Bawolff (Brian Wolff)
User


User Details

User Since
Oct 25 2014, 1:53 AM (131 w, 9 h)
Availability
Available
LDAP User
Brian Wolff
MediaWiki User
Bawolff

Recent Activity

Yesterday

Bawolff added a comment to T164045: PDF thumbnails fail to render on newly-uploaded PDF files.

+1 to just reverting the pdfhandler config change

Fri, Apr 28, 9:51 PM · Patch-For-Review, Wikimedia-General-or-Unknown, Regression, MediaWiki-extensions-PdfHandler, Multimedia, MediaWiki-File-management, Wikisource, Commons
Bawolff added a comment to T164045: PDF thumbnails fail to render on newly-uploaded PDF files.

The character encoding thing looks like it's related to colours. Presumably the escape control character is being stripped by the logs.

Fri, Apr 28, 9:46 PM · Patch-For-Review, Wikimedia-General-or-Unknown, Regression, MediaWiki-extensions-PdfHandler, Multimedia, MediaWiki-File-management, Wikisource, Commons
Bawolff added a comment to T164047: Captchas sent with wrong mime type on beta.

I mean it's being sent as Content-Type: application/x-www-form-urlencoded

Fri, Apr 28, 2:08 AM · Beta-Cluster-Infrastructure
Bawolff created T164047: Captchas sent with wrong mime type on beta.
Fri, Apr 28, 1:55 AM · Beta-Cluster-Infrastructure

Thu, Apr 27

Bawolff added a comment to T163409: Creating CollaborationListContent features does not work on Beta Cluster.

What's the error in question?

Thu, Apr 27, 7:23 AM · MW-1.30-release-notes (WMF-deploy-2017-05-09_(1.30.0-wmf.1)), Patch-For-Review, MediaWiki-extensions-CollaborationKit

Tue, Apr 25

Bawolff created P5332 spam users needing to be locked.
Tue, Apr 25, 11:55 PM
Bawolff changed the visibility for T163310: I couldn't find a way to log out of Pivot.
Tue, Apr 25, 9:09 PM · Security
Bawolff closed T163310: I couldn't find a way to log out of Pivot as "Declined".

This is more a browser UI issue (this is the same for anything else protected by basic HTTP auth, e.g. https://logstash.wikimedia.org ).

Tue, Apr 25, 9:09 PM · Security
Bawolff created P5327 spam users on frwiki.
Tue, Apr 25, 5:05 PM

Sat, Apr 22

Bawolff added a comment to T163618: remove the field names from the metadata-fields message.

I agree with @Umherirrender. It doesn't make sense to split the message. If it's confusing to translators maybe we should just tell them not to translate the message at all.

Sat, Apr 22, 6:19 PM · Patch-For-Review, Commons, Multimedia, MediaWiki-File-management, I18n
Bawolff added a comment to T159081: [Non-security] General improvements for the Newsletter extension.

Note that although not part of the security review, some of the more serious of these may still block deployment (lack of copyright notice; the db queries that are more severely unperformant listed at T159083). Those things aren't my area, so if for example someone from legal (for the lack of copyright notice) or jcrespo (for the db queries from T159083) said they were ok, then it'd be ok, but as it stands those things should be considered deployment blockers.

Sat, Apr 22, 5:16 PM · Wikimedia-Hackathon-2017, MediaWiki-extensions-Newsletter
Bawolff moved T133408: Security review of TemplateStyles from Scheduled to In Progress on the Security-Reviews board.
Sat, Apr 22, 1:31 AM · Patch-For-Review, Reading-Admin, Security-Reviews, TemplateStyles

Fri, Apr 21

Bawolff closed T159709: Security review for WikibaseMediaInfo extension as "Resolved".

Sorry for the delay in reviewing this one.

Fri, Apr 21, 3:04 AM · Wikidata, Structured-Multimedia-Data, Security-Reviews
Bawolff closed T159709: Security review for WikibaseMediaInfo extension, a subtask of T159708: Deploy WikibaseMediaInfo extension to production, as "Resolved".
Fri, Apr 21, 3:04 AM · Wikidata, Structured-Multimedia-Data, Wikimedia-Extension-setup
Bawolff added a comment to T163260: Security Issue Access Request for matanya.

Process note, we review requests for security access during our team meeting. Normally that would be today, but this week that's going to be on Thursday.

Fri, Apr 21, 1:33 AM · Security

Thu, Apr 20

Bawolff created T163487: Newsletter extension should use phpcs to enforce mediawiki coding standards..
Thu, Apr 20, 7:32 PM · Patch-For-Review, MediaWiki-extensions-Newsletter
Bawolff added a project to T163486: Newsletter::fillParserOutput might have slave lag issues: MediaWiki-extensions-Newsletter.
Thu, Apr 20, 7:31 PM · MediaWiki-extensions-Newsletter
Bawolff created T163486: Newsletter::fillParserOutput might have slave lag issues.
Thu, Apr 20, 7:31 PM · MediaWiki-extensions-Newsletter
Bawolff updated subscribers of T163415: Mailing list for Marathi Wikipedia social network.

Aren't list administrator emails generally public?

Thu, Apr 20, 4:11 PM · Wikimedia-Mailing-lists

Wed, Apr 19

Bawolff committed rECKT62df456c49f9: Set path globals in phpunit tests. Use span for new oojs (authored by Bawolff).
Set path globals in phpunit tests. Use span for new oojs
Wed, Apr 19, 8:01 PM
Bawolff committed rECKTcd1ff8dfc422: Set path globals in phpunit tests (authored by Bawolff).
Set path globals in phpunit tests
Wed, Apr 19, 7:51 PM
Bawolff closed T163244: Wikipedia zero should not host official documents on dropbox as "Resolved".

Done. They are now at https://wikimediafoundation.org/wiki/File:WikipediaZeroPartnerOverview-1-2-5.pdf and https://wikimediafoundation.org/wiki/File:Wikipedia_Zero_Partner_Specs_Form_v5a.xls (zero.wikimedia.org links directly to the file and not to the description page).

Wed, Apr 19, 6:46 PM · Zero
Bawolff added a comment to T161647: RFC: Deprecate using php serialization inside MediaWiki.

Is this just asking for a policy like "new code should/must not use php serialization"?

Wed, Apr 19, 4:55 AM · Services (watching), ArchCom-RfC, Security
Bawolff added a comment to T159405: Use $wgUrlProtocols for URL validation in forms.

I'm not 100% sure how this function is used, so I might be wrong, but I think you'd want to anchor the regex (start it with a ^ and end it with a $) so that the user can't insert non-URL things before or after the URL. As of the commit above, it only verifies that the field has a URL in it, not that it only contains a URL.

Wed, Apr 19, 4:17 AM · Patch-For-Review, MediaWiki-extensions-Page_Forms

Tue, Apr 18

Bawolff added a comment to T163260: Security Issue Access Request for matanya.

Process note, we review requests for security access during our team meeting. Normally that would be today, but this week that's going to be on Thursday.

Tue, Apr 18, 8:45 PM · Security
Bawolff updated subscribers of T163244: Wikipedia zero should not host official documents on dropbox.

@DFoy Would it be ok to move those documents to https://wikimediafoundation.org ?

Tue, Apr 18, 8:20 PM · Zero
Bawolff closed T159422: zero.wikimedia.org references bits.wikimedia.org as "Resolved".

I fixed this when I was removing raw html usages. https://zero.wikimedia.org/w/index.php?title=Template:PortalFooter-1&diff=prev&oldid=9981

Tue, Apr 18, 8:16 PM · ZeroPortal, Zero
Bawolff created T163244: Wikipedia zero should not host official documents on dropbox.
Tue, Apr 18, 7:29 PM · Zero
Bawolff added a comment to T162847: Refreshed should allow custom group avatars without SocialProfile.

However, it seems like pretty bad form/security to be performing these sort of checks outside the main PHP file, which would be necessary if we want the checks to be customizable.

Tue, Apr 18, 7:10 PM · Technical-Debt, Social-Tools, SocialProfile, Refreshed
Bawolff added a comment to T118131: Credit security researchers that identify and disclose vulnerabilities.

Here, I created a page. Maybe that's the only way to move this forward :)

https://www.mediawiki.org/wiki/Guardians_of_Security

Tue, Apr 18, 6:57 PM · Security-Team, Developer-Relations, Security-General

Sun, Apr 16

Bawolff added a comment to T162823: Changing the alphabetical sorting (collation) @ ba.wikipedia.org.

Yes, getting it into cldr is the first step. Be prepared for this being a super-long time before the change gets to wikimedia.

Sun, Apr 16, 3:45 PM · Patch-For-Review, Upstream, MediaWiki-Internationalization, I18n

Sat, Apr 15

Bawolff added a comment to T163019: Allow tool's maintainers to force HTTPS for their tool.

Slightly off topic to this bug, but why do we even allow non secure http on tool labs? Https-only (+hsts) is quickly becoming the norm for major websites

Sat, Apr 15, 11:13 PM · User-Urbanecm, Labs, Tool-Labs
He7d3r awarded T71061: Show patrol marks on Special:Contributions a Love token.
Sat, Apr 15, 5:49 PM · MediaWiki-Special-pages, Patch-For-Review, MediaWiki-Patrolling

Fri, Apr 14

Bawolff renamed T162997: php and apache version disclosure from "Information Disclouser." to "php and apache version disclosure".
Fri, Apr 14, 6:11 PM · Security
Bawolff closed T162997: php and apache version disclosure as "Declined".

This is not something we consider to be security sensitive in a wikimedia context due to transparency reasons.

Fri, Apr 14, 6:10 PM · Security

Thu, Apr 13

Dsfjdsfj awarded T32640: EXIF orientation tag use broken in 1.18 - skewed display a Like token.
Thu, Apr 13, 3:54 PM · Commons, Multimedia, MediaWiki-File-management

Wed, Apr 12

Bawolff added a comment to T161647: RFC: Deprecate using php serialization inside MediaWiki.

I believe the problem is more __destruct()

Wed, Apr 12, 11:03 PM · Services (watching), ArchCom-RfC, Security
Bawolff added a comment to T160094: Investigation: Config settings for LoginNotify in production.

Yeah, the idea for that setting is that high-priv users should in theory default to enabled since their account security can affect other users, but we shouldn't auto-annoy normal users who don't matter unless they opt in.

Wed, Apr 12, 10:07 PM · Patch-For-Review, Community-Tech-Sprint, MediaWiki-extensions-LoginNotify
Bawolff renamed T161647: RFC: Deprecate using php serialization inside MediaWiki from "Try to use json instead of php serialize whenever possible" to "RFC: Deprecate using php serialization inside MediaWiki".
Wed, Apr 12, 6:52 PM · Services (watching), ArchCom-RfC, Security
Bawolff added a project to T161647: RFC: Deprecate using php serialization inside MediaWiki: ArchCom-RfC.
Wed, Apr 12, 6:51 PM · Services (watching), ArchCom-RfC, Security
Bawolff changed the visibility for T161647: RFC: Deprecate using php serialization inside MediaWiki.
Wed, Apr 12, 6:45 PM · Services (watching), ArchCom-RfC, Security

Tue, Apr 11

Bawolff added a comment to T161952: Have a Private Sandbox for drafts.

... I don't think this is the right place to discuss it. It should probably be an RFC on enwiki or something (I'm assuming we are talking about English here)
...
As an aside, I suspect the phrasing of the rationale - using the possessive pronoun "their" in the sentence "They didn't like that other people had access to their work" is probably significantly more controversial than the actual feature request itself.
...

I'm on the Norwegian Wikipedias and this question was first raised there. I've talked to Wikipedians from other Scandinavian Wikipedias and English Wikipedia that also liked this idea.

When already existing functionality ( https://www.mediawiki.org/wiki/Extension:Drafts ) solves this issue, isn't the politics also handled already?

Then the technical question is: Is it possible to create a button for doing this:

{{TNT|ExtensionInstall
db-update=Yes
}}
As in https://www.mediawiki.org/wiki/Extension:Drafts#Installation

Tue, Apr 11, 4:15 PM · Privacy, Anti-Harassment, MediaWiki-General-or-Unknown

Thu, Apr 6

Bawolff added a comment to T161952: Have a Private Sandbox for drafts.

To clarify, instead of foundation I should have written technical community/phabricator/etc. This would be a not insignificant social change, but a relatively minor technical change (whether via drafts or some on-wiki gadget, etc). I don't think this is the right place to discuss it. It should probably be an RFC on enwiki or something (I'm assuming we are talking about English here)

Thu, Apr 6, 10:40 PM · Privacy, Anti-Harassment, MediaWiki-General-or-Unknown
Bawolff added a comment to T162096: Potential abuse of MW Cookie Blocks.

This is f***ing unbelievable!

Thu, Apr 6, 12:55 PM · Community-Tech, MediaWiki-General-or-Unknown, Security

Wed, Apr 5

Bawolff added a comment to T161647: RFC: Deprecate using php serialization inside MediaWiki.

May I shamelessly plug my desire to kill serialize as an API format here? This is definitely ugly and unsafe but it also requires a long deprecation process, so why not start with it sooner rather than later?

Wed, Apr 5, 7:27 PM · Services (watching), ArchCom-RfC, Security
Bawolff closed T162096: Potential abuse of MW Cookie Blocks as "Declined".

Hi, I'm going to close this bug because we do not believe that there are any new threats with cookie blocking, and having this discussion in private isn't helpful for settling down people's fears.

Wed, Apr 5, 6:35 PM · Community-Tech, MediaWiki-General-or-Unknown, Security
Bawolff changed the visibility for T162096: Potential abuse of MW Cookie Blocks.
Wed, Apr 5, 6:34 PM · Community-Tech, MediaWiki-General-or-Unknown, Security
Bawolff triaged T161647: RFC: Deprecate using php serialization inside MediaWiki as "Normal" priority.
Wed, Apr 5, 6:22 PM · Services (watching), ArchCom-RfC, Security
Bawolff added a comment to T161647: RFC: Deprecate using php serialization inside MediaWiki.

So it seems like this should perhaps be an RFC

Wed, Apr 5, 6:22 PM · Services (watching), ArchCom-RfC, Security
Bawolff changed the visibility for T154299: Investigate if calling git from GitInfo.php is secure.
Wed, Apr 5, 5:56 PM · Security
Bawolff closed T154299: Investigate if calling git from GitInfo.php is secure as "Invalid".

Yeah, I agree. People who could modify the git directory stuff might as well just modify the php files.

Wed, Apr 5, 5:55 PM · Security

Tue, Apr 4

Bawolff awarded T162077: User::pingLimiter always fails to limit when $wgMainCacheType is CACHE_NONE a Like token.
Tue, Apr 4, 3:10 PM · MediaWiki-Cache
Bawolff added a comment to T161934: Add support for JP2 files.

I believe thumbnail conversion is what is wanted (Commons doesn't like formats they can't actually preview for vandalism. Most (all?) browsers do not have native jpeg2000 support).

Tue, Apr 4, 3:07 PM · MediaWiki-File-management, Commons, Multimedia
Bawolff added a comment to T161952: Have a Private Sandbox for drafts.

I think this is a political question that should be decided by the communities. It is a cultural change, and I do not believe it is the foundation's place to dictate culture to the community.

Tue, Apr 4, 3:03 PM · Privacy, Anti-Harassment, MediaWiki-General-or-Unknown
Bawolff added a comment to T162096: Potential abuse of MW Cookie Blocks.

The session should guard against a changed IP address; if it does not, then it is an implementation error. If it does not guard against this, then it allows cookie theft. Just checked by switching to a mobile hotspot and reloading, and it does not guard against this.

Tue, Apr 4, 2:06 PM · Community-Tech, MediaWiki-General-or-Unknown, Security
Bawolff added a comment to T162096: Potential abuse of MW Cookie Blocks.

Also I don't think cookie blocks spread autoblocks (might be wrong) (?)

Tue, Apr 4, 12:42 AM · Community-Tech, MediaWiki-General-or-Unknown, Security
Bawolff added a comment to T162096: Potential abuse of MW Cookie Blocks.

You could probably already do the same attack by forging session cookies. I don't think this change increases the risk of this attack scenario.

Tue, Apr 4, 12:27 AM · Community-Tech, MediaWiki-General-or-Unknown, Security

Sat, Apr 1

Bawolff edited the description of T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.
Sat, Apr 1, 10:47 PM · Security, Security-Team, MediaWiki-General-or-Unknown
Bawolff closed T156184: Make rawHTML mode not apply to system messages as "Resolved".
Sat, Apr 1, 10:46 PM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.23-release, Patch-For-Review, MW-1.29-release-notes, MediaWiki-Interface, Security
Bawolff closed T156184: Make rawHTML mode not apply to system messages, a subtask of T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release, as "Resolved".
Sat, Apr 1, 10:46 PM · Security, Security-Team, MediaWiki-General-or-Unknown
Bawolff edited the description of T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.
Sat, Apr 1, 10:15 PM · Security, Security-Team, MediaWiki-General-or-Unknown
Bawolff added a comment to T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.

@Bawolff What's the other "secret" patch to be associated with T156184 ?

Sat, Apr 1, 9:51 PM · Security, Security-Team, MediaWiki-General-or-Unknown

Fri, Mar 31

Bawolff created T161934: Add support for JP2 files.
Fri, Mar 31, 9:13 PM · MediaWiki-File-management, Commons, Multimedia
Krinkle awarded T156184: Make rawHTML mode not apply to system messages an Orange Medal token.
Fri, Mar 31, 8:12 PM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.23-release, Patch-For-Review, MW-1.29-release-notes, MediaWiki-Interface, Security
Bawolff updated subscribers of T144100: Pageview dumps incorrectly formatted, looks like a result of possibly malicious activity.
Fri, Mar 31, 11:16 AM · Datasets-General-or-Unknown, Security, Analytics
Bawolff added a comment to T151735: SVG filter evasion using default attribute values in DTD declaration.

Can someone give me a TL;DR for the CVE bug over at T160876?

What the flaw is, and how it can be exploited. Thanks

Fri, Mar 31, 6:54 AM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release-notes, Patch-For-Review, Vuln-XSS, Multimedia, Security
Bawolff added a comment to T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.

In T140591#3113328, @Reedy wrote:

For consistency/due diligence/best practices, review of current core patches on tin:

reedy@tin:/srv/patches/1.29.0-wmf.16/core$ ls -al
total 44
drwxrwxr-x 2 twentyafterfour wikidev  4096 Mar 13 21:30 .
drwxrwxr-x 4 twentyafterfour wikidev  4096 Feb 28 18:06 ..
-rw-rw-r-- 1 twentyafterfour wikidev 14245 Feb 28 18:06 01-T109140.patch
-rw-r--r-- 1 twentyafterfour wikidev  1679 Feb 28 18:06 02-T127114-master_1.28wmf2.patch
-rw-rw-r-- 1 twentyafterfour wikidev  6903 Feb 28 18:06 03-T125177.patch
-rw-rw-r-- 1 twentyafterfour wikidev  1505 Feb 28 18:06 04-T150044.patch
-rw-rw-r-- 1 twentyafterfour wikidev  1318 Mar 13 21:30 05-T160266.patch
reedy@tin:/srv/patches/1.29.0-wmf.16/core$

5 patches on master

1 is a prevention, but maybe not the best fix for T160266. It'd be nice if we could include it in the release, if ready in time, but if it's not ready, it's not ready.

Fri, Mar 31, 6:45 AM · Security, Security-Team, MediaWiki-General-or-Unknown
Bawolff added a parent task for T156184: Make rawHTML mode not apply to system messages: T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.
Fri, Mar 31, 6:42 AM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.23-release, Patch-For-Review, MW-1.29-release-notes, MediaWiki-Interface, Security
Bawolff added a subtask for T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release: T156184: Make rawHTML mode not apply to system messages.
Fri, Mar 31, 6:42 AM · Security, Security-Team, MediaWiki-General-or-Unknown

Mar 28 2017

Bawolff added a parent task for T161453: Having LocalisationCache directory default to system tmp directory is insecure: T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.
Mar 28 2017, 10:03 PM · MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release (WMF-deploy-2017-04-11_(1.29.0-wmf.20)), MW-1.29-release-notes, MediaWiki-Internationalization, Vuln-Infoleak, Security
Bawolff added a subtask for T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release: T161453: Having LocalisationCache directory default to system tmp directory is insecure.
Mar 28 2017, 10:03 PM · Security, Security-Team, MediaWiki-General-or-Unknown
Bawolff created T161647: RFC: Deprecate using php serialization inside MediaWiki.
Mar 28 2017, 8:53 PM · Services (watching), ArchCom-RfC, Security

Mar 27 2017

Bawolff moved T151735: SVG filter evasion using default attribute values in DTD declaration from Backlog to Pending release on the Security board.
Mar 27 2017, 10:04 PM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release-notes, Patch-For-Review, Vuln-XSS, Multimedia, Security
Bawolff added a comment to T151735: SVG filter evasion using default attribute values in DTD declaration.

Patch was deployed to Wikimedia March 27 2017 22:00

Mar 27 2017, 10:03 PM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release-notes, Patch-For-Review, Vuln-XSS, Multimedia, Security
Bawolff added a comment to T151735: SVG filter evasion using default attribute values in DTD declaration.

Ok, my script completed checking it. It ran against all SVGs < 10 MB uploaded between now and October 1, 2016 to commons.wikimedia.org (91646 files in total). None of them triggered the filter, so I call this a success.

Mar 27 2017, 9:15 PM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release-notes, Patch-For-Review, Vuln-XSS, Multimedia, Security
Bawolff edited the description of T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.
Mar 27 2017, 1:45 PM · Security, Security-Team, MediaWiki-General-or-Unknown
Bawolff added a comment to T151735: SVG filter evasion using default attribute values in DTD declaration.

Backports of this version of the patch:

Mar 27 2017, 1:42 PM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release-notes, Patch-For-Review, Vuln-XSS, Multimedia, Security
Bawolff added a parent task for T151735: SVG filter evasion using default attribute values in DTD declaration: T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.
Mar 27 2017, 1:17 PM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release-notes, Patch-For-Review, Vuln-XSS, Multimedia, Security
Bawolff added a subtask for T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release: T151735: SVG filter evasion using default attribute values in DTD declaration.
Mar 27 2017, 1:17 PM · Security, Security-Team, MediaWiki-General-or-Unknown
Bawolff added a comment to T151735: SVG filter evasion using default attribute values in DTD declaration.

Ok, revised version of patch:

Mar 27 2017, 1:11 PM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release-notes, Patch-For-Review, Vuln-XSS, Multimedia, Security
Bawolff added a comment to T151735: SVG filter evasion using default attribute values in DTD declaration.

So, my script checked the most recent 59,500 files (until it died for some unknown reason, possibly some sort of memory leak, but this seems like a good enough sample size; this covers all SVG files less than 10 MB uploaded between yesterday and December 11, 2016).

Mar 27 2017, 10:45 AM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release-notes, Patch-For-Review, Vuln-XSS, Multimedia, Security
Bawolff added a comment to T158011: Security review for Timeless skin.

Still dunno what to do about the js, but we can come back to that later, or something.

Mar 27 2017, 3:34 AM · Patch-For-Review, Timeless, Security-Reviews
Bawolff created T161476: Commons File:Assemblea_Costituente_1946_(2).svg missing after file move.
Mar 27 2017, 3:17 AM · Commons, Operations, media-storage
Bawolff added a comment to T160713: Replicate babel db table on Labs.

All this is public info (available already via API action=query&meta=babel, or just user page). It is totally ok to make this public from a security perspective.

Mar 27 2017, 2:40 AM · Security-Team, WMF-Legal, Labs, DBA, MediaWiki-extensions-Babel

Mar 26 2017

Bawolff added a comment to T151735: SVG filter evasion using default attribute values in DTD declaration.

Is this fix targeted for any specific release of mediawiki?

Mar 26 2017, 9:50 AM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release-notes, Patch-For-Review, Vuln-XSS, Multimedia, Security
Bawolff added a comment to T151735: SVG filter evasion using default attribute values in DTD declaration.

I am now running this new code over all the SVGs uploaded to commons in the last three months (I'm not sure how long that will take, so if it's going on and on, I might cut the test short), to see if this has any likely false positives.

Mar 26 2017, 9:48 AM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release-notes, Patch-For-Review, Vuln-XSS, Multimedia, Security
Bawolff created T161453: Having LocalisationCache directory default to system tmp directory is insecure.
Mar 26 2017, 8:18 AM · MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release (WMF-deploy-2017-04-11_(1.29.0-wmf.20)), MW-1.29-release-notes, MediaWiki-Internationalization, Vuln-Infoleak, Security
Bawolff added a comment to T151735: SVG filter evasion using default attribute values in DTD declaration.

New version (rebased on to master):

Mar 26 2017, 6:09 AM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release-notes, Patch-For-Review, Vuln-XSS, Multimedia, Security
Bawolff added a comment to T151735: SVG filter evasion using default attribute values in DTD declaration.

Do we care that the 'external_dtd_handler' result hides the 'dtd_handler' result if both hit?

I guess it would be more technically correct to call both handlers. I'll upload a new patch.

Mar 26 2017, 5:55 AM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release-notes, Patch-For-Review, Vuln-XSS, Multimedia, Security

Mar 21 2017

Bawolff merged Unknown Object (Task) into T151735: SVG filter evasion using default attribute values in DTD declaration.
Mar 21 2017, 11:41 PM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release-notes, Patch-For-Review, Vuln-XSS, Multimedia, Security
Bawolff committed rECKTe62401dea3d4: Avoid logs about unexpected writes from special page. (authored by Bawolff).
Avoid logs about unexpected writes from special page.
Mar 21 2017, 9:59 PM
Bawolff committed rECKT87014f0d3f60: Be more defensive about checking revision is present (authored by Bawolff).
Be more defensive about checking revision is present
Mar 21 2017, 9:25 PM
Bawolff changed the visibility for T159519: Investigate security concerns on enabling OAuth or BotPasswords for stewardwiki.
Mar 21 2017, 8:26 PM · Security-Extensions, Security-Team, Security
Bawolff triaged T159519: Investigate security concerns on enabling OAuth or BotPasswords for stewardwiki as "Normal" priority.
Mar 21 2017, 8:25 PM · Security-Extensions, Security-Team, Security
Bawolff changed the visibility for T159519: Investigate security concerns on enabling OAuth or BotPasswords for stewardwiki.
Mar 21 2017, 8:25 PM · Security-Extensions, Security-Team, Security
Bawolff added a comment to T160916: Special:AllPages disabled due to performance issues.

Hmm, this is the second time I've heard of using foo = '0' vs foo = 0 in queries adjusting the query plan. Maybe we should just have ints be ints in the db abstraction layer.

Mar 21 2017, 8:13 PM · MW-1.29-release-notes, MW-1.29-release (WMF-deploy-2017-03-28_(1.29.0-wmf.18)), User-notice, Wikimedia-General-or-Unknown
Bawolff added a comment to T117618: Add restrictive CSP to upload.wikimedia.org.

Recent logs suggest we may need to add "media-src 'self'" for webm files.

Mar 21 2017, 7:54 PM · Patch-For-Review, Security-Team
Bawolff created T160978: Job queue cannot claim job on sqlite due to db being locked.
Mar 21 2017, 8:27 AM · MediaWiki-JobQueue
Bawolff changed the visibility for T160914: Databases overflown with connections due to slow query on Special:AllPages.
Mar 21 2017, 8:13 AM · MediaWiki-Database, Security
Bawolff added a comment to T160914: Databases overflown with connections due to slow query on Special:AllPages.

Does this task need to be private anymore?

Mar 21 2017, 8:12 AM · MediaWiki-Database, Security