I work on the MediaWiki Security Team.
Sounds good to me. Even as far as timing attacks this is extremely minor (read impossible) as it's only comparing the entered password, not the actual one. But I think it's good to use hash_equals for any comparison involving a password, just in case.
One thing that was confusing me was why timeout in limit.sh wasn't killing the process eventually. But after reading the docs I guess that is because it didn't have a -k flag.
Can you link to which image is being returned as webp?
So looking in the logs, it seems like a log event is generated for importing the key into gpg, but there is no log event for actually encrypting the voting record (the next step after importing the key). This makes me wonder if it's an issue with shelling out to gpg.
As an aside, telling x-wikimedia-debug to send me to a php7 seemed to make it work, so definitely seems hhvm related.
Sun, Nov 18
From what I understand (this is a bit beyond my expertise), for things like the watchlist where a large number of rows are potentially scanned, it's important to keep the tables narrow, so that more of it fits into a page of memory. (Assuming that's true... which I have no idea about. This is beyond my db knowledge.) Perhaps it makes sense, instead of adding more fields to the watchlist table, to have a watchlist_info table in a 1:1 relationship which can have more information fields (and also move wl_notificationtimestamp over there).
Sat, Nov 17
Those two patches, while good things, probably don't fix whatever is causing fastCGI to explode.
Fri, Nov 16
Fwiw: I'm of the opinion that date magic words should reduce varnish cache to at most 24 hours, maybe six hours. I'm doubtful that super long cache times for all pages in varnish are really that worth it...
Good work :)
[You should probably include the name of the mailing list in the task title]
[Making public is blocks work again]
Definitely sounds partial block related. Cc'ing some AHT people.
Thu, Nov 15
Oh, I found some varnish/apache errors:
I don't see anything obvious in logstash logs for votewiki. A bunch of:
Can you include the date and full url accessed? (To narrow it down in log files)
It's kind of unclear to me if just earnings should be copied over, or if it should loop through all the returned data and copy everything there over.
This task already is public.
Well that's odd. My test change didn't trigger any errors: https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/SecurePoll/+/473726/
Did https://gerrit.wikimedia.org/r/#/c/integration/config/+/473724 to make it non-voting until kinks are worked out
The api-auth one is likely because the mime type is not text/html but the script still thinks it is (thought I already suppressed that).
Wait, so how can oauth create a user with no password? Should this sort of thing require a password reset via email instead?
Wed, Nov 14
@MaxBioHazard CSP is in test-only mode, which means it puts errors in the console but doesn't actually do anything (yet). Any issues you are having are not caused by the CSP warnings.
If I go to html source view-source:https://meta.wikimedia.org/wiki/Special:Log?type=&user=Bawolff&page=&wpdate=0000-00-00&tagfilter=
Tue, Nov 13
Ok, looks good. Thanks for your patience on this, I know I was a bit delayed.
Can we add to the "and in addition must" criteria, something along the lines of, have someone responsible for fixing any security issues that come up. Particularly for things we make ourselves, they don't just need to pass security review now, there also needs to be someone responsible for responding to security issues over the long-term, possibly long after development is done. (Things like the lack of response on T207222 are making me concerned about this point)
I've split out the stuff I feel are valid bugs into separate tasks.
This could potentially be a good Google-Code-in-2018 task once we figure out how we actually want to do it.
Mon, Nov 12
So I guess everyone who updated and didn't get the constraint error now has messed up link tables. That's pretty unfortunate, although I guess at least it's slowly self-correcting.
[If I actually treat this more as a bug report asking for better error handling than a support request]:
[Technically this is not a bug but a support request].
Sun, Nov 11
This is more a political issue than a technical one. Phabricator is the place to discuss technical bugs not political/social problems.
I'm not really sure what the expected use case is for this feature. If it is expected that the majority of people who consume this data use spreadsheets, then I agree that CSV may make sense, regardless of my distaste for it as a data interchange format.
Sat, Nov 10
Never mind, I misunderstood.
If we must use CSV, please be careful about issues like https://www.owasp.org/index.php/CSV_Injection
Fri, Nov 9
FYI (per request): bot source is at https://www.mediawiki.org/wiki/User:Bawolff_bot/source
Not sure what happened with the bot, but I tried just running it manually, and it seemed to work.
Special:RecentChanges filtered to JS pages