
Bawolff (Brian Wolff)
Busy-bodyAdministrator

User Details

User Since
Oct 25 2014, 1:53 AM (449 w, 1 d)
Roles
Administrator
Availability
Available
IRC Nick
Bawolff
LDAP User
Brian Wolff
MediaWiki User
Bawolff

Hi!

Recent Activity

Fri, Jun 2

Bawolff added a comment to T337700: Exception: preg_match_all error 4: Malformed UTF-8 characters, possibly incorrectly encoded.

I meant it's on windows-1252, we run iconv('windows-1252', 'UTF-8//IGNORE', $text) on it (see moveToExternal::resolveLegacyEncoding)

One of them that's causing error is here:
https://sv.wikipedia.org/w/index.php?title=Diskussion:Bardhyl_Londo&action=edit

It looks interesting:

image.png (83×1 px, 19 KB)

Parsing it is fataling.

I can ask for a backup to see what exactly was stored for these entries. I'll do that on Monday.

Fri, Jun 2, 10:54 PM · Wikimedia-database-issue (Bad data), MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), Wikimedia-production-error
Bawolff added a comment to T337700: Exception: preg_match_all error 4: Malformed UTF-8 characters, possibly incorrectly encoded.

I don't really understand. If the rows were legacy encoded as windows-1252, why would we convert UTF-8//IGNORE to UTF-8?

Fri, Jun 2, 10:38 PM · Wikimedia-database-issue (Bad data), MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), Wikimedia-production-error
Bawolff added a comment to T337700: Exception: preg_match_all error 4: Malformed UTF-8 characters, possibly incorrectly encoded.

When I checked for that page that got deleted in svwiktionary, they were indeed moved by me. My guess is that they were invalid legacy encoding which would have not caused an error but when moved to utf-8, the check became strict which is fine in some cases but not all. I looked for any mediawiki page in nlwiki to make sure I won't break the wiki: T128154#8899826 I'll go and manually edit those 10 pages to fix their encoding.

Fri, Jun 2, 10:08 PM · Wikimedia-database-issue (Bad data), MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), Wikimedia-production-error

Wed, May 31

Bawolff added a comment to T337700: Exception: preg_match_all error 4: Malformed UTF-8 characters, possibly incorrectly encoded.

I think without the patch the error would still happen, just much more silently, but still just as broken. I don't think it's an improvement to show a blank page.

Wed, May 31, 7:22 PM · Wikimedia-database-issue (Bad data), MW-1.41-notes (1.41.0-wmf.12; 2023-06-06), Wikimedia-production-error

Tue, May 30

DAlangi_WMF awarded T337695: Security Issue Access Request for Bawolff a Like token.
Tue, May 30, 2:56 PM · SecTeam-Processed, Security-Team, Security
Bawolff added a comment to T337695: Security Issue Access Request for Bawolff.

Happy to sign a new NDA if necessary.

Tue, May 30, 2:49 PM · SecTeam-Processed, Security-Team, Security

Mon, May 29

Legoktm awarded T337695: Security Issue Access Request for Bawolff a Like token.
Mon, May 29, 11:22 PM · SecTeam-Processed, Security-Team, Security
Bawolff created T337695: Security Issue Access Request for Bawolff.
Mon, May 29, 6:18 PM · SecTeam-Processed, Security-Team, Security
Bawolff added a comment to T334940: All Graphs broken on Wikimedia wikis (due to security issue T334895).

That wouldn't work for graphs using custom protocols like wikiraw: (well, it would work, but you'd end up with a specification you can't really render outside MediaWiki). Not sure what fraction of graphs that would affect.

What portion of Wikipedia/Wikimedia is rendered outside of MediaWiki anyways? Sorry if this is a dumb question, but wouldn't that just be downstream users like site mirrors?

Mon, May 29, 12:12 AM · Regression, User-notice, Tech-Ambassadors, MediaWiki-extensions-Graph

Thu, May 25

Bawolff committed rEBOP4fc7f7b77772: Fix the XSS vulnerability in the example extension. Also comment it more… (authored by Bawolff).
Fix the XSS vulnerability in the example extension. Also comment it more (Since…
Thu, May 25, 6:59 PM
Bawolff committed rEPRZ2838d95482e5: Fix phan-taint-check errors (authored by Bawolff).
Fix phan-taint-check errors
Thu, May 25, 6:53 PM

Sun, May 21

Bawolff added a comment to T335073: PHP Fatal error: Declaration of MWCallbackStream::write($string) must be compatible with Psr\Http\Message\StreamInterface::write(string $string): int in /var/www/mediawiki/includes/http/MWCallbackStream.php on line 49 with guzzlehttp/psr7 2.5.0.

In the case of zip downloads, how would it be? I didn't download the core with composer and although I applied the patch that Taavi recommended it doesn't work. Should I include the file "composer.local.json" then?

Sun, May 21, 4:19 PM · MediaWiki-Vendor

Sat, May 20

Bawolff added a comment to T50175: Scribunto/Lua should have a built-in method for retrieving categories used on a page.

There are also opportunistic link updates if the page is "dynamic", but yes it is limited.

Sat, May 20, 4:49 AM · Patch-For-Review, MediaWiki-extensions-Scribunto

Fri, May 19

Bawolff added a comment to T50175: Scribunto/Lua should have a built-in method for retrieving categories used on a page.

You can definitely already do this - e.g. make the category used depend on the current time or something. It does seem like this might make the problem worse though.

Fri, May 19, 8:00 PM · Patch-For-Review, MediaWiki-extensions-Scribunto
Bawolff added a comment to T276992: Uploads via Lingualibre-Commons are hitting an upload ratelimit.

So I was chatting with @Yug at the hackathon about this. He was hoping this could be reconsidered.

Fri, May 19, 6:29 PM · SecTeam-Processed, Wikimedia-Site-requests, Commons, Lingua Libre
Bawolff added a comment to T50175: Scribunto/Lua should have a built-in method for retrieving categories used on a page.

I don't think it falls afoul of that as long as it is reflecting DB state (current contents of categorylinks) and not the currently parsed page.

Fri, May 19, 4:10 PM · Patch-For-Review, MediaWiki-extensions-Scribunto
waldyrious awarded T336632: Experiment with rich media a 100 token.
Fri, May 19, 2:47 PM · Wikimedia-Hackathon-2023
Bawolff updated the task description for T336632: Experiment with rich media.
Fri, May 19, 1:00 PM · Wikimedia-Hackathon-2023
Bawolff awarded T337014: +2 in mediawiki/ for Lucas Werkmeister [volunteer] a Like token.
Fri, May 19, 11:12 AM · MediaWiki-Gerrit-Group-Requests

Thu, May 18

Bawolff added a comment to T336632: Experiment with rich media.

I think a lot of confusion around Graph comes from the fact that it tries to serve two very different use cases:

  • Visualizations based on structured sequential data (as opposed to Wikidata which is structured key-value data). You put the numbers in a data table on Commons, Graph pulls in the data and renders a chart or map. This allows for data sharing across wikis, machine-readability and writeability, separation of article maintenance and data updates etc. etc. It would basically bring the advantages of Wikidata to another domain of data.
  • Rich interactive content - maps or diagrams where you can zoom in, animations explaining how machines work, whatever.

As far as I can tell, neither of these had any appreciable uptake. Most graphs don't use external data and just dump it into the wikitext; most graphs don't include a meaningful level of interactivity, and are very basic data visualizations like bar charts or pie charts. The future of the extension is in doubt because of technical issues (although of course the lack of adoption influences how much effort is spent attempting to fix those technical issues), but its failure at adoption is because of product issues. Using it is just not intuitive enough and not well explained; using it in a non-trivial way (such as actually providing rich media), even more so.

So I think the key question is not what's technically possible (or cool from a hacker's point of view) but what would editors be actually willing to use?

Thu, May 18, 12:07 PM · Wikimedia-Hackathon-2023

Tue, May 16

Bawolff added a comment to T336595: Restrict editing of Vega spec to a small set of users.

Aside from the vega and security problems, would there be another possibility to call and show directly the result of a wikidata sparql query, for instance, https://w.wiki/6i7n inside a wiki article?

Tue, May 16, 5:53 AM · Security, MediaWiki-extensions-Graph
Bawolff added a watcher for VPS-project-Extdist: Bawolff.
Tue, May 16, 4:26 AM
Bawolff added a comment to T336710: Move clients off of gerrit-replica.wikimedia.org back to gerrit.wikimedia.org.

Extdist is also using replica currently.

Tue, May 16, 4:25 AM · VPS-project-Extdist, VPS-project-Codesearch, Gerrit, serviceops-collab
Bawolff added a project to T336710: Move clients off of gerrit-replica.wikimedia.org back to gerrit.wikimedia.org: VPS-project-Extdist.
Tue, May 16, 4:24 AM · VPS-project-Extdist, VPS-project-Codesearch, Gerrit, serviceops-collab
Bawolff added a watcher for ExtensionDistributor: Bawolff.
Tue, May 16, 4:13 AM

Mon, May 15

Bawolff added a comment to T336595: Restrict editing of Vega spec to a small set of users.

The main reason I would argue for iframe sandboxing is that it ties it to the browser same origin policy.

Mon, May 15, 5:34 PM · Security, MediaWiki-extensions-Graph

Sun, May 14

Bawolff created T336632: Experiment with rich media.
Sun, May 14, 6:42 AM · Wikimedia-Hackathon-2023

Sat, May 13

Bawolff added a comment to T66460: Dynamically generate files with Scribunto.

I've been experimenting a little bit in this direction with https://www.mediawiki.org/wiki/Extension:Monstranto

Sat, May 13, 3:21 PM · Patch-Needs-Improvement, MediaWiki-extensions-Scribunto
Bawolff added a comment to T222807: Sandbox Graph extension into an iframe.

It would be the same parser output since it would come from the parser cache.

Sat, May 13, 5:26 AM · MediaWiki-extensions-Graph
Bawolff added a comment to T336595: Restrict editing of Vega spec to a small set of users.

That seems much simpler. You'd lose interactivity of graphs, but let's be honest... the interactivity part has been an 8 year long nightmare. Maybe it's time to put that to bed and accept defeat. I'm sure it would piss off many people, but the entire organization is over committed; choices unfortunately have to be made.

Sat, May 13, 4:00 AM · Security, MediaWiki-extensions-Graph

Fri, May 12

Bawolff added a comment to T336595: Restrict editing of Vega spec to a small set of users.

Are they? Something like {{Map with marks}} seems entirely compatible with a specification JSON template approach to me. (Migrating existing graph templates would certainly be unpleasant work, though.)

Fri, May 12, 6:50 PM · Security, MediaWiki-extensions-Graph
Bawolff added a comment to T336595: Restrict editing of Vega spec to a small set of users.

The specification would be less flexible - right now you can use templates or Lua to make the specification dynamically depend on the parameters of the graph, this would become impossible. Other than the data and maybe a few other predefined modification points, specifications would be static. Not sure if this would significantly impact real-world usage.

Fri, May 12, 6:01 PM · Security, MediaWiki-extensions-Graph
Bawolff added a comment to T173955: Allow additional LocalSettings to be overriden by environment variables.

This seems like it would be easy to add as an extension (as long as it is just config and not loading other extensions). I'm not sure that I think it makes sense in core, or at least not until it has a proven track record of people using it.

Fri, May 12, 12:06 AM · User-brennen, Developer-Wishlist (Next), MediaWiki-Configuration

Mon, May 8

Bawolff committed rEDTH3aac2b65f1b5: Update for 1.39 (authored by Bawolff).
Update for 1.39
Mon, May 8, 7:49 AM

Sun, May 7

Bawolff added a comment to T335073: PHP Fatal error: Declaration of MWCallbackStream::write($string) must be compatible with Psr\Http\Message\StreamInterface::write(string $string): int in /var/www/mediawiki/includes/http/MWCallbackStream.php on line 49 with guzzlehttp/psr7 2.5.0.

Pinning indirect dependencies doesn't make a lot of sense for an application which has a plugin system, as the plugins have their own dependencies and pinning might cause unnecessary conflicts. Pinning is generally something better performed by the site administrator IMO (e.g. Wikimedia wikis pin versions via mediawiki-vendor).

Sun, May 7, 6:20 AM · MediaWiki-Vendor

Sat, May 6

Bawolff added a comment to T249573: RFC: Remove ability to install extensions and skins with Composer.

I think a simpler solution to the problem of Composer installing compatible extensions is for extensions to increment their major version number when they drop support for a version of core.

Sat, May 6, 3:49 PM · Patch-For-Review, TechCom-RFC, Composer, MediaWiki-General
Bawolff added a comment to T336011: MCR should ignore unknown content handlers for non-main slots.

However, this seems like what FallbackSlotRoleHandler is supposed to do.

Sat, May 6, 6:05 AM · Multi-Content-Revisions
Bawolff added a project to T209923: Surface hidden and "undefined" slots via a single slot view : Multi-Content-Revisions.
Sat, May 6, 5:40 AM · Multi-Content-Revisions, Platform Team Initiatives (MCR), Wikidata

Fri, May 5

Bawolff added a comment to T335770: REST API is not invalidating caches after template and/or module changes.

@akosiaris if I curl it from San Francisco (VPN) I don't see it. If I curl it from Belgium (no VPN) I see it. It's being seen by at least one other experienced editor at Wikivoyage as well. If it's not CDN... what could possibly be up with the geographical discrepancy? s-maxage=1209600, max-age=0??

Fri, May 5, 9:04 PM · SRE, Traffic, RESTBase-API, RESTBase
Bawolff added a comment to T249573: RFC: Remove ability to install extensions and skins with Composer.

Sorry, I just realized I misunderstood how this feature worked, and I don't think it is a viable solution to the problem it is trying to solve. I still stand by my comment about code-owners being a path that we as a community should move forward on. However I no longer object to this feature being removed, as I don't think it is a viable way forward to the versioning problem, since using it means you cannot install the extension independently of composer, which is kind of critical to how the majority of people use composer. So consider my objection withdrawn.

Fri, May 5, 7:13 PM · Patch-For-Review, TechCom-RFC, Composer, MediaWiki-General
Bawolff added a comment to T249573: RFC: Remove ability to install extensions and skins with Composer.

I don't know how technically feasible it is but I think it should be possible but out of core, into a dedicated repo that could have core as a submodule.

Fri, May 5, 7:10 PM · Patch-For-Review, TechCom-RFC, Composer, MediaWiki-General

May 4 2023

Bawolff created T336013: MCR should have a hook so you can atomically update your slot when the user edits the main slot.
May 4 2023, 8:52 PM · Multi-Content-Revisions
Ciencia_Al_Poder awarded T336011: MCR should ignore unknown content handlers for non-main slots a Like token.
May 4 2023, 8:46 PM · Multi-Content-Revisions
Bawolff created T336011: MCR should ignore unknown content handlers for non-main slots.
May 4 2023, 8:41 PM · Multi-Content-Revisions
Bawolff added a comment to T249573: RFC: Remove ability to install extensions and skins with Composer.

So, I sort of had a change of heart about this task. (To be clear because it is confusing, by this task, I mean removing support for depending on the fake mediawiki/mediawiki dependency in composer.)

May 4 2023, 6:11 PM · Patch-For-Review, TechCom-RFC, Composer, MediaWiki-General
Bawolff added a comment to T335770: REST API is not invalidating caches after template and/or module changes.

Other users (@SHB2000, @Bawolff) reported seeing "Anorexia is fun" two days ago when I reported it, although SHB2000 now reports that it's clean. (The vandalism occurred on 28 April; I reported on 2 May)

May 4 2023, 3:22 PM · SRE, Traffic, RESTBase-API, RESTBase

May 3 2023

Bawolff added a comment to T335051: Application Security Review Request : Vega 5 and related dependencies for ext:Graph.

Historically I think the concern was you load a normal page as a csv file, parse out the edit token from the html source, then leak the edit channel via a side channel to an attacker. [Otoh good luck executing csrf style attacks on a modern browser, so maybe that specific scenario is less relevant now, although similar scenarios may still matter]

May 3 2023, 8:06 PM · MediaWiki-extensions-Graph, SecTeam-Processed, user-sbassett, secscrum, Security, Application Security Reviews
Bawolff created T335828: Add option in installer to connect to db using tls ($wgDBssl).
May 3 2023, 4:13 AM · MW-1.41-notes (1.41.0-wmf.10; 2023-05-23), MediaWiki-Installer

May 2 2023

Bawolff updated the task description for T335730: gerrit-replica seems out of date breaking extension distributor.
May 2 2023, 7:20 AM · ExtensionDistributor, Gerrit
Bawolff added a project to T335730: gerrit-replica seems out of date breaking extension distributor: ExtensionDistributor.
May 2 2023, 7:19 AM · ExtensionDistributor, Gerrit
Bawolff created T335730: gerrit-replica seems out of date breaking extension distributor.
May 2 2023, 7:19 AM · ExtensionDistributor, Gerrit

May 1 2023

Bawolff added a comment to T222807: Sandbox Graph extension into an iframe.

I mean, for any dynamic parser function, you'd be kind of hoping that you retrieve the same parser output. {{NUMBEROFARTICLES}} is commonly used as a very bad pseudo-random number generator on enwiki. It seems like you would often retrieve different parser outputs and the graphs wouldn't match if they used dynamic parser functions, unless i misunderstand the plan.

May 1 2023, 8:58 PM · MediaWiki-extensions-Graph
Bawolff added a comment to T332850: Undeploy DoubleWiki Extension from Wikimedia production.

The security team would like to temporarily undeploy this extension due to security concerns. The target date is the week of May 1 for the undeploy.

Do we even have any stats on its use?

May 1 2023, 2:02 AM · User-notice, Patch-For-Review, MediaWiki-extensions-DoubleWiki, Code-Stewardship-Reviews

Apr 29 2023

Bawolff added a comment to T335617: On postgresql $wgDBssl should make sslmode be 'verify-full' not 'required'.

Actually, I just read:

Apr 29 2023, 4:22 AM · Security, PostgreSQL, MediaWiki-libs-Rdbms
Bawolff created T335617: On postgresql $wgDBssl should make sslmode be 'verify-full' not 'required'.
Apr 29 2023, 4:04 AM · Security, PostgreSQL, MediaWiki-libs-Rdbms

Apr 28 2023

Bawolff added a comment to T332850: Undeploy DoubleWiki Extension from Wikimedia production.

What does "temporarily" mean here? It seems unlikely anyone is going to come around and fix the extension any time soon. If it's going to be permanent we shouldn't mislead people.

Apr 28 2023, 6:33 AM · User-notice, Patch-For-Review, MediaWiki-extensions-DoubleWiki, Code-Stewardship-Reviews

Apr 27 2023

Bawolff added a comment to T222807: Sandbox Graph extension into an iframe.

I mean, traditional in the sense of loading it via a URL. It would still be sandboxed. That would make it behave as if it were from a different domain on almost all browsers where we actually load Javascript.

Apr 27 2023, 4:39 PM · MediaWiki-extensions-Graph
Bawolff added a comment to T222807: Sandbox Graph extension into an iframe.

traditional iframes (results in a bunch of extra requests + need to pass state, which imposes GET length constraints)?

Apr 27 2023, 3:52 PM · MediaWiki-extensions-Graph

Apr 26 2023

Bawolff added a comment to T290686: Code Stewardship Review: EasyTimeline.

The fact that there have been close to no issues in 20 years, where Graph has had many issues even before the current one.

Apr 26 2023, 3:07 AM · EasyTimeline, Code-Stewardship-Reviews

Apr 25 2023

Bawolff added a comment to T335369: Display foreign resources in the extension infobox.

I'm not sure we should. This sounds like useful information to people auditing extensions or developing extensions, but I'm not sure it is useful to the average end user.

Apr 25 2023, 10:27 PM · Tool-extjsonuploader
Bawolff added a comment to T290686: Code Stewardship Review: EasyTimeline.

I think recent events further suggest that migrating to graph would probably not be a good maintainability move.

Apr 25 2023, 3:51 PM · EasyTimeline, Code-Stewardship-Reviews

Apr 23 2023

Bawolff added a comment to T320581: Deploy Kaktovik Numerals web font.

It is likely you had a system update, and the font was added to your system. It is likely that this will depend on what operating system you are using. That or you installed the font locally.

Apr 23 2023, 3:20 AM · UniversalLanguageSelector

Apr 21 2023

Bawolff added a comment to T334940: All Graphs broken on Wikimedia wikis (due to security issue T334895).

After all this is done, are you going to publish the full explanation about the security breach?

Apr 21 2023, 1:16 PM · Regression, User-notice, Tech-Ambassadors, MediaWiki-extensions-Graph

Apr 20 2023

Bawolff added a comment to T334940: All Graphs broken on Wikimedia wikis (due to security issue T334895).

T182536 has been around for more than five years.

Apr 20 2023, 7:35 PM · Regression, User-notice, Tech-Ambassadors, MediaWiki-extensions-Graph

Apr 19 2023

Bawolff added a comment to T334895: XSS via Graph extension.

In addition to fixing the underlying issue, I think this bug shows that vega really should be rendered into an iframed sandbox.

Apr 19 2023, 2:36 PM · SecTeam-wikimedia-project-event, SecTeam-Processed, WMDE-TechWish-Sprint-2023-04-05, Editing-team, Vuln-XSS, MediaWiki-extensions-Graph, Security, Security-Team

Apr 18 2023

Bawolff added a comment to T334940: All Graphs broken on Wikimedia wikis (due to security issue T334895).

With all due respect to everyone involved, I really think it's not ok to disable something not actively being exploited [I assume, I don't know], and is used in main namespace for real articles, without giving at the bare minimum a day's notice (wikitech-l + mass message VP) so users can fix articles. Even if this was actively being exploited (or is likely to be upon announcement, has public PoC, whatever) I would expect comms to fast follow disabling. At least inside of an hour.

Apr 18 2023, 5:10 PM · Regression, User-notice, Tech-Ambassadors, MediaWiki-extensions-Graph
Bawolff created T334933: [MCR] slot role inconsistently lowercased.
Apr 18 2023, 11:37 AM · Multi-Content-Revisions
Bawolff added a comment to T290932: Figure out remoteExtPath/remoteBasePath automatically for the common case.

In addition to this being essentially duplicated info (that is often wrong, as in many extensions it's only used in debug mode so typos go unnoticed), I feel like this really doesn't make sense to specify in extension.json.

Apr 18 2023, 11:11 AM · Developer Productivity, MediaWiki-ResourceLoader, Performance-Team

Apr 17 2023

Bawolff updated subscribers of T332850: Undeploy DoubleWiki Extension from Wikimedia production.

Has anyone told the affected projects that this will happen?

Apr 17 2023, 6:14 PM · User-notice, Patch-For-Review, MediaWiki-extensions-DoubleWiki, Code-Stewardship-Reviews
Bawolff added a comment to T200915: Allow SlotRoleHandlers to control page layout.

I kind of wish there was basically some sort of hook here where i could combine things in arbitrary ways. I don't think a few predefined options is ever going to be sufficient.

Apr 17 2023, 2:16 AM · Platform Team Initiatives (MCR), Multi-Content-Revisions (New Features)

Apr 14 2023

Bawolff awarded T290759: Undeploy VipsScaler from Wikimedia wikis a Like token.
Apr 14 2023, 6:59 PM · Release-Engineering-Team (Radar), MW-1.37-notes (1.37.0-wmf.23; 2021-09-13), Wikimedia-Extension-setup, Structured-Data-Backlog, Structured Data Engineering, MediaWiki-extensions-VipsScaler

Apr 13 2023

Bawolff added a watcher for MediaWiki-extensions-GoogleNewsSitemap: Bawolff.
Apr 13 2023, 6:39 PM
Bawolff added a comment to T178356: Raise Grade A JavaScript requirement from ES5 (2009) to ES6 (2015).

Note that all browsers on iOS use WebKit engine (Chrome, Opera and even Firefox). So I doubt Puffin Browser can do anything about what they support. This is due to Apple policy which bans browser engines on their store. I guess most devs know that, but every browser on iOS is a skin over Safari (mostly).

Apr 13 2023, 2:35 PM · User-notice-archive, MW-1.41-notes (1.41.0-wmf.10; 2023-05-23), Front-end Modernization, MW-1.38-notes (1.38.0-wmf.2; 2021-09-28), Browser-Support-Internet-Explorer, Performance-Team, JavaScript, MediaWiki-ResourceLoader
Bawolff added a comment to T332971: Shared session with DNS Hackathon 2023 in Rotterdam.

As quite a few Wikimedians experience issues with IP blocks and related it might be useful to have a shared hybrid session about this problem and work on possible paths to advance it.

I'm not sure what this has to do with DNS

Apr 13 2023, 2:22 PM · Stewards-and-global-tools, DNS, Wikimedia-Hackathon-2023
Bawolff added a comment to T332971: Shared session with DNS Hackathon 2023 in Rotterdam.

As quite a few Wikimedians experience issues with IP blocks and related it might be useful to have a shared hybrid session about this problem and work on possible paths to advance it.

Apr 13 2023, 2:15 PM · Stewards-and-global-tools, DNS, Wikimedia-Hackathon-2023

Apr 12 2023

Bawolff added a comment to T173491: Change the extension of source-map files in webpack.config.js.

Why didn't we just add .map to the whitelist?

Apr 12 2023, 6:57 PM · MW-1.30-release-notes (WMF-deploy-2017-09-05 (1.30.0-wmf.17)), Readers-Web-Kanbanana-Board-Old, Technical-Debt, Readers-Web-Backlog, Page-Previews

Apr 10 2023

Bawolff added a comment to T327848: Gerrit group ownership configuration oddities.

Do you need all of these permissions still?

Apr 10 2023, 5:21 AM · Gerrit-Privilege-Requests, Gerrit

Apr 8 2023

Bawolff closed T334336: Create project tag for Historical Editing of all Romanov family linked or related Pages <INSERT HERE> as Invalid.

Some information is public. Private data will not be released.

Apr 8 2023, 10:04 PM · Trash

Apr 7 2023

Bawolff added a comment to T332495: CVE-2023-21036 (Cropped PNG files uploaded from Google Pixel still include cropped image data).

Commons already runs tests on files via bots to detect embedded info; it wouldn't surprise me if they might already detect this, although previous work was more about detecting multi-GB movies embedded in jpg files so maybe not.

Apr 7 2023, 3:10 PM · SecTeam-Processed, UploadWizard, Vuln-Infoleak, Security, Security-Team
Krinkle awarded T333776: Activeuser count never updated unless updateSpecialPages.php is run a Love token.
Apr 7 2023, 6:15 AM · MW-1.39-notes, MW-1.40-notes, MW-1.41-notes (1.41.0-wmf.4; 2023-04-10), MediaWiki-Core-JobQueue

Apr 5 2023

Bawolff added a comment to T325558: Application Security Review Request: Swagger UI.

The webpack vulnerability is pretty silly. It is basically - if an attacker can modify your source code, then they can run arbitrary code.

Apr 5 2023, 8:01 PM · secscrum, Security, Application Security Reviews
Bawolff added a comment to T249573: RFC: Remove ability to install extensions and skins with Composer.

I ran into this when cleaning up includes/ (T321882). You can bring back composer supported functionality via a new repo that uses core as submodule or anything like that. So I'm planning to merge this patch soon.

Apr 5 2023, 7:27 PM · Patch-For-Review, TechCom-RFC, Composer, MediaWiki-General
Bawolff added a comment to T178356: Raise Grade A JavaScript requirement from ES5 (2009) to ES6 (2015).

Just noting because there were some user complaints on project:Support_desk, and it doesn't seem to be mentioned here explicitly - Firefox 52 is the last supported version on windows vista, which is no longer supported.

Apr 5 2023, 12:05 PM · User-notice-archive, MW-1.41-notes (1.41.0-wmf.10; 2023-05-23), Front-end Modernization, MW-1.38-notes (1.38.0-wmf.2; 2021-09-28), Browser-Support-Internet-Explorer, Performance-Team, JavaScript, MediaWiki-ResourceLoader
Bawolff changed the visibility for T331065: Extension:Cargo XSS in Special:CargoQuery using default format.
Apr 5 2023, 11:39 AM · Vuln-XSS, MediaWiki-extensions-Cargo, Security, Security-Team
Bawolff added a comment to T331065: Extension:Cargo XSS in Special:CargoQuery using default format.

[Making public since resolved]

Apr 5 2023, 11:38 AM · Vuln-XSS, MediaWiki-extensions-Cargo, Security, Security-Team
Bawolff changed the visibility for T331311: Cargo allows storing javascript URLs in URL fields, and automatically linking them.
Apr 5 2023, 11:37 AM · MediaWiki-extensions-Cargo, Security, Security-Team
Bawolff added a comment to T331311: Cargo allows storing javascript URLs in URL fields, and automatically linking them.

[marking as public since resolved]

Apr 5 2023, 11:36 AM · MediaWiki-extensions-Cargo, Security, Security-Team
Bawolff closed T333776: Activeuser count never updated unless updateSpecialPages.php is run as Resolved.
Apr 5 2023, 11:07 AM · MW-1.39-notes, MW-1.40-notes, MW-1.41-notes (1.41.0-wmf.4; 2023-04-10), MediaWiki-Core-JobQueue

Apr 4 2023

Bawolff updated subscribers of T333980: GoogleAnalyticsMetrics extension - XSS.

@Mstyles Can this be added to next extension security supplement?

Apr 4 2023, 4:42 PM · SecTeam-Processed, Vuln-XSS, MediaWiki-extensions-GoogleAnalyticsMetrics, Security
Bawolff added a comment to T333980: GoogleAnalyticsMetrics extension - XSS.
return '<strong class="error">' .
	wfMessage( 'googleanalyticsmetrics-invalid-url' )->text() .
	'</strong>';

Doesn’t this need to be ->parse() or ->escaped() to prevent HTML injection from the googleanalyticsmetrics-invalid-url message?

Apr 4 2023, 4:40 PM · SecTeam-Processed, Vuln-XSS, MediaWiki-extensions-GoogleAnalyticsMetrics, Security
Bawolff added a comment to T333980: GoogleAnalyticsMetrics extension - XSS.

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/GoogleAnalyticsMetrics/+/905661

Apr 4 2023, 4:14 PM · SecTeam-Processed, Vuln-XSS, MediaWiki-extensions-GoogleAnalyticsMetrics, Security
Bawolff added a project to T333980: GoogleAnalyticsMetrics extension - XSS: MediaWiki-extensions-GoogleAnalyticsMetrics.
Apr 4 2023, 4:14 PM · SecTeam-Processed, Vuln-XSS, MediaWiki-extensions-GoogleAnalyticsMetrics, Security
Bawolff created T333980: GoogleAnalyticsMetrics extension - XSS.
Apr 4 2023, 4:13 PM · SecTeam-Processed, Vuln-XSS, MediaWiki-extensions-GoogleAnalyticsMetrics, Security
Bawolff awarded T333953: Security Issue Access Request for acooper a Party Time token.
Apr 4 2023, 1:54 PM · SecTeam-Processed, Security-Team, Security

Apr 3 2023

Bawolff created T333793: Page Forms: some input types double escape < and > in values.
Apr 3 2023, 5:08 AM · MediaWiki-extensions-Page_Forms
Bawolff added a comment to T333770: Evaluate Cloudflare Turnstile as a potential alternative to Wikimedia Fancy Captcha.

Cloudflare's business interests do depend on violating privacy; the US DHS has commented that the data it has (vis a vis their MITM proxy, for example) is "valuable" and offered to purchase it (source).

Apr 3 2023, 4:15 AM · Accessibility, ConfirmEdit (CAPTCHA extension), Privacy

Apr 2 2023

Bawolff added a comment to T333776: Activeuser count never updated unless updateSpecialPages.php is run.

I guess b16734996ad55b9463 broke this.

Apr 2 2023, 7:39 PM · MW-1.39-notes, MW-1.40-notes, MW-1.41-notes (1.41.0-wmf.4; 2023-04-10), MediaWiki-Core-JobQueue
Bawolff added a comment to T17666: "Active users" count invalid if updateSpecialPages hasn't been run.

This seems to have regressed, but given how old this bug is, I just created a new one, T333776, instead of reopening this one.

Apr 2 2023, 7:35 PM · MediaWiki-Special-pages
Bawolff updated the task description for T333776: Activeuser count never updated unless updateSpecialPages.php is run.
Apr 2 2023, 7:34 PM · MW-1.39-notes, MW-1.40-notes, MW-1.41-notes (1.41.0-wmf.4; 2023-04-10), MediaWiki-Core-JobQueue
Bawolff created T333776: Activeuser count never updated unless updateSpecialPages.php is run.
Apr 2 2023, 7:31 PM · MW-1.39-notes, MW-1.40-notes, MW-1.41-notes (1.41.0-wmf.4; 2023-04-10), MediaWiki-Core-JobQueue