Bawolff (Brian Wolff)
SecurityAdministrator

User Details

User Since
Oct 25 2014, 1:53 AM (246 w, 3 d)
Roles
Administrator
Availability
Available
IRC Nick
Bawolff
LDAP User
Brian Wolff
MediaWiki User
Bawolff [ Global Accounts ]

I work on the MediaWiki Security Team.

Recent Activity

Today

Bawolff added a comment to T228081: $wgSpamRegex - wrong default value?.

Looking at the code, what you're describing can't really happen. Are you sure you didn't just set $wgSpamRegex to something else in LocalSettings.php, and the problem went away when you added $wgSpamRegex = false; at the end of LocalSettings.php because it overrode the previous code in LocalSettings.php?

Tue, Jul 16, 4:10 AM · MW-1.31-release
Bawolff added a comment to T228081: $wgSpamRegex - wrong default value?.

Note, the default has been an array since 2008 - 06e3d0e3777

Tue, Jul 16, 4:04 AM · MW-1.31-release
Bawolff added a comment to T227733: Draft: Masking IP addresses for increased privacy.

Where SESSION_ID is the user's session id. This would create a new mask every time the user's session was generated (i.e. each new device and browser, etc.). This would, of course, break the social contract of what the mask represents, but would be technically trivial to implement as the masks would function identically to the IP masks.

Tue, Jul 16, 1:03 AM · Privacy, MediaWiki-User-management, Anti-Harassment
Bawolff added a comment to T227733: Draft: Masking IP addresses for increased privacy.

From a Wikipedia anti-vandal perspective, I suspect the hardest sell would be not being able to see patterns related to ranges/ip-distance, at a glance.

Tue, Jul 16, 12:55 AM · Privacy, MediaWiki-User-management, Anti-Harassment

Sat, Jul 6

Bawolff added a project to T223840: Can/should *.wmflabs.org be added to the default-src Content Security Policy?: Privacy.
Sat, Jul 6, 6:20 PM · Cloud-Services, Privacy, Security, Wikimedia-Site-requests

Tue, Jul 2

Bawolff added a comment to T216682: Switch WMF production to Argon2 password hashes.

Unfortunately, Argon2 will most likely be broken in a backwards-incompatible way in PHP 7.4: https://wiki.php.net/rfc/sodium.argon.hash
Can't trust it right now.

Tue, Jul 2, 9:41 AM · Security-Team, MediaWiki-User-login-and-signup

Tue, Jun 25

Bawolff placed T201492: Security review for FormWizard extension up for grabs.
Tue, Jun 25, 2:18 PM · Security-Team-Reviews, FormWizard
Bawolff added a comment to T201492: Security review for FormWizard extension.

So yeah, I guess this counts as passes security review as none of those issues were security related. May need additional security review if the extension changes significantly. Should still get approval from Rel engineering before deploy.

Tue, Jun 25, 2:15 PM · Security-Team-Reviews, FormWizard

Fri, Jun 21

Bawolff added a comment to T226282: Don't require changecontentmodel right to create CollaborationHub and CollaborationList content models.

Main reason it's restricted is it used to be autoconfirm but enwiki got mad (if I recall)

Fri, Jun 21, 10:29 PM · MediaWiki-ContentHandler, MediaWiki-extensions-CollaborationKit

Jun 12 2019

Bawolff renamed T225643: Schema change to oathauth_users from Schema change to oath to Schema change to oathauth_users.
Jun 12 2019, 4:34 PM · MediaWiki-Database, DBA, MediaWiki-extensions-OATHAuth
Bawolff created T225643: Schema change to oathauth_users.
Jun 12 2019, 4:34 PM · MediaWiki-Database, DBA, MediaWiki-extensions-OATHAuth
Reedy empowered Bawolff as an administrator.
Jun 12 2019, 3:30 PM

May 22 2019

Volans defrocked Bawolff.
May 22 2019, 10:29 AM

May 17 2019

Bawolff added a comment to T101631: rev_len should be available also for deleted revisions in database replicas.

If I can get a thumbs up from @Bawolff, perhaps?
The current logic expressly filters rev_len on deleted revisions: if(rev_deleted&1,null,rev_len) as rev_len. I don't know if that's just for consistency or if someone thinks that really should be kept out of the replicas. As stated above, it does seem to be available online, though I'm not sure if that's all versions of the deleted field, since that's an integer, I think.

May 17 2019, 1:39 PM · cloud-services-team (Kanban), Data-Services, Cloud-VPS

May 14 2019

Bawolff claimed T223307: Security review libraries used by WebAuthn extension.
May 14 2019, 5:12 PM · Security-Team-Reviews, MediaWiki-extensions-OATHAuth
Bawolff created T223307: Security review libraries used by WebAuthn extension.
May 14 2019, 5:12 PM · Security-Team-Reviews, MediaWiki-extensions-OATHAuth

May 10 2019

Bawolff placed T201492: Security review for FormWizard extension up for grabs.
May 10 2019, 10:46 PM · Security-Team-Reviews, FormWizard
Bawolff added a comment to T201492: Security review for FormWizard extension.

So I guess this isn't quite ready for a security review given previous comment, but some thoughts

May 10 2019, 10:46 PM · Security-Team-Reviews, FormWizard
Bawolff changed the visibility for T142314: Null byte in old versions of Replace Text may cause arbitrary execution.
May 10 2019, 10:03 PM · MediaWiki-extensions-ReplaceText, Security
Bawolff closed T142314: Null byte in old versions of Replace Text may cause arbitrary execution as Declined.

This is old enough now to no longer be relevant.

May 10 2019, 10:02 PM · MediaWiki-extensions-ReplaceText, Security
Bawolff added a comment to T222849: OATHAuth disable 2fa doesn't properly check getLoginSecurityLevel().

Ah, that's confusing. Thanks.

May 10 2019, 4:56 AM · MediaWiki-extensions-OATHAuth
Bawolff added a comment to T221887: Ignore css in displaytitle when $wgRestrictDisplayTitle is enabled.

The threat model here is kind of debatable. It's unclear what security goals we are trying to accomplish with the displaytitle restrictions, and thus I'm unsure (unsure in the sense of actually do not know, not unsure in the sense of disagreeing) if further restrictions on it are justified.

May 10 2019, 4:51 AM · Security-Team, User-notice, Patch-For-Review, MediaWiki-Parser

May 9 2019

Bawolff awarded T127640: Re-evaluate our use of Phabricator Conpherence chat a Doubloon token.
May 9 2019, 9:57 PM · Developer-Advocacy (Jul-Sep 2019), Phabricator

May 8 2019

Bawolff created T222849: OATHAuth disable 2fa doesn't properly check getLoginSecurityLevel().
May 8 2019, 10:42 PM · MediaWiki-extensions-OATHAuth
Bawolff added a comment to T182536: Fix security issues found in Graphs extension during review of vega 2.

wikititle:/// is supposed to prevent query parameters from being used, however it could probably be bypassed if they are percent encoded due to T96274 (e.g. https://en.wikipedia.org/wiki/Main_Page%3faction=history%26curid=2120 is interpreted by our servers incorrectly)

May 8 2019, 5:45 PM · Patch-For-Review, Security, Graphs
Bawolff changed the visibility for T182536: Fix security issues found in Graphs extension during review of vega 2.
May 8 2019, 5:37 PM · Patch-For-Review, Security, Graphs
Bawolff created T222807: Sandbox Graph extension into an iframe.
May 8 2019, 4:26 PM · Graphs
Bawolff created T222806: Security Review for Vega 5 and Vega-Lite JavaScript Libraries.
May 8 2019, 4:24 PM · Security-Team-Reviews, Upstream, JavaScript, Maps, Graphs
Bawolff changed the visibility for T172938: Security review new version of the Vega lib.
May 8 2019, 3:45 PM · Security, Security-Team-Reviews, Graphs, Graphoid

May 7 2019

Bawolff created T222681: WikidataPageBanner uses a blacklist of skin names to decide 'prebodyhtml' support instead of sane feature detection.
May 7 2019, 4:52 AM · patch-welcome, Readers-Web-Backlog (Tracking), User-Jdlrobson, Technical-Debt, Wikidata-Page-Banner, Timeless, Wikidata
Bawolff added a comment to T207246: Do a security audit of *.planet.wikimedia.org.

Re: privacy, the sites reference the standard Wikimedia PP. And while most resources seem to come from internal Wikimedia sites, some definitely do not (e.g. images within the Shocking tales from ornithology post on en.planet.wikimedia.org and a few others.)

May 7 2019, 4:13 AM · Security-Team-Reviews

May 6 2019

Bawolff added a comment to T207246: Do a security audit of *.planet.wikimedia.org.

I think the main things we want to check:

May 6 2019, 6:46 AM · Security-Team-Reviews

May 2 2019

Bawolff added a comment to T222324: Unable to perform revision deletion on Commons.

Yup, triggered on GET to https://commons.wikimedia.org/w/index.php?title=User%3AJdforrester_%28WMF%29%2Fsandbox&action=revisiondelete&type=revision&ids%5B348296966%5D=1:
[ XMpRwApAMFQAAE8PXE0AAAAQ ] 2019-05-02 02:12:33: Fatal exception of type "WMFTimeoutException"
This is on a trivial page (two revisions, one editor); possibly this is caused by actor changes?

May 2 2019, 2:34 AM · MW-1.34-notes (1.34.0-wmf.4; 2019-05-07), Performance, MediaWiki-Revision-deletion, Security
Bawolff added a comment to T222324: Unable to perform revision deletion on Commons.

Note security did some minor adjustments to the revdel process on Tuesday but nothing that should cause this.

May 2 2019, 2:11 AM · MW-1.34-notes (1.34.0-wmf.4; 2019-05-07), Performance, MediaWiki-Revision-deletion, Security

Apr 30 2019

Bawolff added a comment to T222038: Exposed suppressed log in RevisionDelete page.

Apr 30 2019, 7:10 PM · MW-1.31-release-notes, MW-1.32-notes, MW-1.33-notes, MW-1.34-notes (1.34.0-wmf.10; 2019-06-18), MW-1.30-release-notes, MW-1.27-release-notes, User-Rxy, Patch-For-Review, MediaWiki-Logging, MediaWiki-Revision-deletion, Security
Bawolff added a comment to T222036: Exposed suppressed username or log in Special:EditTags.


This is security fix patch for Case 1

Apr 30 2019, 7:01 PM · MW-1.31-release-notes, MW-1.32-notes, MW-1.33-notes, MW-1.34-notes (1.34.0-wmf.10; 2019-06-18), MW-1.30-release-notes, MW-1.27-release-notes, User-Rxy, Patch-For-Review, MediaWiki-Logging, MediaWiki-Revision-deletion, MediaWiki-General-or-Unknown, Security
Bawolff updated the task description for T222036: Exposed suppressed username or log in Special:EditTags.
Apr 30 2019, 5:38 PM · MW-1.31-release-notes, MW-1.32-notes, MW-1.33-notes, MW-1.34-notes (1.34.0-wmf.10; 2019-06-18), MW-1.30-release-notes, MW-1.27-release-notes, User-Rxy, Patch-For-Review, MediaWiki-Logging, MediaWiki-Revision-deletion, MediaWiki-General-or-Unknown, Security
Bawolff added a comment to T222036: Exposed suppressed username or log in Special:EditTags.

Just FYI I tested this on history pages, and the bug is not present on history pages.

Apr 30 2019, 4:17 PM · MW-1.31-release-notes, MW-1.32-notes, MW-1.33-notes, MW-1.34-notes (1.34.0-wmf.10; 2019-06-18), MW-1.30-release-notes, MW-1.27-release-notes, User-Rxy, Patch-For-Review, MediaWiki-Logging, MediaWiki-Revision-deletion, MediaWiki-General-or-Unknown, Security

Apr 29 2019

Bawolff added a comment to T220440: GSoC 2019 Proposal: Integrate SVG Translate with Content Translation.

My understanding is that the content translation tool is optimized for the use case where the two translations are independent (e.g. between wikis), where E:Translate is optimized for the use case of translating documents where one of the languages is controlling (e.g. like software translation). Admittedly I don't follow translation stuff very closely, so I may just be mistaken, but assuming that assumption is correct, may I ask what the rationale is for integrating into ContentTranslation over E:Translate?

Apr 29 2019, 8:42 AM · Google-Summer-of-Code (2019)

Apr 26 2019

Bawolff added a comment to T221998: Create comprehensive global account action log for all CentralAuth wikis.

For what you are literally asking for: https://tools.wmflabs.org/guc/

Apr 26 2019, 10:32 PM · MediaWiki-extensions-CentralAuth

Apr 23 2019

Bawolff closed T172938: Security review new version of the Vega lib as Resolved.

So I think we've done everything on our end. See my comment above for my comments on the library - please address those things before using vega 3. Let me know if you have any questions.

Apr 23 2019, 5:11 PM · Security, Security-Team-Reviews, Graphs, Graphoid
Bawolff closed T172938: Security review new version of the Vega lib, a subtask of T165118: Support Vega 3.0+ and Vega Lite 2.0+, as Resolved.
Apr 23 2019, 5:11 PM · Outreach-Programs-Projects, Graphs
Bawolff created T221576: Password length requirement error shown twice.
Apr 23 2019, 7:35 AM · MediaWiki-User-login-and-signup, Security-Team, Anti-Harassment

Apr 22 2019

Bawolff added a comment to T219728: Support for new Japanese era name "Reiwa".

The patch should be deployed to Japanese language sites until May 1 JST.

Apr 22 2019, 3:24 AM · MW-1.34-notes (1.34.0-wmf.1; 2019-04-16), MW-1.27-release-notes, MW-1.32-notes, MW-1.31-release-notes, MW-1.33-notes, MW-1.33-release, Patch-For-Review, MediaWiki-Internationalization, User-Rxy, I18n

Apr 20 2019

Bawolff changed the visibility for T221499: Disable TLS 1.0 and 1.1 in apache for gerrit.wikimedia.org.
Apr 20 2019, 4:15 PM · Patch-For-Review, Gerrit, Security
Bawolff added a comment to T221499: Disable TLS 1.0 and 1.1 in apache for gerrit.wikimedia.org.

https://www.ssllabs.com/ssltest/analyze.html?d=gerrit.wikimedia.org&s=2620%3a0%3a861%3a3%3a208%3a80%3a154%3a85&latest suggests ssl3 is already disabled

Apr 20 2019, 4:15 PM · Patch-For-Review, Gerrit, Security

Apr 18 2019

Bawolff added a comment to T221347: PHP7 opcache sometimes corrupts when cleared (was: Fatal ConfigException, undefined InitialiseSettings variable).

Hmm, L and K having a Hamming distance of 3 - Could this possibly be a memory error that wasn't detectable by ECC as a 3 bit error?

Apr 18 2019, 6:06 PM · PHP 7.2 support, Operations, Wikimedia-production-error

Apr 16 2019

Bawolff added a comment to T220657: Establish Architecture Principles as a policy.

There is no formal definition, but in practice, it means anything that is maintained by WMF staff

Apr 16 2019, 12:22 AM · TechCom-RFC (TechCom-Approved), TechCom

Apr 9 2019

Bawolff added a comment to T172938: Security review new version of the Vega lib.

@Bawolff are there any CSP issues with srcdoc? In my example, the parent can have different CSP rules than the iframe. This way you can enable unsafe-eval in the frame, without allowing it in the parent.

Apr 9 2019, 5:27 PM · Security, Security-Team-Reviews, Graphs, Graphoid

Apr 8 2019

Bawolff added a comment to T107069: Convert HistoryAction.php to use OOUI and MW's new DateInputWidget.

Screenshot. Note that not a single row of the history page shows up. (Note: My font size may be mildly above normal. Some of us like big letters to help our eyes. Notwithstanding that, I would consider this an unreasonable amount of screen real-estate being taken up).

Apr 8 2019, 10:11 PM · MW-1.34-notes (1.34.0-wmf.1; 2019-04-16), MW-1.33-notes (1.33.0-wmf.24; 2019-04-02), UI-Standardization-Kanban, User-Jdlrobson, Advanced Mobile Contributions, MediaWiki-History-and-Diffs, UI-Standardization
Bawolff added a comment to T107069: Convert HistoryAction.php to use OOUI and MW's new DateInputWidget.

Just FYI, I would describe half as an underexaggeration. Screenshot incoming

Apr 8 2019, 10:07 PM · MW-1.34-notes (1.34.0-wmf.1; 2019-04-16), MW-1.33-notes (1.33.0-wmf.24; 2019-04-02), UI-Standardization-Kanban, User-Jdlrobson, Advanced Mobile Contributions, MediaWiki-History-and-Diffs, UI-Standardization
Bawolff created T220321: restart installation warning has a newline after warning icon that looks a little weird.
Apr 8 2019, 2:49 AM · MediaWiki-Installer

Apr 7 2019

Bawolff created T220312: categories are broken on sqlite as a result of calling beginMasterChanges() prior to the job insert being comitted.
Apr 7 2019, 10:54 PM · SQLite, MediaWiki-Database
Bawolff added a comment to T219429: Special:log displays viewer IP address instead of log_user_text when log_user is non-zero and associated account does not exist.

Note, @RhinosF1 is also complaining about this issue in #mediawiki irc about the site https://thelostjewel.com/index.php?title=Special:Log&dir=prev&type=newusers&user=&page=&wpdate=&tagfilter=

Apr 7 2019, 7:30 PM · MediaWiki-Logging, Privacy

Apr 5 2019

Bawolff changed the visibility for T151687: Insecure CORS access control of JS in Wikipedia.org.
Apr 5 2019, 4:03 PM · Discovery, Wikimedia-Portals, Security

Apr 4 2019

Bawolff added a comment to T220023: Ajax request to external URL from wikimedia website.

@Bawolff I will explain how the hijri date is calculated.
In the hijri calendar, there are 12 months. Each month has between 29 and 30 days. And we can't know whether the number of days is 29 or 30 except by looking at the moon's movement. So in Middle Eastern countries they look at the moon on the 28th night to see what the status of the moon is. If it's a new moon, then this means that a new month will start.
For example, today is 28 Regeb 1440 (hijri date), and tonight each Middle Eastern country will look at the moon (most countries follow Saudi Arabia's decision), and determine if tomorrow will be the start of a new month or not. If it's the start of a new month then this means that the current hijri month will have 29 days, else it will have 30 days.
The difference between 29 and 30 causes all the mistakes and the differences. All the tools on the internet depend on mathematical calculations to determine the length of each month (to my knowledge), except the two websites I've listed before. The advantage of these websites is that they are updated each day, very trusted, and operated by special institutions that focus on hijri date calendars, prayer times...etc.
The problem with MW is in the Language.php file, specifically the tsToHijri function. This is where the hijri date is calculated.

Apr 4 2019, 5:08 PM · Privacy
Bawolff added a comment to T220064: Update RandomInCategory to meet current standards.

Honestly, probably better to use the extension if it still works, uncyclomedia probably doesn't have big enough categories to matter.

Apr 4 2019, 4:39 AM · Uncyclomedia, MediaWiki-extensions-Other
Bawolff added a comment to T220023: Ajax request to external URL from wikimedia website.

@Reedy Unfortunately the website seems to depend on PHP code. There is no evidence that it depends on JavaScript code to calculate the date. I've done a lot of research about this problem, and the only way in my opinion to solve this problem is by depending on a 3rd party website.

Apr 4 2019, 4:34 AM · Privacy

Apr 3 2019

Bawolff added a project to T220023: Ajax request to external URL from wikimedia website: Privacy.
Apr 3 2019, 9:30 PM · Privacy
Bawolff added a comment to T220023: Ajax request to external URL from wikimedia website.

The error is only a warning so it doesn't actually block things yet. But will soon. It is a violation of the privacy policy unless the user has specifically opted in.

Apr 3 2019, 9:30 PM · Privacy

Apr 2 2019

Bawolff closed T219827: Proposal: Make centralauth db replicate to all the analytics dbstores as Declined.

That's not possible cause it would require setting up multi-source replication on all the instances that are not s7 (where centralauth database lives).
We are not supporting multi-source anymore on new deployments for a number of reasons. It is only living on labsdb hosts and we have already communicated to WMCS that long term that doesn't scale and we need to find a way to workaround it.
Sorry :-(

Apr 2 2019, 7:07 AM · Analytics

Apr 1 2019

Bawolff created T219832: checkComposerLockUpToDate.php doesn't handle non-exact version constraints properly.
Apr 1 2019, 7:54 PM · MediaWiki-Installer, MediaWiki-Maintenance-scripts
Bawolff added a comment to T219689: Undeprecate User::setPassword().

Going to un-deprecate, though we are in favor of eventually deprecating the User Object. That is a while off.

Apr 1 2019, 7:25 PM · MW-1.34-notes (1.34.0-wmf.8; 2019-06-04), Core Platform Team, MediaWiki-Authentication-and-authorization
Bawolff added a comment to T219827: Proposal: Make centralauth db replicate to all the analytics dbstores.

(e.g. Checking what percentage of enwiki admins have 2FA enabled).

Apr 1 2019, 6:58 PM · Analytics
Bawolff created T219827: Proposal: Make centralauth db replicate to all the analytics dbstores.
Apr 1 2019, 6:54 PM · Analytics
Bawolff added a comment to T219745: Checking contributions on mobile and shows error when usernames containing Japanese chracters.

For reference, the english translation of the error seems to be:

Bad username given
Cannot look for contributions without a user or with a user that does not exist.
Apr 1 2019, 5:54 AM · MobileFrontend
Bawolff added a comment to T219728: Support for new Japanese era name "Reiwa".

If I understand correctly this will require CLDR 35.1, ICU 64.2 and Unicode 12.1 planned for 2019-05-07.

Apr 1 2019, 5:38 AM · MW-1.34-notes (1.34.0-wmf.1; 2019-04-16), MW-1.27-release-notes, MW-1.32-notes, MW-1.31-release-notes, MW-1.33-notes, MW-1.33-release, Patch-For-Review, MediaWiki-Internationalization, User-Rxy, I18n
Bawolff added a comment to T219541: performance optimize timeless.

So reading a bit about client side performance [This is not my area of expertise] - the best thing (all other things being equal) to do is transfer fewer bytes. But that's easier said than done.

Apr 1 2019, 5:11 AM · Timeless

Mar 31 2019

Bawolff added a project to T219738: PHP Warning: Array key should be either a string or an integer: EventBus.
Mar 31 2019, 8:53 PM · Core Platform Team (Security, stability, performance and scalability (TEC1)), Core Platform Team Workboards (Done with CPT), MW-1.33-notes (1.33.0-wmf.25; 2019-04-09), Beta-Cluster-reproducible, Analytics, EventBus, Wikimedia-production-error
Bawolff added a comment to T219738: PHP Warning: Array key should be either a string or an integer.

"EventFactory.php" line 144 also seems kind of wrong. It's passing the wiki name to self::getDomain, but the docs for self::getDomain indicate that that parameter is a boolean for whether or not the wiki display name is used, not a value to pass the wikiid

Mar 31 2019, 8:53 PM · Core Platform Team (Security, stability, performance and scalability (TEC1)), Core Platform Team Workboards (Done with CPT), MW-1.33-notes (1.33.0-wmf.25; 2019-04-09), Beta-Cluster-reproducible, Analytics, EventBus, Wikimedia-production-error
Bawolff updated subscribers of T219738: PHP Warning: Array key should be either a string or an integer.
Mar 31 2019, 8:50 PM · Core Platform Team (Security, stability, performance and scalability (TEC1)), Core Platform Team Workboards (Done with CPT), MW-1.33-notes (1.33.0-wmf.25; 2019-04-09), Beta-Cluster-reproducible, Analytics, EventBus, Wikimedia-production-error
Bawolff added a comment to T219738: PHP Warning: Array key should be either a string or an integer.

I think there might be more than one thing going wrong here, but primarily:

Mar 31 2019, 8:49 PM · Core Platform Team (Security, stability, performance and scalability (TEC1)), Core Platform Team Workboards (Done with CPT), MW-1.33-notes (1.33.0-wmf.25; 2019-04-09), Beta-Cluster-reproducible, Analytics, EventBus, Wikimedia-production-error
Bawolff updated the task description for T219736: ttmserver/ElasticSearchTTMServer.php: Call to a member function getAggregations() on null.
Mar 31 2019, 6:10 PM · Language-Team (Language-2019-April-June), MW-1.34-notes (1.34.0-wmf.3; 2019-04-30), User-abi_, Wikimedia-production-error, MediaWiki-extensions-Translate
Bawolff created T219725: Setup Fresnel to work with timeless.
Mar 31 2019, 6:21 AM · MW-1.33-notes (1.33.0-wmf.25; 2019-04-09), Timeless
Bawolff added a comment to T219541: performance optimize timeless.

So I think we should do some research into how much different CSS footprints affect performance before actually doing anything, but some initial thoughts on CSS in timeless:

Mar 31 2019, 6:13 AM · Timeless
Bawolff added a comment to T217883: Use the "Timeless" skin by default on frwiktionary.

Thank you for your detailed response.

Mar 31 2019, 1:55 AM · Wikimedia-Site-requests

Mar 30 2019

Bawolff updated the task description for T219541: performance optimize timeless.
Mar 30 2019, 9:15 PM · Timeless

Mar 28 2019

Bawolff updated the task description for T219541: performance optimize timeless.
Mar 28 2019, 11:38 PM · Timeless
Bawolff updated the task description for T219541: performance optimize timeless.
Mar 28 2019, 11:23 PM · Timeless
Bawolff created P8306 Percent recent changes using timeless.
Mar 28 2019, 6:56 PM
Bawolff created T219541: performance optimize timeless.
Mar 28 2019, 5:53 PM · Timeless

Mar 27 2019

Bawolff updated subscribers of T219429: Special:log displays viewer IP address instead of log_user_text when log_user is non-zero and associated account does not exist.

I'm cc'ing @Anomie as I'm not 100% sure, but this sounds very much like a regression from the actor migration.

Mar 27 2019, 6:09 PM · MediaWiki-Logging, Privacy
Bawolff added a comment to T219289: Security Review For viewing Special:Homepage as rendered for other users.

FWIW, given how much press https://arstechnica.com/information-technology/2018/09/50-million-facebook-accounts-breached-by-an-access-token-harvesting-attack/ has been getting, view-as-other-people features make me nervous.

Mar 27 2019, 6:00 PM · Security-Team-Reviews, Growth-Team (Current Sprint)

Mar 26 2019

Bawolff closed T218588: Security Issue Access Request for DLynch as Declined.

We're a little worried about the ever expanding size of the security group in phabricator. There are very few visual editor related tasks in Security (You should be able to see them all now). For the moment we would like to just add you to the relevant tasks but not to the security group in general (Please ask if there is ever one you need to see that you can't). Please note this is not about you, we just needed to draw the line somewhere lest the security group becomes a total slippery slope.

Mar 26 2019, 3:14 PM · Security-Team, Security
Bawolff changed the visibility for T199178: TemplateData doesn't sanitize descriptions etc..
Mar 26 2019, 3:02 PM · User-Ryasmeen, VisualEditor, TemplateData, Security
Bawolff closed T199178: TemplateData doesn't sanitize descriptions etc. as Resolved.

I don't think there's anything to do here.

Mar 26 2019, 3:02 PM · User-Ryasmeen, VisualEditor, TemplateData, Security

Mar 25 2019

Bawolff added a comment to T218210: SO878 Step 1: Refactor OATHAuth extension.

In regards to API modules, you may want to consider making it similar to the authmanager login module, as during the normal login process people will be prompted for the 2FA stuff, so it will have to work with that flow anyways.

Mar 25 2019, 4:46 PM · Core Platform Team Workboards (Contractor Workboard), MW-1.34-notes (1.34.0-wmf.13; 2019-07-09), Patch-For-Review, Core Platform Team (Security, stability, performance and scalability (TEC1)), MediaWiki-extensions-OATHAuth
Bawolff added a comment to T218210: SO878 Step 1: Refactor OATHAuth extension.

The user should be able to choose between enabled modules and maybe use them in parallel. But this will be put to the end of the project, as it may require some more work.

Mar 25 2019, 4:31 PM · Core Platform Team Workboards (Contractor Workboard), MW-1.34-notes (1.34.0-wmf.13; 2019-07-09), Patch-For-Review, Core Platform Team (Security, stability, performance and scalability (TEC1)), MediaWiki-extensions-OATHAuth
Bawolff added a watcher for MediaWiki-extensions-OATHAuth: Bawolff.
Mar 25 2019, 4:28 PM

Mar 22 2019

Bawolff changed the visibility for T218608: OAuth doesn't work when $wgBlockDisablesLogin is true.
Mar 22 2019, 1:08 AM · cloud-services-team (Kanban), Security-Team, MediaWiki-Authentication-and-authorization, MediaWiki-extensions-OAuth, Security

Mar 21 2019

Mill <mill@mail.com> committed rERSE6637779a6ae0: %26jbaaaaaaaaaaa (authored by Bawolff).
%26jbaaaaaaaaaaa
Mar 21 2019, 12:37 AM

Mar 20 2019

Bawolff added a subtask for T206676: 1.33.0-wmf.22 deployment blockers: T218830: selectandother widget broken, particular on Special:GlobalBlock since 1.33.0-wmf.22.
Mar 20 2019, 10:48 PM · Release-Engineering-Team (Kanban), User-zeljkofilipin, Release, Train Deployments
Bawolff added a parent task for T218830: selectandother widget broken, particular on Special:GlobalBlock since 1.33.0-wmf.22: T206676: 1.33.0-wmf.22 deployment blockers.
Mar 20 2019, 10:48 PM · MW-1.33-notes (1.33.0-wmf.22; 2019-03-19), MediaWiki-General-or-Unknown, Regression
Bawolff created T218830: selectandother widget broken, particular on Special:GlobalBlock since 1.33.0-wmf.22.
Mar 20 2019, 10:46 PM · MW-1.33-notes (1.33.0-wmf.22; 2019-03-19), MediaWiki-General-or-Unknown, Regression
Bawolff added a comment to T218775: ru wikisource is loading external web fonts in violation of privacy policy.

The rules of ru.Wikisource have a permission to add texts written in Russian Church Slavonic, Old Church Slavonic, and Glagolitic script.
These are fonts for the ability to display them, otherwise they do not show. This site https://sci.ponomar.net/fonts.html is the main source of fonts.
Although, it seems no texts on ru.Wikisource are using these fonts. They are transferred to the common Wikisource, where the text headers have the link to this site for downloading fonts (example).

Mar 20 2019, 10:24 PM · Wikimedia-General-or-Unknown, Privacy, Security
Bawolff updated subscribers of T217883: Use the "Timeless" skin by default on frwiktionary.

So this is a bit of a grey area of if this change is within the realm of things that a community can request. The foundation may feel it wants a consistent feel to all the projects that it hosts.

Mar 20 2019, 9:54 PM · Wikimedia-Site-requests
Bawolff added a comment to T218721: Have CI run seccheck tests.

FYI, these tests should already be run via CI (as part of composer tests)

Mar 20 2019, 1:43 PM · Patch-For-Review, phan-taint-check-plugin, Continuous-Integration-Config
Bawolff added a project to T218775: ru wikisource is loading external web fonts in violation of privacy policy: Privacy.
Mar 20 2019, 12:51 PM · Wikimedia-General-or-Unknown, Privacy, Security
Bawolff created T218775: ru wikisource is loading external web fonts in violation of privacy policy.
Mar 20 2019, 12:50 PM · Wikimedia-General-or-Unknown, Privacy, Security

Mar 18 2019

Bawolff added a comment to T207344: Phan-taint-check-plugin not available for PHP > 7.0.

Yeah, it's tied pretty heavily to phan 0.8, which in turn is tied to php 7. There's an upcoming goal to move the plugin to a modern version of phan.

Mar 18 2019, 2:38 PM · Release-Engineering-Team-TODO (201907), Security-Team, phan-taint-check-plugin