Bawolff (Brian Wolff)
Security

User Details

User Since
Oct 25 2014, 1:53 AM (186 w, 2 d)
Availability
Available
IRC Nick
Bawolff
LDAP User
Brian Wolff
MediaWiki User
Bawolff

I work on the MediaWiki Security Team.

Recent Activity

Today

Bawolff added a comment to T194864: Raise the rate limit for autopatrollers on Commons.

Checking other wikis for possible affectedness by looking at users who are close (88 edits) to the rate limit (this excludes blocked users to try to exclude vandals as not being legitimately affected. It does not exclude globally locked users. It counts each user only once per wiki where they hit the rate limit):

bawolff@stat1005:~$ for i in `cat all.dblist`; do echo 'SELECT "'$i'",count(distinct user) from (SELECT substr( rc_timestamp, 1, 12 ) "ts", rc_user_text "user", count(distinct rc_id) "#", group_concat( distinct ug_group ) "group" from recentchanges left join user_groups on rc_user = ug_user  where  rc_type <= 1 and NOT EXISTS( select 1 from user_groups where ug_user = rc_user and ug_group in ( "sysop", "bot", "accontcreator" ) ) AND not exists( select 1 from ipblocks where ipb_user = rc_user limit 1 ) group by 1,2 HAVING count(distinct rc_id) > 88 order by 3 desc ) t;' | mysql -h analytics-store.eqiad.wmnet $i --skip-column-names; done > ratelimitviolations-user.txt
Mon, May 21, 9:24 PM · Patch-For-Review, User-Urbanecm, Wikimedia-Site-requests, Commons
Bawolff added a comment to T194864: Raise the rate limit for autopatrollers on Commons.

I am concerned that there may have been a mistake on some of my queries (it appears that sometimes the group by is grouping by the full timestamp instead of the prefix of the timestamp up to 1 minute, but only when I run on toolforge, not when I run on analytics-store.eqiad.wmnet).

Mon, May 21, 3:08 PM · Patch-For-Review, User-Urbanecm, Wikimedia-Site-requests, Commons
Bawolff added a comment to T194864: Raise the rate limit for autopatrollers on Commons.

Edit: It should be noted that Artix is a vandal, but some of these aren't

Artix wasn't a vandal, most, if not all of his actions were done in good faith.

Mon, May 21, 1:57 PM · Patch-For-Review, User-Urbanecm, Wikimedia-Site-requests, Commons
Bawolff added a comment to T194864: Raise the rate limit for autopatrollers on Commons.

This is live now.

Mon, May 21, 1:23 PM · Patch-For-Review, User-Urbanecm, Wikimedia-Site-requests, Commons

Yesterday

Bawolff added a comment to T194864: Raise the rate limit for autopatrollers on Commons.

Meh, changing some categories is not exactly the crime of the decade, especially considering it only takes a few seconds to swap the entire lot back. If these are the only example of misuse, it's a really, really, weak case for breaking standard tools for good faith contributors.

As for the auto-patrolled point, if a past sysop like INC wants to vandalise the project, limiting them to auto-patrolled accounts is like a sticking plaster to stop a flood.

Sun, May 20, 3:08 PM · Patch-For-Review, User-Urbanecm, Wikimedia-Site-requests, Commons
Bawolff awarded T195172: Remove CologneBlue skin from appearance choice in Special:Preferences a Heartbreak token.
Sun, May 20, 2:56 PM · Wikimedia-General-or-Unknown

Sat, May 19

Bawolff renamed T195109: login rate limitter triggered if you log in using correct password in parallel to > 5 sites at once from Logging in to multiple sites (10+) simultaneously using API locks up user account even if all passwords are correct to login rate limitter triggered if you log in using correct password in parallel to > 5 sites at once.
Sat, May 19, 7:03 PM · MediaWiki-Authentication-and-authorization
Bawolff added a comment to T195109: login rate limitter triggered if you log in using correct password in parallel to > 5 sites at once.

Maybe it's because it's being done in parallel, and ThrottlePreAuthenticationProvider::postAuthentication isn't called before > 5 auths have been started.

Sat, May 19, 7:01 PM · MediaWiki-Authentication-and-authorization
Bawolff added a comment to T195082: Create a CLI wrapper for MediaWiki's Maintenance scripts..

Just fyi, see also:

Sat, May 19, 6:26 PM · Wikimedia-Hackathon-2018, MediaWiki-General-or-Unknown, Composer
Bawolff changed the visibility for T100448: [Migrated] Subset regex.
Sat, May 19, 6:05 PM · WorkType-NewFunctionality, AutoWikiBrowser
Bawolff added a comment to T194864: Raise the rate limit for autopatrollers on Commons.

So I ran a further test since the beginning of 2018, and we definitely have some high edit rates:

+--------------+------------------------+------+-------------------------------------+
| ts           | user                   | #    | group                               |
+--------------+------------------------+------+-------------------------------------+
| 201803041833 | Artix Kreiger 2        | 3904 | NULL                                |
| 201803201704 | Elisfkc                | 3014 | Image-reviewer,filemover,rollbacker |
| 201804060120 | Jarnsax                | 2852 | NULL                                |
| 201804060226 | Jarnsax                | 2721 | NULL                                |
| 201804060119 | Jarnsax                | 2704 | NULL                                |
| 201802061326 | Artix Kreiger 2        | 2687 | NULL                                |
Sat, May 19, 6:00 PM · Patch-For-Review, User-Urbanecm, Wikimedia-Site-requests, Commons
Bawolff added a comment to T194864: Raise the rate limit for autopatrollers on Commons.

If what has happened here is a single smart troll/vandal has misused our systems, that is not a reason for knee jerk reactions that make incredibly useful tools like cat-a-lot unusable for many helpful and collegiate volunteers.

Sat, May 19, 3:14 PM · Patch-For-Review, User-Urbanecm, Wikimedia-Site-requests, Commons
Bawolff added a comment to T194864: Raise the rate limit for autopatrollers on Commons.

For reference:

MariaDB [commonswiki_p]> SELECT substr( rc_timestamp, 1, 12 ) 'ts', rc_user_text 'user', count(distinct rc_id) '#', group_concat( distinct ug_group ) 'group' from recentchanges left join user_groups on rc_user = ug_user  where  rc_type <= 1 and NOT EXISTS( select 1 from user_groups where ug_user = rc_user and ug_group in ( 'sysop', 'bot', 'accontcreator' ) ) group by 1,2 order by 3 desc limit 40;
+--------------+------------------------+-----+------------------------------------+
| ts           | user                   | #   | group                              |
+--------------+------------------------+-----+------------------------------------+
| 201804270018 | Chabe01                | 470 | autopatrolled                      |
| 201804281116 | Ymnes                  | 458 | autopatrolled                      |
| 201804300528 | Ser Amantio di Nicolao | 410 | filemover,patroller,rollbacker     |
| 201804260947 | Perumalism             | 378 | autopatrolled,filemover,rollbacker |
| 201805070219 | Tm                     | 377 | Image-reviewer,filemover           |
| 201805031529 | Ser Amantio di Nicolao | 372 | filemover,patroller,rollbacker     |
| 201805031529 | Ser Amantio di Nicolao | 343 | filemover,patroller,rollbacker     |
| 201804260952 | Perumalism             | 337 | autopatrolled,filemover,rollbacker |
| 201804291403 | Perumalism             | 326 | autopatrolled,filemover,rollbacker |
| 201804300528 | Ser Amantio di Nicolao | 323 | filemover,patroller,rollbacker     |
| 201804300938 | I99pema                | 323 | autopatrolled,filemover            |
| 201805070222 | JotaCartas             | 323 | filemover,patroller,rollbacker     |
| 201804302248 | Hiàn                   | 316 | autopatrolled                      |
| 201804270018 | Chabe01                | 302 | autopatrolled                      |
| 201804301624 | Ser Amantio di Nicolao | 298 | filemover,patroller,rollbacker     |
| 201805011455 | Ser Amantio di Nicolao | 298 | filemover,patroller,rollbacker     |
| 201804281116 | Ymnes                  | 297 | autopatrolled                      |
| 201804261146 | Perumalism             | 295 | autopatrolled,filemover,rollbacker |
| 201804261153 | Perumalism             | 285 | autopatrolled,filemover,rollbacker |
| 201804221543 | Chabe01                | 283 | autopatrolled                      |
| 201804261338 | Chabe01                | 275 | autopatrolled                      |
| 201804271105 | Perumalism             | 275 | autopatrolled,filemover,rollbacker |
| 201804211856 | Chabe01                | 270 | autopatrolled                      |
| 201804261147 | Perumalism             | 268 | autopatrolled,filemover,rollbacker |
| 201804260948 | Perumalism             | 264 | autopatrolled,filemover,rollbacker |
| 201804211856 | Chabe01                | 261 | autopatrolled                      |
| 201804261157 | Perumalism             | 261 | autopatrolled,filemover,rollbacker |
| 201804301624 | Ser Amantio di Nicolao | 251 | filemover,patroller,rollbacker     |
| 201804251914 | Perumalism             | 241 | autopatrolled,filemover,rollbacker |
| 201804261135 | Perumalism             | 241 | autopatrolled,filemover,rollbacker |
| 201805080723 | Cobatfor               | 240 | filemover,patroller                |
| 201804261200 | Perumalism             | 239 | autopatrolled,filemover,rollbacker |
| 201804261338 | Chabe01                | 239 | autopatrolled                      |
| 201805031529 | Ser Amantio di Nicolao | 238 | filemover,patroller,rollbacker     |
| 201804261131 | Perumalism             | 237 | autopatrolled,filemover,rollbacker |
| 201804220833 | Ser Amantio di Nicolao | 233 | filemover,patroller,rollbacker     |
| 201804211856 | Chabe01                | 231 | autopatrolled                      |
| 201804281908 | Perumalism             | 222 | autopatrolled,filemover,rollbacker |
| 201804240520 | Ser Amantio di Nicolao | 221 | filemover,patroller,rollbacker     |
| 201804240520 | Ser Amantio di Nicolao | 221 | filemover,patroller,rollbacker     |
+--------------+------------------------+-----+------------------------------------+
40 rows in set (30.16 sec)
Sat, May 19, 3:12 PM · Patch-For-Review, User-Urbanecm, Wikimedia-Site-requests, Commons
Bawolff added a comment to T194954: Wikispeech: Text-To-Speech technology for accessibility.

Are any of the wikispeech people still here? Maria Noguera was looking for wikispeech folks

Sat, May 19, 11:50 AM · Wikimedia-Hackathon-2018

Fri, May 18

Bawolff committed rEWLEac1d0c3638b5: samwilson Krenair JustBerry Sagan NotASpy paladox (authored by Bawolff).
samwilson Krenair JustBerry Sagan NotASpy paladox
Fri, May 18, 6:55 PM
Bawolff committed rEWLE283391224664: Revert "Lemma validation: language covered in deserializer" (authored by Bawolff).
Revert "Lemma validation: language covered in deserializer"
Fri, May 18, 6:55 PM
Bawolff added a reverting change for rEWLE583b79b62ed6: Lemma validation: language covered in deserializer: rEWLE283391224664: Revert "Lemma validation: language covered in deserializer".
Fri, May 18, 6:55 PM
Bawolff committed rEWLE0833c9d2b8a8: Revert "Lemma validation: language covered in deserializer" (authored by Bawolff).
Revert "Lemma validation: language covered in deserializer"
Fri, May 18, 6:53 PM
Bawolff added a reverting change for rEWLE583b79b62ed6: Lemma validation: language covered in deserializer: rEWLE0833c9d2b8a8: Revert "Lemma validation: language covered in deserializer".
Fri, May 18, 6:53 PM
Bawolff committed rEWLE484fe29dac8f: samwilson Krenair JustBerry Sagan NotASpy paladox (authored by Bawolff).
samwilson Krenair JustBerry Sagan NotASpy paladox
Fri, May 18, 6:53 PM
Bawolff committed rEWLEad12e5bb75e1: samwilson Krenair JustBerry Sagan NotASpy paladox (authored by Bawolff).
samwilson Krenair JustBerry Sagan NotASpy paladox
Fri, May 18, 6:53 PM
Bawolff created T194985: consider getting rid of $wgTwoButtonsSearchForm.
Fri, May 18, 5:53 PM · MonoBook, CologneBlue, Modern, MediaWiki-Interface
Bawolff added a comment to T166956: Cannot use Composer's CLI to manage a project's dependencies.

Just my personal opinion, but I am also strongly opposed to using mediawiki/mediawiki, wikimedia/mediawiki etc. as that implies it's official, and we'll start getting support questions about it, etc.

Fri, May 18, 3:21 PM · TechCom, Wikimedia-Hackathon-2018, MediaWiki-General-or-Unknown, Composer
Bawolff added a comment to T194864: Raise the rate limit for autopatrollers on Commons.

Hi. I'm the one who added the limit.

Fri, May 18, 12:05 PM · Patch-For-Review, User-Urbanecm, Wikimedia-Site-requests, Commons

Thu, May 17

Bawolff added a comment to T194713: Security training session at hackathon for MediaWiki extension developers and gadget authors..

Yes if possible

Thu, May 17, 7:29 PM · Wikimedia-Hackathon-2018

Wed, May 16

Bawolff added a comment to T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki.

It probably means that some extension hasn't been updated for makeInlineScript()'s new arguments. (I guess this is a deprecation in a sense and I should email wikitech-l.) I'm travelling today and can't really look into it today...

Wed, May 16, 3:32 PM · MediaWiki-Platform-Team, Security-Team, TechCom-RFC

Tue, May 15

Aklapper awarded T194714: Make doc pages on mediawiki.org auto-update based on source code a Like token.
Tue, May 15, 12:51 PM · MediaWiki-Documentation, Wikimedia-Hackathon-2018, Documentation
Bawolff moved T194714: Make doc pages on mediawiki.org auto-update based on source code from Backlog to Project on the Wikimedia-Hackathon-2018 board.
Tue, May 15, 2:09 AM · MediaWiki-Documentation, Wikimedia-Hackathon-2018, Documentation
Bawolff created T194714: Make doc pages on mediawiki.org auto-update based on source code.
Tue, May 15, 2:08 AM · MediaWiki-Documentation, Wikimedia-Hackathon-2018, Documentation
Bawolff moved T194713: Security training session at hackathon for MediaWiki extension developers and gadget authors. from Backlog to Session on the Wikimedia-Hackathon-2018 board.
Tue, May 15, 1:58 AM · Wikimedia-Hackathon-2018
Bawolff created T194713: Security training session at hackathon for MediaWiki extension developers and gadget authors..
Tue, May 15, 1:58 AM · Wikimedia-Hackathon-2018

Mon, May 14

Bawolff added a comment to T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki.

This is probably more of an epic task. Just because the patch is merged doesn't mean we can fully put CSP in enforce mode tomorrow (indeed the initial rollout plan won't include removing unsafe-inline).

Mon, May 14, 8:26 PM · MediaWiki-Platform-Team, Security-Team, TechCom-RFC
Bawolff added a comment to T194577: Deploy MontserratFont extension to Wikimania2018 wiki.

Personally I like the idea of an extension instead of noc, as that way we don't have weird cross dependencies that someone might unknowingly accidentally break.

Mon, May 14, 3:11 AM · MontserratFont, Wikimedia-extension-review-queue, Wikimedia-Extension-setup
Bawolff updated subscribers of T194614: amwikimedia is loading external resources (webfonts) from Google and rawgit.com.
Mon, May 14, 3:09 AM · Security, Wikimedia-General-or-Unknown
Bawolff updated subscribers of T194614: amwikimedia is loading external resources (webfonts) from Google and rawgit.com.

This is not a UBN as that means the site is down.

Mon, May 14, 3:08 AM · Security, Wikimedia-General-or-Unknown

Sun, May 13

Bawolff added a comment to T194580: Design review for MontserratFont extension.

FWIW, there are short-to-medium term plans to ban loading any external resources on Wikimedia sites. The definition of "external" is yet to be defined, but it may exclude tool labs.

Sun, May 13, 9:22 PM · User-Urbanecm, Design
Bawolff added a comment to T194580: Design review for MontserratFont extension.

Technical question: how’s that really different from using an @import declaration from WMF Labs fontcdn for any fonts they want? It should be already WMF privacy policy-compatible, have they considered that option instead?

@import url(https://tools-static.wmflabs.org/fontcdn/css?family=Montserrat);
Sun, May 13, 8:36 PM · User-Urbanecm, Design
Bawolff edited projects for T131541: Tools bastions are often unreliable, added: Toolforge; removed Cloud-Services.
Sun, May 13, 4:54 AM · Toolforge, Patch-For-Review
Bawolff edited projects for T131541: Tools bastions are often unreliable, added: Cloud-Services; removed Toolforge.
Sun, May 13, 4:21 AM · Toolforge, Patch-For-Review
Bawolff edited projects for T131541: Tools bastions are often unreliable, added: Toolforge; removed Cloud-Services, Security.
Sun, May 13, 4:20 AM · Toolforge, Patch-For-Review
Bawolff edited projects for T131541: Tools bastions are often unreliable, added: Cloud-Services; removed Security, Toolforge.
Sun, May 13, 4:20 AM · Toolforge, Patch-For-Review

Sat, May 12

Bawolff added a comment to T194580: Design review for MontserratFont extension.

(I don't really have the authority to declare that it doesn't need one, more just my opinion, so I'm hesitant to mark wontfix.)

Sat, May 12, 7:53 PM · User-Urbanecm, Design
Bawolff added a comment to T194580: Design review for MontserratFont extension.

I don't really think this needs a design review: it's not going on an actual wiki project like Wikipedia, doesn't by itself change any of the interface (it only gives editors the option to use a different font in content, our official design font at that), and the requirement for design reviews has been applied incredibly inconsistently at the best of times.

Sat, May 12, 7:29 PM · User-Urbanecm, Design
Bawolff closed T194578: Security review for MontserratFont as Resolved.

Approved

Sat, May 12, 7:20 PM · User-Urbanecm, Security-Reviews
Bawolff closed T194578: Security review for MontserratFont, a subtask of T194577: Deploy MontserratFont extension to Wikimania2018 wiki, as Resolved.
Sat, May 12, 7:20 PM · MontserratFont, Wikimedia-extension-review-queue, Wikimedia-Extension-setup
Bawolff updated subscribers of T194561: noindex tag dropped on Archived "wiki/Talk" pages on Wikipedia.

@Brandtdaniel: Thanks for reporting this and welcome to Wikimedia Phabricator. Could you elaborate why this is a security issue? Thanks!

Sat, May 12, 4:48 PM · Pywikibot-core, Pywikibot-archivebot.py

Fri, May 11

Nemo_bis awarded T193572: Make mediawiki-l archives indexed by search engines a Mountain of Wealth token.
Fri, May 11, 4:48 AM · Patch-For-Review, Wikimedia-Mailing-lists

Thu, May 10

Bawolff closed T193572: Make mediawiki-l archives indexed by search engines as Resolved.
Thu, May 10, 4:23 PM · Patch-For-Review, Wikimedia-Mailing-lists
Bawolff added a project to T194398: Require elevated session security for giving elevated permissions: Security-Team.
Thu, May 10, 4:08 PM · Security-Team, Security-Extensions, MediaWiki-extensions-OAuth
Bawolff added a comment to T194398: Require elevated session security for giving elevated permissions.

FWIW, the main one that I'm worried about are grants containing the "userrights" right and grants containing "editinterface"

Thu, May 10, 4:08 PM · Security-Team, Security-Extensions, MediaWiki-extensions-OAuth
Bawolff added a comment to T194393: Implement PSR-15 in MediaWiki.

What's the usecase here? Are we trying to reimplement fastcgi in PHP or something?

Thu, May 10, 2:23 PM · MediaWiki-General-or-Unknown, Developer-Wishlist
Bawolff added a comment to T194385: Reword notification of failed logins to avoid unnecessary password changes.

It was interesting to see the amount of people independently reporting this after just getting one email too...

Thu, May 10, 12:49 PM · Voice & Tone, Security-Team, MediaWiki-extensions-LoginNotify
Bawolff added a project to T194385: Reword notification of failed logins to avoid unnecessary password changes: Security-Team.

I agree, we certainly saw a lot of people unnecessarily panicking.

Thu, May 10, 12:44 PM · Voice & Tone, Security-Team, MediaWiki-extensions-LoginNotify

Wed, May 9

Bawolff added a comment to T194125: [RFC] Future of charset and collation for mediawiki on mysql.

I fully support killing the "Do you want to use UTF-8 collation" option (aka the BMP-only utf8 collation) in the installer. It's a poorly explained option that I'm sure 99% of our users misunderstand, and it just increases the diversity of things that can go wrong.

Wed, May 9, 1:49 AM · MediaWiki-Platform-Team, MediaWiki-Database

Tue, May 8

Bawolff added a comment to T194160: Unlock the login of bot user TaxonBot@TaxonBot to dewiki.

Throttle is now clear.

Tue, May 8, 5:02 PM · Wikimedia-Site-requests
Bawolff added a comment to T194160: Unlock the login of bot user TaxonBot@TaxonBot to dewiki.

I am going to clear the throttle, but please make sure your bot is working as well (it would also be good for it to not repetitively try to log in during errors), or it will just get throttled again.

Tue, May 8, 4:46 PM · Wikimedia-Site-requests
Bawolff added a comment to T194160: Unlock the login of bot user TaxonBot@TaxonBot to dewiki.

Also weirdly, we are not seeing the throttle message in the logs. Perhaps the throttle doesn't get logged in the botpassword case. Something to look into later.

Tue, May 8, 4:42 PM · Wikimedia-Site-requests
Bawolff added a comment to T194160: Unlock the login of bot user TaxonBot@TaxonBot to dewiki.

This definitely has nothing to do with the attack (except possibly you changed your password, which resulted in your bot giving the wrong password).

Tue, May 8, 4:40 PM · Wikimedia-Site-requests
Bawolff updated the task description for T193909: update phan-taint-check to 1.2.0.
Tue, May 8, 1:10 AM · MW-1.32-release-notes (WMF-deploy-2018-05-08 (1.32.0-wmf.3)), Patch-For-Review, phan-taint-check-plugin
Bawolff added a comment to T188160: Investigation: Block by combination of hashed identifiable information (e.g. user agent, screen resolution, etc.) in addition to IP range.

Ideally we will use enough parameters to create very unique fingerprints making it harder to "brute force" the hash

Tue, May 8, 12:41 AM · Anti-Harassment (AHT Sprint 16)

Mon, May 7

Bawolff added a comment to T193769: Thousands of failed login attempts (wrong password).

Hi everyone. While the attacker continues to try to log in, we are currently blocking his/her login attempts. At this time, there is no need to panic or do anything. We of course encourage all users to always use a strong password.

Mon, May 7, 6:11 PM · Security-Team
Bawolff committed rELGNd738842b4293: Do not send email notice for throttled login attempts (authored by Bawolff).
Do not send email notice for throttled login attempts
Mon, May 7, 5:16 PM
Bawolff committed rELGN4a88e8375bd1: Do not send email notice for throttled login attempts (authored by Bawolff).
Do not send email notice for throttled login attempts
Mon, May 7, 4:39 PM
Bawolff added a comment to T193769: Thousands of failed login attempts (wrong password).

Can I please be added to T193762 ? Thanks.

Mon, May 7, 4:02 PM · Security-Team
Bawolff added a comment to T155029: MediaWiki.org: Generate infoboxes from extension.json in git.

I got bored of waiting for this to exist, and figured perfect is the enemy of good (or at least the enemy of acceptable for the moment but kind of crappy).

Mon, May 7, 12:55 AM · User-Tgr, MediaWiki-Stakeholders-Group, Developer-Wishlist (2017), MediaWiki-Documentation, Documentation

Fri, May 4

Bawolff updated the task description for T193909: update phan-taint-check to 1.2.0.
Fri, May 4, 9:21 PM · MW-1.32-release-notes (WMF-deploy-2018-05-08 (1.32.0-wmf.3)), Patch-For-Review, phan-taint-check-plugin
Bawolff added a comment to T193909: update phan-taint-check to 1.2.0.

CategoryTree also has some potential false positives from the new version:

./includes/CategoryTreeHooks.php:113 SecurityCheck-XSS Outputting user controlled HTML from Parser function hook \CategoryTreeHooks::parserFunction (Caused by: ./includes/CategoryTreeHooks.php +112)
./includes/CategoryTreeHooks.php:168 SecurityCheck-XSS Outputting user controlled HTML from Parser tag hook \CategoryTreeHooks::parserHook (Caused by: ./includes/CategoryTree.php +386; ./includes/CategoryTreeHooks.php +144; ./includes/CategoryTreeHooks.php +155)
./includes/CategoryTreePage.php:119 SecurityCheck-XSS Calling method \OutputPage::addHTML() in \CategoryTreePage::execute that outputs using tainted argument $[arg #1]. (Caused by: ./includes/CategoryTree.php +556)
Fri, May 4, 8:44 PM · MW-1.32-release-notes (WMF-deploy-2018-05-08 (1.32.0-wmf.3)), Patch-For-Review, phan-taint-check-plugin
Bawolff added a comment to T193909: update phan-taint-check to 1.2.0.

Fails on extension Cite:

Fri, May 4, 8:20 PM · MW-1.32-release-notes (WMF-deploy-2018-05-08 (1.32.0-wmf.3)), Patch-For-Review, phan-taint-check-plugin
Bawolff added a project to T193909: update phan-taint-check to 1.2.0: phan-taint-check-plugin.
Fri, May 4, 8:20 PM · MW-1.32-release-notes (WMF-deploy-2018-05-08 (1.32.0-wmf.3)), Patch-For-Review, phan-taint-check-plugin
Bawolff created T193909: update phan-taint-check to 1.2.0.
Fri, May 4, 8:19 PM · MW-1.32-release-notes (WMF-deploy-2018-05-08 (1.32.0-wmf.3)), Patch-For-Review, phan-taint-check-plugin
Bawolff closed T187377: Get taint info from docblock comments instead of having a hardcoded list as Resolved.
Fri, May 4, 8:12 PM · Patch-For-Review, phan-taint-check-plugin
Bawolff added a comment to T193769: Thousands of failed login attempts (wrong password).

Since the crack started, the CAPTCHA error rate was high.
However, at about 5/3 18:30 UTC, the CAPTCHA error rate suddenly falls (from almost 100% to a normal rate).
Guess: the cracker found a way to bypass the CAPTCHA check (e.g. proxies, fake IPs).

Or they gave up (temporarily)? Don't jump to conclusions so quickly :)

Fri, May 4, 5:53 PM · Security-Team
Bawolff added a subtask for T193769: Thousands of failed login attempts (wrong password): Unknown Object (Task).
Fri, May 4, 5:21 PM · Security-Team
Bawolff added a comment to T193769: Thousands of failed login attempts (wrong password).

Since the crack started, the CAPTCHA error rate was high.
However, at about 5/3 18:30 UTC, the CAPTCHA error rate suddenly falls (from almost 100% to a normal rate).
Guess: the cracker found a way to bypass the CAPTCHA check (e.g. proxies, fake IPs).

Fri, May 4, 3:18 PM · Security-Team
Bawolff added a comment to T193769: Thousands of failed login attempts (wrong password).

Are there any matters to worry about?

Fri, May 4, 2:53 PM · Security-Team

Thu, May 3

Bawolff added a comment to T193769: Thousands of failed login attempts (wrong password).

For reference, this is a dupe of private bug T193762. Not marking as dupe as I don't want to dupe a public bug to a private one.

Thu, May 3, 10:31 PM · Security-Team
Bawolff added a comment to T193769: Thousands of failed login attempts (wrong password).

We are aware of the situation and are monitoring it and introducing mitigations.

Thu, May 3, 10:23 PM · Security-Team

Wed, May 2

Bawolff added a comment to T118131: Credit security researchers that identify and disclose vulnerabilities.

@Bawolff this is great. One thought I had from looking at https://www.mediawiki.org/wiki/Reporting_security_bugs and https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks is that they both only mention credit for vulnerabilities found in MediaWiki core or a bundled extension. I feel one missing part will be crediting those who report security issues in Wikimedia-deployed extension. These may not make sense to credit in the MW core CREDITS file as the issues weren't part of the code distributed in the tarballs, but it does seem worthwhile to also find a nice place to credit those who reported security issues that affected Wikimedia wikis such as through a deployed extension, as they're helping keep Wikimedia projects secure even if it's not an issue that is part of core or a bundled extension. What do you think?

Wed, May 2, 4:56 PM · Security-Team, Developer-Relations, Security-General
Bawolff added a comment to T169964: Counter of the numbers of the pages on a category shows negative result.

@Bencemac, can you confirm this is fixed now?

Wed, May 2, 4:42 PM · MediaWiki-Categories, MediaWiki-General-or-Unknown
Bawolff added a comment to T169964: Counter of the numbers of the pages on a category shows negative result.

And done.

Wed, May 2, 4:39 PM · MediaWiki-Categories, MediaWiki-General-or-Unknown
Bawolff added a comment to T169964: Counter of the numbers of the pages on a category shows negative result.

We need to run recountCategories.php on huwiki.

Wed, May 2, 3:45 PM · MediaWiki-Categories, MediaWiki-General-or-Unknown

Tue, May 1

Bawolff added a comment to T193222: Error: 1071 Specified key was too long; max key length is 767 bytes.

Personally, I think we should just make everything varbinary(), or be more explicit about what fields are charset configurable.

Tue, May 1, 11:30 PM · Patch-For-Review, Release-Engineering-Team (Kanban), Quibble
Bawolff added a project to T193573: Consider allowing mailing lists to be indexed by archive.org: Wikimedia-Mailing-lists.
Tue, May 1, 9:46 PM · Wikimedia-Mailing-lists, Internet-Archive
Bawolff created T193573: Consider allowing mailing lists to be indexed by archive.org.
Tue, May 1, 9:46 PM · Wikimedia-Mailing-lists, Internet-Archive
Bawolff created T193572: Make mediawiki-l archives indexed by search engines.
Tue, May 1, 9:31 PM · Patch-For-Review, Wikimedia-Mailing-lists
Bawolff added a comment to T118131: Credit security researchers that identify and disclose vulnerabilities.

Ah, forgot about this bug.

Tue, May 1, 9:08 PM · Security-Team, Developer-Relations, Security-General
Bawolff awarded T193408: SPF record for canonical domains a Love token.
Tue, May 1, 8:11 PM · Patch-For-Review, Mail, Operations
Bawolff updated the task description for T193552: Make installer grant only needed rights to db user.
Tue, May 1, 7:37 PM · Security-Core, MediaWiki-Installer, Security
Bawolff created T193552: Make installer grant only needed rights to db user.
Tue, May 1, 7:33 PM · Security-Core, MediaWiki-Installer, Security
Bawolff added a comment to T193222: Error: 1071 Specified key was too long; max key length is 767 bytes.

Note that the installer will normally set either $wgDBTableOptions = 'ENGINE=InnoDB,DEFAULT CHARSET=binary'; or $wgDBTableOptions = 'ENGINE=InnoDB,DEFAULT CHARSET=utf8'; depending on option selection (eww, I think we should kill utf8 from the installer, but that's a separate issue).

Tue, May 1, 7:27 PM · Patch-For-Review, Release-Engineering-Team (Kanban), Quibble
Bawolff created T193521: Consider adding expect-CT: header to enforce certificate transparency.
Tue, May 1, 6:28 PM · Traffic, Operations
Bawolff added a comment to T190015: Create separate user group for editing sitewide CSS/JavaScript that does not include administrators by default.

As for attr()-based CSRF-token-stealing attacks, those don't work in any browser today. OTOH looking at the relevant feature requests it does not seem like browser vendors feel it will be their job to prevent them...

Tue, May 1, 5:30 PM · User-Tgr, Trust-and-Safety, TechCom, Wikimedia-General-or-Unknown, Patch-For-Review, Security, JavaScript, Security-Core
Bawolff added a watcher for Security-Data-Mapping: Bawolff.
Tue, May 1, 4:32 PM
Bawolff added a watcher for Security-Core: Bawolff.
Tue, May 1, 4:31 PM
Bawolff added a comment to T190015: Create separate user group for editing sitewide CSS/JavaScript that does not include administrators by default.

Changed to add separate editsitejs, editsitecss, editsitejson permissions per code review discussion (and recent changes to user subpage permissions). Admins are left with editsitecss and editsitejson (and same for user subpages), on the hypothesis that CSS is used somewhat more than JS (styling infoboxes etc) and there is more security benefit in keeping the JS editor group as small as possible than in limiting access to the (relatively harmless) CSS/JSON edit rights. I am not sure about that and would welcome feedback (especially from @Bawolff or others on the security team).

Tue, May 1, 4:31 PM · User-Tgr, Trust-and-Safety, TechCom, Wikimedia-General-or-Unknown, Patch-For-Review, Security, JavaScript, Security-Core

Mon, Apr 30

Bawolff updated the task description for T151735: SVG filter evasion using default attribute values in DTD declaration.
Mon, Apr 30, 1:17 PM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release-notes, Patch-For-Review, Vuln-XSS, Multimedia, Security
Bawolff updated the task description for T144845: XSS in SearchHighlighter::highlightText() [requires non-default config].
Mon, Apr 30, 1:12 PM · MW-1.27-release-notes, MW-1.29-release (WMF-deploy-2017-04-11_(1.29.0-wmf.20)), MW-1.29-release-notes, MW-1.28-release-notes, Vuln-XSS, Discovery, MediaWiki-Search, Security
Bawolff added a comment to T57548: Html::expandAttributes can be tricked into omitting necessary quotes.

Can this be made public now?

Mon, Apr 30, 12:56 PM · Patch-For-Review, Security, Security-Core
Bawolff changed the visibility for T57548: Html::expandAttributes can be tricked into omitting necessary quotes.
Mon, Apr 30, 12:56 PM · Patch-For-Review, Security, Security-Core

Sun, Apr 29

Bawolff moved T181660: Experiment using phan for static analysis from Backlog to Other codebases/deploying on the phan-taint-check-plugin board.
Sun, Apr 29, 3:28 PM · phan-taint-check-plugin, Security-Team