard searches when applicable.

I'll run some more tests... but from the little bit of querying I did before it seemed like wildcards were faster. E.g. https://en.wikipedia.org/w/api.php?action=query&list=usercontribs&uclimit=50&ucdir=older&ucuserprefix=2607:FB90

Feb 15 2017, 8:10 PM · IPv6, Community-Tech
Bawolff added a comment to T158230: Automatically convert to wildcard searches when applicable.

Actually, thinking about this further, it's not clear that this would be faster than the dedicated table + query. They may have similar performance.

Feb 15 2017, 7:58 PM · IPv6, Community-Tech
Bawolff changed the visibility for T158216: tool labs should filter out the Service-Worker-Allowed: header to prevent tools from setting it..
Feb 15 2017, 7:40 PM · Tool-Labs, Labs, Security
Bawolff closed T158216: tool labs should filter out the Service-Worker-Allowed: header to prevent tools from setting it. as "Resolved".
Feb 15 2017, 7:40 PM · Tool-Labs, Labs, Security
Bawolff added a comment to T158216: tool labs should filter out the Service-Worker-Allowed: header to prevent tools from setting it..

For reference, yuvipanda just submitted: https://gerrit.wikimedia.org/r/#/c/337898

Feb 15 2017, 7:31 PM · Tool-Labs, Labs, Security
Bawolff added a comment to T158212: Transcode fails with Exitcode 139 - SIGSEGV.

For reference, 139-128 = 11 which means segmentation fault.

Feb 15 2017, 7:26 PM · TimedMediaHandler-Transcode
Bawolff added a comment to T158216: tool labs should filter out the Service-Worker-Allowed: header to prevent tools from setting it..

Some background at: https://stackoverflow.com/questions/35780397/understanding-service-worker-scope

Feb 15 2017, 7:13 PM · Tool-Labs, Labs, Security
Bawolff added a comment to T156318: Do test queries for range contributions to gauge performance of using different tables.

Actually, for the above example, the most efficient thing to do (for ipv6 when the cidr range is a multiple of 16) would be just rev_user_text like "2602:306:%", ditto for any ipv4 multiple of 8.

We plan to support wildcard searches as well, which indeed go lightning fast when querying revision by itself. I don't think I'll use our new table at all if the user requests a wildcard search.

Feb 15 2017, 6:53 PM · Community-Tech, DBA, MediaWiki-User-blocking
Bawolff added a comment to T156318: Do test queries for range contributions to gauge performance of using different tables.

I'm guessing this used the cuc_ip_hex_time timestamp, on cuc_ip_hex and cuc_timestamp. Here's the EXPLAIN:

Feb 15 2017, 6:51 PM · Community-Tech, DBA, MediaWiki-User-blocking
Bawolff added a project to T158216: tool labs should filter out the Service-Worker-Allowed: header to prevent tools from setting it.: Tool-Labs.
Feb 15 2017, 6:00 PM · Tool-Labs, Labs, Security
Bawolff created T158216: tool labs should filter out the Service-Worker-Allowed: header to prevent tools from setting it..
Feb 15 2017, 5:59 PM · Tool-Labs, Labs, Security

Feb 14 2017

Bawolff awarded T158119: Add Security.md to MediaWiki Core? a Like token.
Feb 14 2017, 9:39 PM · MediaWiki-Documentation, Documentation, Security-Team, Security

Feb 12 2017

Bawolff closed T153087: Security Review of Trending Edits Endpoint as "Resolved".

This looks good. Review passed.

Feb 12 2017, 1:09 PM · Reading Epics (Trending Edits), Reading-Web-Trending-Service, Security-Reviews

Feb 11 2017

Bawolff added a comment to T156318: Do test queries for range contributions to gauge performance of using different tables.

So maybe, just maybe, we could get away with replicating rev_timestamp in our table, too?

Feb 11 2017, 9:10 AM · Community-Tech, DBA, MediaWiki-User-blocking
Bawolff added a comment to T156318: Do test queries for range contributions to gauge performance of using different tables.

I'd actually be surprised if the index on cuc_timestamp came into play. That should only happen if the time range was small enough that filtering by timestamp was more efficient than filtering by ip address (mysql can only use indexes for one range in a query except in certain obscure circumstances that don't apply here). In any case you can check which index was used by running EXPLAIN.

Feb 11 2017, 7:57 AM · Community-Tech, DBA, MediaWiki-User-blocking

Feb 9 2017

Bawolff added a comment to T157105: Enable Echo on loginwiki.

I have no objections for what it's worth, although I'm not sure what the details are behind it not being enabled in the first place.

Feb 9 2017, 7:44 PM · Community-Tech, Collaboration-Team-Triage (Collab-Team-Q3-Jan-Mar-2017), Patch-For-Review, Notifications, MediaWiki-extensions-LoginNotify
Bawolff added a comment to T157699: Compare using recentchanges table against fully using the cu_changes table for range contribution queries.

The problem is ultimately about doing a range query in 2 dimensions (time and ip space). If you truly need it to scale well with widely varying ranges in both dimensions, consider looking into full text indexes (e.g. elastic search), maybe, or perhaps whatever we do for gps coordinates. But that makes actually making the feature much more complicated.

Feb 9 2017, 6:22 PM · Community-Tech, IPv6
Bawolff renamed T157671: Account recovery for Aaa839 from "Account recovery" to "Account recovery for Aaa839".
Feb 9 2017, 2:11 PM · Wikimedia-General-or-Unknown, Security
Bawolff updated subscribers of T157671: Account recovery for Aaa839.
Feb 9 2017, 2:10 PM · Wikimedia-General-or-Unknown, Security
Bawolff added a comment to T156318: Do test queries for range contributions to gauge performance of using different tables.

Actually, for the above example, the most efficient thing to do (for ipv6 when the cidr range is a multiple of 16) would be just rev_user_text like "2602:306:%", ditto for any ipv4 multiple of 8.

Feb 9 2017, 3:20 AM · Community-Tech, DBA, MediaWiki-User-blocking
Bawolff added a comment to T156318: Do test queries for range contributions to gauge performance of using different tables.

For the query you have above:

SELECT rev_id, rev_page, rev_text_id, rev_timestamp, rev_comment, rev_user_text,
       rev_minor_edit, rev_deleted, rev_len, rev_parent_id, rev_sha1,
       rev_content_format, rev_content_model,
       page_namespace, page_title, page_is_new, page_latest, page_is_redirect, page_len,
       (SELECT GROUP_CONCAT(ct_tag SEPARATOR ',') FROM `change_tag` WHERE ct_rev_id = rev_id) AS `ts_tags`
FROM cu_changes
LEFT JOIN `revision` ON (cuc_this_oldid = rev_id)
INNER JOIN `page` ON (page_id = rev_page)
WHERE (cuc_ip_hex BETWEEN 'v6-26020306000000000000000000000000' AND 'v6-26020306FFFFFFFFFFFFFFFFFFFFFFFF')
  AND (rev_timestamp > '20161101212048')
ORDER BY rev_timestamp DESC
LIMIT 51;

Feb 9 2017, 2:49 AM · Community-Tech, DBA, MediaWiki-User-blocking