Page MenuHomePhabricator

Dylsss
User

Projects

Today

  • Clear sailing ahead.

Tomorrow

  • Clear sailing ahead.

Thursday

  • Clear sailing ahead.

User Details

User Since
Jan 28 2021, 2:41 PM (50 w, 5 d)
Availability
Available
LDAP User
Dylsss
MediaWiki User
Dylsss [ Global Accounts ]

Recent Activity

Sun, Jan 16

Dylsss closed T184537: Special:EntityData results in Internal Server Error on revision IDs of non-entity pages as Resolved.

Looks like this was fixed at some point, example link returns 404 Not Found.

Sun, Jan 16, 10:44 PM · MediaWiki-extensions-WikibaseRepository, Wikidata
Dylsss added a comment to T68606: Media viewer fails to give credit to all people in specific circumstances.

https://en.wikipedia.org/wiki/Battle_of_Spotsylvania_Court_House#/media/File:Battle_of_Spottsylvania_by_Thure_de_Thulstrup.jpg

Little followup. Here we see Media Viewer turning a CC-by image that requires crediting me into a Public Domain image that does not credit me.

That’s because that attribution template isn’t a license template. At least not technically.

Sun, Jan 16, 6:49 PM · Multimedia, CommonsMetadata, MediaViewer

Sat, Jan 15

Dylsss added a comment to T299282: All search results on afwikibooks redirect to invalid URL (due to code in MediaWiki:Common.js).

The issue appears to be in the MediaWiki:Common.js page, the issue doesn't happen in with safemode=1, specifically line 276 in Common.js seems to be the offending line causing the malformed redirects

Sat, Jan 15, 3:22 PM · WMF-General-or-Unknown

Fri, Jan 14

Dylsss merged T299230: Incorrect attribution in Mediawiki Image viewer into T68606: Media viewer fails to give credit to all people in specific circumstances.
Fri, Jan 14, 7:28 PM · Multimedia, CommonsMetadata, MediaViewer
Dylsss merged task T299230: Incorrect attribution in Mediawiki Image viewer into T68606: Media viewer fails to give credit to all people in specific circumstances.
Fri, Jan 14, 7:28 PM · MediaViewer

Sun, Jan 2

Dylsss claimed T298453: Upload protection shown as an applicable restriction for non-existent files.
Sun, Jan 2, 9:10 PM · Patch-For-Review, MediaWiki-Page-protection
Dylsss created T298453: Upload protection shown as an applicable restriction for non-existent files.
Sun, Jan 2, 9:10 PM · Patch-For-Review, MediaWiki-Page-protection

Mon, Dec 27

Dylsss merged T298330: Avatars don't work with private wikis using image_auth.php into T163529: SocialProfile does not allow access to avatar images when using img_auth.php.
Mon, Dec 27, 2:58 AM · Social-Tools, SocialProfile
Dylsss merged task T298330: Avatars don't work with private wikis using image_auth.php into T163529: SocialProfile does not allow access to avatar images when using img_auth.php.
Mon, Dec 27, 2:58 AM · Social-Tools, SocialProfile

Sat, Dec 25

Dylsss removed Due Date on T247221: Special:Nearby should allow users to input their location (coordinates) manually too.
Sat, Dec 25, 10:43 PM · Maps (Kartographer), NearbyPages

Dec 19 2021

Dylsss merged T293980: Deleting a redirect page goes to redirect target page instead into T295435: Deleting redirects in file: namespace tries to delete the redirect target, not the redirect.
Dec 19 2021, 12:00 AM · Community-Tech (CommTech-Sprint-15), MW-1.38-notes (1.38.0-wmf.12; 2021-12-06), Commons, MediaWiki-Page-deletion
Dylsss merged task T293980: Deleting a redirect page goes to redirect target page instead into T295435: Deleting redirects in file: namespace tries to delete the redirect target, not the redirect.
Dec 19 2021, 12:00 AM · MediaWiki-Redirects, MediaWiki-Page-deletion
Dylsss added a comment to T293980: Deleting a redirect page goes to redirect target page instead.

Merging to task where this was fixed.

Dec 19 2021, 12:00 AM · MediaWiki-Redirects, MediaWiki-Page-deletion

Dec 18 2021

Dylsss added a comment to T297574: CVE-2021-45038: Unauthorized users can access private wiki contents using rollback action.

@Dylsss I'm curious how you're finding these issues - are you just going through each endpoint and looking at possible vulnerable parameters? Or do you have some tool to help with finding them?

Hi @Dylsss I'd be happy to set up a call or some other type of meeting at your convenience if that is something you'd be interested in sharing. Either way, thank you for everything you do!

Dec 18 2021, 1:14 AM · MW-1.37-notes, MW-1.36-notes, MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), MW-1.35-notes, Patch-For-Review, MediaWiki-General, Vuln-Infoleak, Security, Security-Team

Dec 17 2021

Dylsss reopened T34716: $wgWhitelistRead leaks username data (Because it allows viewing ?action=history) as "Open".

Boldly reopening because the actual issue of usernames being leaked isn't truly fixed, and the exact same information is still available in other ways, e.g. via diffs and old revisions. All that needs to be done is append ?diff=next to the URL to access usernames, comments and older revisions.

Dec 17 2021, 10:49 PM · Security, Vuln-Infoleak, MediaWiki-General
Dylsss reopened T34716: $wgWhitelistRead leaks username data (Because it allows viewing ?action=history), a subtask of T292227: Tracking bug for MediaWiki 1.35.5/1.36.3/1.37.1, as Open.
Dec 17 2021, 10:48 PM · MediaWiki-Releasing, Security

Dec 15 2021

Dylsss updated the task description for T297541: Publish FAQ for undo security bug.
Dec 15 2021, 12:49 PM · SecTeam-Processed, MediaWiki-Documentation, Security, Security-Team

Dec 13 2021

Dylsss added a comment to T297570: XSS in Wikibase using formatter URL (CVE-2021-45472).

Someone seems to have noticed this before me as you can see at https://test.wikidata.org/wiki/Property:P95266. So either this is a duplicate task or it just wasn't reported, or it's some sort of regression.

Dec 13 2021, 9:03 PM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), Wikidata-Campsite (Team A Hearth 🏰🔥), SecTeam-Processed, Wikidata, wdwb-tech, MediaWiki-extensions-WikibaseRepository, Vuln-XSS, Security
Dylsss added projects to T297574: CVE-2021-45038: Unauthorized users can access private wiki contents using rollback action: Vuln-Infoleak, MediaWiki-General.
Dec 13 2021, 12:02 AM · MW-1.37-notes, MW-1.36-notes, MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), MW-1.35-notes, Patch-For-Review, MediaWiki-General, Vuln-Infoleak, Security, Security-Team
Dylsss created T297574: CVE-2021-45038: Unauthorized users can access private wiki contents using rollback action.
Dec 13 2021, 12:01 AM · MW-1.37-notes, MW-1.36-notes, MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), MW-1.35-notes, Patch-For-Review, MediaWiki-General, Vuln-Infoleak, Security, Security-Team

Dec 12 2021

Dylsss added projects to T297570: XSS in Wikibase using formatter URL (CVE-2021-45472): Vuln-XSS, MediaWiki-extensions-WikibaseRepository, wdwb-tech, Wikidata.
Dec 12 2021, 7:31 PM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), Wikidata-Campsite (Team A Hearth 🏰🔥), SecTeam-Processed, Wikidata, wdwb-tech, MediaWiki-extensions-WikibaseRepository, Vuln-XSS, Security
Dylsss created T297570: XSS in Wikibase using formatter URL (CVE-2021-45472).
Dec 12 2021, 7:25 PM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), Wikidata-Campsite (Team A Hearth 🏰🔥), SecTeam-Processed, Wikidata, wdwb-tech, MediaWiki-extensions-WikibaseRepository, Vuln-XSS, Security

Dec 10 2021

Dylsss added a comment to T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo .
Dec 10 2021, 10:55 PM · MW-1.38-notes (1.38.0-wmf.18; 2022-01-17), Patch-For-Review, MW-1.37-notes, MW-1.36-notes, MW-1.35-notes, MediaWiki-General, Platform Team Initiatives (MCR), Wikimedia-Incident, Vuln-Infoleak, Security, Security-Team
Dylsss added a comment to T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo .

Going to request 2 different CVE's for this issue, as there are two different issues underneath, even though they both happen via action=mcrundo

Tweaked:

CVE 1:

It is possible to use action=edit&undo=, action=mcrundo, action=mcrrestore to view private pages on a private wiki that has at least one page set in $wgWhitelistRead. MediaWiki 1.23+

CVE 2:

It is possible to use action=mcrundo, action=mcrrestore to replace the content of any arbitrary page (that the user doesn't have edit rights for) on a wiki if it is public, or is private and has at least one page set in $wgWhitelistRead. MediaWiki 1.32+

In CVE 1, I would change "view private pages" to "view private revisions" to be more specific, although the exploit will not work when the revision is part of a deleted page or revision deleted as far as I can tell, not sure if that needs to be emphasized. In CVE 2 you need to gain edit rights in some form to replace pages with arbitrary content, without edit rights you can't replace Common.js with malicious JS for example, without first creating a revision to restore (which you can't do without edit rights). Thus without already having edit rights on the wiki, the risk of CVE 2 is decreased (eliminates arbitrary JavaScript execution) and the exploit is limited to replacing page content with revisions that already exist.

Dec 10 2021, 8:07 PM · MW-1.38-notes (1.38.0-wmf.18; 2022-01-17), Patch-For-Review, MW-1.37-notes, MW-1.36-notes, MW-1.35-notes, MediaWiki-General, Platform Team Initiatives (MCR), Wikimedia-Incident, Vuln-Infoleak, Security, Security-Team

Dec 8 2021

Dylsss added a comment to T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo .

This causes arbitrary JavaScript execution as well, users can create malicious JavaScript in their sandbox and restore it to MediaWiki:Common.js.

Dec 8 2021, 11:07 PM · MW-1.38-notes (1.38.0-wmf.18; 2022-01-17), Patch-For-Review, MW-1.37-notes, MW-1.36-notes, MW-1.35-notes, MediaWiki-General, Platform Team Initiatives (MCR), Wikimedia-Incident, Vuln-Infoleak, Security, Security-Team
Dylsss triaged T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo as Unbreak Now! priority.

Given the unbelievable severity

Dec 8 2021, 9:51 PM · MW-1.38-notes (1.38.0-wmf.18; 2022-01-17), Patch-For-Review, MW-1.37-notes, MW-1.36-notes, MW-1.35-notes, MediaWiki-General, Platform Team Initiatives (MCR), Wikimedia-Incident, Vuln-Infoleak, Security, Security-Team
Dylsss renamed T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo from Unauthorized users can undo edits on any protected page using mcrundo to Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo .
Dec 8 2021, 9:48 PM · MW-1.38-notes (1.38.0-wmf.18; 2022-01-17), Patch-For-Review, MW-1.37-notes, MW-1.36-notes, MW-1.35-notes, MediaWiki-General, Platform Team Initiatives (MCR), Wikimedia-Incident, Vuln-Infoleak, Security, Security-Team
Dylsss added a project to T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo : Vuln-Infoleak.

And this leaks data as well. https://checkuser.wikimedia.org/w/index.php?title=Main_Page&action=mcrundo&undo=39108&undoafter=32677

Dec 8 2021, 9:47 PM · MW-1.38-notes (1.38.0-wmf.18; 2022-01-17), Patch-For-Review, MW-1.37-notes, MW-1.36-notes, MW-1.35-notes, MediaWiki-General, Platform Team Initiatives (MCR), Wikimedia-Incident, Vuln-Infoleak, Security, Security-Team
Dylsss added a comment to T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo .

Not going to try it, but it looks like this would also allow you to undo edits on private wikis as well, e.g. https://checkuser.wikimedia.org/w/index.php?title=Main_Page&action=mcrundo&undo=39108&undoafter=32678

Dec 8 2021, 9:46 PM · MW-1.38-notes (1.38.0-wmf.18; 2022-01-17), Patch-For-Review, MW-1.37-notes, MW-1.36-notes, MW-1.35-notes, MediaWiki-General, Platform Team Initiatives (MCR), Wikimedia-Incident, Vuln-Infoleak, Security, Security-Team
Dylsss added a comment to T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo .

err, it looks like I was mistaken, this seems to be part of core actually, so this affects all Wikimedia wikis.

Dec 8 2021, 9:32 PM · MW-1.38-notes (1.38.0-wmf.18; 2022-01-17), Patch-For-Review, MW-1.37-notes, MW-1.36-notes, MW-1.35-notes, MediaWiki-General, Platform Team Initiatives (MCR), Wikimedia-Incident, Vuln-Infoleak, Security, Security-Team
Dylsss renamed T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo from Unauthorized Commons users can undo edits on any protected page using WikibaseMediaInfo undo to Unauthorized users can undo edits on any protected page using mcrundo.
Dec 8 2021, 9:32 PM · MW-1.38-notes (1.38.0-wmf.18; 2022-01-17), Patch-For-Review, MW-1.37-notes, MW-1.36-notes, MW-1.35-notes, MediaWiki-General, Platform Team Initiatives (MCR), Wikimedia-Incident, Vuln-Infoleak, Security, Security-Team
Dylsss added a project to T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo : WikibaseMediaInfo.
Dec 8 2021, 9:22 PM · MW-1.38-notes (1.38.0-wmf.18; 2022-01-17), Patch-For-Review, MW-1.37-notes, MW-1.36-notes, MW-1.35-notes, MediaWiki-General, Platform Team Initiatives (MCR), Wikimedia-Incident, Vuln-Infoleak, Security, Security-Team
Dylsss created T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo .
Dec 8 2021, 9:22 PM · MW-1.38-notes (1.38.0-wmf.18; 2022-01-17), Patch-For-Review, MW-1.37-notes, MW-1.36-notes, MW-1.35-notes, MediaWiki-General, Platform Team Initiatives (MCR), Wikimedia-Incident, Vuln-Infoleak, Security, Security-Team

Dec 7 2021

Dylsss merged T297241: OOUI PHP examples are down into T297035: Demos page for OOUI in php is broken.
Dec 7 2021, 9:44 PM · Continuous-Integration-Infrastructure, OOUI
Dylsss merged task T297241: OOUI PHP examples are down into T297035: Demos page for OOUI in php is broken.
Dec 7 2021, 9:44 PM · OOUI

Dec 6 2021

Dylsss added projects to T269130: Cross-Site Scripting (XSS) in Commons.wikipedia.org: Vuln-XSS, WikibaseMediaInfo, Commons.

Given the above comment and that it is not invalid. Feel free to revert/change if you feel it is inappropriate.

Dec 6 2021, 12:21 AM · Commons, WikibaseMediaInfo, Vuln-XSS, Structured-Data-Backlog, Structured Data Engineering, Security
Dylsss merged T269130: Cross-Site Scripting (XSS) in Commons.wikipedia.org into T293556: Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org (CVE-2021-46146).
Dec 6 2021, 12:19 AM · Structured-Data-Backlog (Current Work), SecTeam-Processed, Patch-For-Review, WikibaseMediaInfo, Vuln-XSS, Commons, Security, Security-Team
Dylsss merged task T269130: Cross-Site Scripting (XSS) in Commons.wikipedia.org into T293556: Stored XSS via WikibaseMediaInfo caption fields at commons.wikimedia.org (CVE-2021-46146).
Dec 6 2021, 12:18 AM · Commons, WikibaseMediaInfo, Vuln-XSS, Structured-Data-Backlog, Structured Data Engineering, Security

Dec 5 2021

Dylsss added a comment to T269130: Cross-Site Scripting (XSS) in Commons.wikipedia.org.

Noting that this is the same as T293556, this was not invalid and was a real vulnerability... which means we made a high risk XSS public and unfixed for 10 months.

Dec 5 2021, 11:39 PM · Commons, WikibaseMediaInfo, Vuln-XSS, Structured-Data-Backlog, Structured Data Engineering, Security

Dec 2 2021

Dylsss created T296897: Eqiad Geosearch API queries return errors on Commons.
Dec 2 2021, 12:14 AM · Discovery-Search (Current work), CirrusSearch, Commons, GeoData

Nov 29 2021

Dylsss added a comment to T296578: Globally blocked IPs can edit EntitySchema items (CVE-2021-45471).

That being said, looking at further usages of PermissionManager::isBlockedFrom, I think there are more places that might have similar issues, including the NewEntitySchema special page, some of EntitySchema's actions, and SpecialMergeLexemes. And also several places in core look suspicious?

Yep, I was able to create a new EntitySchema item with Special:NewEntitySchema at https://test.wikidata.org/wiki/EntitySchema:E17 as a globally blocked IP.

Nov 29 2021, 10:51 PM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), wdwb-tech, Wikibase Release Strategy, SecTeam-Processed, Wikidata-Campsite (Team A Hearth 🏰🔥), Stewards-and-global-tools, Wikidata, Shape Expressions, Security, Security-Team
Dylsss updated the task description for T296605: XSS in Special:ImportFile URL (CVE-2021-45474).
Nov 29 2021, 3:04 AM · Patch-For-Review, MW-1.38-notes (1.38.0-wmf.9; 2021-11-16), WMDE-TechWish-Sprint-2021-11-24, SecTeam-Processed, Move-Files-To-Commons, Vuln-XSS, Security, Security-Team
Dylsss updated the task description for T296605: XSS in Special:ImportFile URL (CVE-2021-45474).
Nov 29 2021, 2:50 AM · Patch-For-Review, MW-1.38-notes (1.38.0-wmf.9; 2021-11-16), WMDE-TechWish-Sprint-2021-11-24, SecTeam-Processed, Move-Files-To-Commons, Vuln-XSS, Security, Security-Team
Dylsss updated the task description for T296605: XSS in Special:ImportFile URL (CVE-2021-45474).
Nov 29 2021, 2:47 AM · Patch-For-Review, MW-1.38-notes (1.38.0-wmf.9; 2021-11-16), WMDE-TechWish-Sprint-2021-11-24, SecTeam-Processed, Move-Files-To-Commons, Vuln-XSS, Security, Security-Team
Dylsss updated the task description for T296605: XSS in Special:ImportFile URL (CVE-2021-45474).
Nov 29 2021, 2:45 AM · Patch-For-Review, MW-1.38-notes (1.38.0-wmf.9; 2021-11-16), WMDE-TechWish-Sprint-2021-11-24, SecTeam-Processed, Move-Files-To-Commons, Vuln-XSS, Security, Security-Team
Dylsss added projects to T296605: XSS in Special:ImportFile URL (CVE-2021-45474): Vuln-XSS, Move-Files-To-Commons.
Nov 29 2021, 2:44 AM · Patch-For-Review, MW-1.38-notes (1.38.0-wmf.9; 2021-11-16), WMDE-TechWish-Sprint-2021-11-24, SecTeam-Processed, Move-Files-To-Commons, Vuln-XSS, Security, Security-Team
Dylsss created T296605: XSS in Special:ImportFile URL (CVE-2021-45474).
Nov 29 2021, 2:42 AM · Patch-For-Review, MW-1.38-notes (1.38.0-wmf.9; 2021-11-16), WMDE-TechWish-Sprint-2021-11-24, SecTeam-Processed, Move-Files-To-Commons, Vuln-XSS, Security, Security-Team

Nov 28 2021

Dylsss merged T296589: Captions: quotation mark " is shown as " into T293760: [M] Escaped characters shown while editing captions.
Nov 28 2021, 3:47 PM · MW-1.38-notes (1.38.0-wmf.18; 2022-01-17), Structured-Data-Backlog (Current Work), WikibaseMediaInfo
Dylsss merged task T296589: Captions: quotation mark " is shown as " into T293760: [M] Escaped characters shown while editing captions.
Nov 28 2021, 3:47 PM · Wikidata, SDC General, Regression
Dylsss updated the task description for T296578: Globally blocked IPs can edit EntitySchema items (CVE-2021-45471).
Nov 28 2021, 3:00 AM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), wdwb-tech, Wikibase Release Strategy, SecTeam-Processed, Wikidata-Campsite (Team A Hearth 🏰🔥), Stewards-and-global-tools, Wikidata, Shape Expressions, Security, Security-Team
Dylsss added projects to T296578: Globally blocked IPs can edit EntitySchema items (CVE-2021-45471): Shape Expressions, Wikidata.
Nov 28 2021, 2:39 AM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), wdwb-tech, Wikibase Release Strategy, SecTeam-Processed, Wikidata-Campsite (Team A Hearth 🏰🔥), Stewards-and-global-tools, Wikidata, Shape Expressions, Security, Security-Team
Dylsss created T296578: Globally blocked IPs can edit EntitySchema items (CVE-2021-45471).
Nov 28 2021, 2:34 AM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), wdwb-tech, Wikibase Release Strategy, SecTeam-Processed, Wikidata-Campsite (Team A Hearth 🏰🔥), Stewards-and-global-tools, Wikidata, Shape Expressions, Security, Security-Team

Nov 18 2021

Dylsss closed T294561: Impossible to reach certain Japanese Wikipedia pages about Cyrillic characters in Firefox; returns zero bytes (due to protectionIndicator gadget) as Resolved.

The gadget was fixed in https://ja.wikipedia.org/w/index.php?title=MediaWiki%3AGadget-protectionLog.js%2Fcore.js&type=revision&diff=86550511&oldid=86266493 and re-added as a default gadget. The issue no longer seems producible.

Nov 18 2021, 4:54 PM · Browser-Support-Firefox

Nov 17 2021

Dylsss merged T295895: New Vector doesn't autocomplete special pages into T277363: New search widget API doesn't work in "Special:" and "File:" namespace.
Nov 17 2021, 4:24 PM · Readers-Web-Backlog, Platform Team Workboards (Clinic Duty Team), Vector, Design-Systems-team (Vue.js Search Experience (Vector modern)), Desktop Improvements
Dylsss merged task T295895: New Vector doesn't autocomplete special pages into T277363: New search widget API doesn't work in "Special:" and "File:" namespace.
Nov 17 2021, 4:24 PM · Readers-Web-Backlog, Desktop Improvements, Vector

Nov 10 2021

Dylsss added a comment to T295478: Searching on Special:Search and MediaSearch on Commons returns error.

Note, it seems searching for files on Commons is currently impossible. I've created T295480 for that.

Nov 10 2021, 3:38 PM · Discovery-Search (Current work), Commons, Structured-Data-Backlog (Current Work), SDAW-MediaSearch
Dylsss added projects to T295480: Searching for files on Commons returns error: MediaWiki-Search, Commons.
Nov 10 2021, 3:31 PM · Commons, Discovery-Search
Dylsss created T295480: Searching for files on Commons returns error.
Nov 10 2021, 3:28 PM · Commons, Discovery-Search
Dylsss updated the task description for T295478: Searching on Special:Search and MediaSearch on Commons returns error.
Nov 10 2021, 3:22 PM · Discovery-Search (Current work), Commons, Structured-Data-Backlog (Current Work), SDAW-MediaSearch
Dylsss updated the task description for T295478: Searching on Special:Search and MediaSearch on Commons returns error.
Nov 10 2021, 3:21 PM · Discovery-Search (Current work), Commons, Structured-Data-Backlog (Current Work), SDAW-MediaSearch
Dylsss created T295478: Searching on Special:Search and MediaSearch on Commons returns error.
Nov 10 2021, 3:21 PM · Discovery-Search (Current work), Commons, Structured-Data-Backlog (Current Work), SDAW-MediaSearch

Nov 4 2021

Dylsss created T295096: Character encoding issues on daily-image-l.
Nov 4 2021, 11:10 PM · SRE, Commons, Tools, Wikimedia-Mailing-lists
Dylsss merged T295069: Vue Search doesn't display suggestions for results in the Special namespace into T277363: New search widget API doesn't work in "Special:" and "File:" namespace.
Nov 4 2021, 6:28 PM · Readers-Web-Backlog, Platform Team Workboards (Clinic Duty Team), Vector, Design-Systems-team (Vue.js Search Experience (Vector modern)), Desktop Improvements
Dylsss merged task T295069: Vue Search doesn't display suggestions for results in the Special namespace into T277363: New search widget API doesn't work in "Special:" and "File:" namespace.
Nov 4 2021, 6:28 PM · Desktop Improvements

Oct 30 2021

Dylsss added a project to T294693: XSS on page information Wikibase central description (CVE-2021-45473): Vuln-XSS.
Oct 30 2021, 8:13 PM · MW-1.38-notes (1.38.0-wmf.12; 2021-12-06), Wikibase Release Strategy, SecTeam-Processed, wdwb-tech, MediaWiki-extensions-WikibaseClient, User-Urbanecm, Wikidata, Vuln-XSS, Security, Security-Team
Dylsss created T294693: XSS on page information Wikibase central description (CVE-2021-45473).
Oct 30 2021, 8:06 PM · MW-1.38-notes (1.38.0-wmf.12; 2021-12-06), Wikibase Release Strategy, SecTeam-Processed, wdwb-tech, MediaWiki-extensions-WikibaseClient, User-Urbanecm, Wikidata, Vuln-XSS, Security, Security-Team
Dylsss added a comment to T294675: Some global preference values will not save.

I cannot reproduce simply following those steps, I can enable and set a new global preference field and toggle it on/off fine, however if I then edit any local preference, those global preferences I just edited become in a stuck state like observed in this task.

Oct 30 2021, 12:17 AM · Patch-For-Review, MW-1.38-notes (1.38.0-wmf.9; 2021-11-16), MediaWiki-extensions-GlobalPreferences, Community-Tech, Regression, MediaWiki-User-preferences

Oct 28 2021

Dylsss added a comment to T294561: Impossible to reach certain Japanese Wikipedia pages about Cyrillic characters in Firefox; returns zero bytes (due to protectionIndicator gadget).

I can reproduce this in Firefox safemode.

Oct 28 2021, 10:11 PM · Browser-Support-Firefox

Oct 19 2021

Dylsss added a comment to T293768: FileImporter inserts "Suppressed comment removed by FileImporter." to a file revision comment when the comment is left blank and is not hidden.

Seems to be caused by T293783, which I've created, not sure if this should be merged into it.

Oct 19 2021, 3:01 PM · Move-Files-To-Commons
Dylsss updated the task description for T293783: ImageInfo iiprop=comment query returns empty comment as hidden.
Oct 19 2021, 3:00 PM · MW-1.38-notes (1.38.0-wmf.5; 2021-10-19), MW-1.37-notes, Patch-For-Review, Platform Team Workboards (MW Expedition), MW-1.37-release, Regression, MediaWiki-API
Dylsss created T293783: ImageInfo iiprop=comment query returns empty comment as hidden.
Oct 19 2021, 2:55 PM · MW-1.38-notes (1.38.0-wmf.5; 2021-10-19), MW-1.37-notes, Patch-For-Review, Platform Team Workboards (MW Expedition), MW-1.37-release, Regression, MediaWiki-API
Dylsss created T293768: FileImporter inserts "Suppressed comment removed by FileImporter." to a file revision comment when the comment is left blank and is not hidden.
Oct 19 2021, 2:30 PM · Move-Files-To-Commons

Oct 17 2021

Dylsss updated the task description for T293554: Switching tabs in MediaSearch does not re-query the search.
Oct 17 2021, 11:35 AM · Patch-For-Review, MW-1.38-notes (1.38.0-wmf.4; 2021-10-12), Structured-Data-Backlog (Current Work), SDAW-MediaSearch, Commons
Dylsss removed a project from T293554: Switching tabs in MediaSearch does not re-query the search: MediaWiki-Categories.
Oct 17 2021, 11:30 AM · Patch-For-Review, MW-1.38-notes (1.38.0-wmf.4; 2021-10-12), Structured-Data-Backlog (Current Work), SDAW-MediaSearch, Commons
Dylsss updated the task description for T293554: Switching tabs in MediaSearch does not re-query the search.
Oct 17 2021, 11:27 AM · Patch-For-Review, MW-1.38-notes (1.38.0-wmf.4; 2021-10-12), Structured-Data-Backlog (Current Work), SDAW-MediaSearch, Commons
Dylsss added a comment to T293554: Switching tabs in MediaSearch does not re-query the search.

I've updated the task description to better describe the bug, which is not specifically to do with categories and more to do with the fact that switching to any different tab does not re-query the search in that tab. Hope that is ok.

Oct 17 2021, 11:25 AM · Patch-For-Review, MW-1.38-notes (1.38.0-wmf.4; 2021-10-12), Structured-Data-Backlog (Current Work), SDAW-MediaSearch, Commons
Dylsss renamed T293554: Switching tabs in MediaSearch does not re-query the search from Search by category is broken, requires many steps and howto to Switching tabs in MediaSearch does not re-query the search.
Oct 17 2021, 11:24 AM · Patch-For-Review, MW-1.38-notes (1.38.0-wmf.4; 2021-10-12), Structured-Data-Backlog (Current Work), SDAW-MediaSearch, Commons

Oct 16 2021

Dylsss renamed T293561: Translation quality should not apply to disambiguation pages from Translation quality should not apply to disambiguation palges to Translation quality should not apply to disambiguation pages.
Oct 16 2021, 8:11 PM · ContentTranslation

Oct 15 2021

Restricted Application added a project to T248676: Literal HTML <ul><li> shown in case of an error while saving (here: page protected): Structured-Data-Backlog.

This no longer seems like an issue. This particular case is not reproducible because it is no longer possible to attempt to edit captions/structured data when the file itself is protected, the edit button does not appear. And editing captions when the file is cascade protected results in the error correctly rendering as actual HTML.

Cascade protected error from editing captions (415×904 px, 22 KB)

Oct 15 2021, 10:32 PM · Structured-Data-Backlog, WikibaseMediaInfo
Dylsss created T293537: Editing items on a cascade protected file results in an error duplicating for each individual edit.
Oct 15 2021, 10:19 PM · Structured-Data-Backlog, WikibaseMediaInfo
Dylsss created T293535: Deleting statements from a cascade protected file results in a raw text HTML error from the API.
Oct 15 2021, 10:07 PM · WikibaseMediaInfo, Structured-Data-Backlog
Dylsss merged T293429: CSS in the summary of a mention when creating a page with {{RFCSubpage}} on Wikidata into T219138: TemplateStyles CSS appears in notification text.
Oct 15 2021, 1:32 AM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), Growth-Team-Filtering, Growth-Team, Notifications, TemplateStyles
Dylsss merged task T293429: CSS in the summary of a mention when creating a page with {{RFCSubpage}} on Wikidata into T219138: TemplateStyles CSS appears in notification text.
Oct 15 2021, 1:32 AM · Mention-Notification
Dylsss created T293427: Toolhub agree-terms message states "You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license" even though the license is CC0 and attribution is irrelevant.
Oct 15 2021, 12:17 AM · Toolhub

Oct 12 2021

Dylsss claimed T279436: Clarify that CC0 on Wikidata only applies to the Item, Property, Lexeme and EntityScheme namespaces on https://dumps.wikimedia.org/legal.html.
Oct 12 2021, 11:35 PM · Datasets-General-or-Unknown
Dylsss closed T293153: Opening Special:Contributions/Jules* on en.wp automatically begins searching contributions (due to contribsrange.js gadget) as Invalid.

This is caused by a gadget (https://en.wikipedia.org/wiki/MediaWiki:Gadget-contribsrange.js) and issues should be discussed on its talk page.

Oct 12 2021, 9:58 PM
Dylsss updated the task description for T293136: VideoJS embedded player: Black screen, no video, controls in middle of screen.
Oct 12 2021, 7:44 PM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), VideoJS player
Dylsss added a comment to T100106: Replace Kaltura player with Video.js.

See T293136, it looks like Iframe embed support blocker should be unticked as it looks broken currently.

Oct 12 2021, 7:42 PM · MW-1.36-notes (1.36.0-wmf.11; 2020-09-29), VideoJS player, Performance-Team (Radar), MW-1.34-notes (1.34.0-wmf.13; 2019-07-09), Epic, Multimedia, Wikimedia-Video, Wikimedia-Hackathon-2015
Dylsss created T293139: Phabricator should not embed videos from Wikimedia Commons when the file is deleted.
Oct 12 2021, 7:30 PM · Phabricator
Dylsss created T293136: VideoJS embedded player: Black screen, no video, controls in middle of screen.
Oct 12 2021, 7:24 PM · MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), VideoJS player
Dylsss updated the task description for T293045: Regression: Hidden file revisions are no longer styled.
Oct 12 2021, 8:03 AM · MW-1.38-notes (1.38.0-wmf.12; 2021-12-06), CSS, Commons, MediaWiki-File-management, MediaWiki-Revision-deletion, Regression

Oct 11 2021

Dylsss created T293045: Regression: Hidden file revisions are no longer styled.
Oct 11 2021, 9:22 PM · MW-1.38-notes (1.38.0-wmf.12; 2021-12-06), CSS, Commons, MediaWiki-File-management, MediaWiki-Revision-deletion, Regression

Oct 7 2021

Dylsss added projects to T292763: CVE-2021-44854: Rest API incorrectly publicly caches results from private wikis: Vector, Desktop Improvements.
Oct 7 2021, 5:19 PM · MW-1.37-notes, MW-1.36-notes, MW-1.35-notes, MW-1.38-notes (1.38.0-wmf.6; 2021-10-26), SecTeam-Processed, Vuln-Infoleak, API Platform, SRE, Platform Engineering, MediaWiki-REST-API, Desktop Improvements, Vector, Security, Security-Team
Dylsss created T292763: CVE-2021-44854: Rest API incorrectly publicly caches results from private wikis.
Oct 7 2021, 4:58 PM · MW-1.37-notes, MW-1.36-notes, MW-1.35-notes, MW-1.38-notes (1.38.0-wmf.6; 2021-10-26), SecTeam-Processed, Vuln-Infoleak, API Platform, SRE, Platform Engineering, MediaWiki-REST-API, Desktop Improvements, Vector, Security, Security-Team

Sep 27 2021

Dylsss created T291891: Special:OrphanedTimedText lists all main space pages.
Sep 27 2021, 9:28 PM · TimedMediaHandler-TimedText

Sep 24 2021

Dylsss created T291678: "Did you mean" on MediaSearch displays HTML.
Sep 24 2021, 12:23 AM · Structured-Data-Backlog (Current Work), Regression, SDAW-MediaSearch

May 22 2021

Dylsss closed T283108: TypeError on Special:NewPagesFeed Articles for Creation filter: "Cannot read property 'stats' of undefined" and "Cannot read property 'pages' of undefined" as Resolved.

Interestingly, disabling all gadgets, beta features, and other settings, did not fix this issue. However, I used the "Restore all default settings" which did fix this issue. So I still do not know exactly what in my configuration was causing this, but it is no longer occurring.

May 22 2021, 5:14 PM · Growth-Team, PageCuration

May 18 2021

Dylsss updated the task description for T283108: TypeError on Special:NewPagesFeed Articles for Creation filter: "Cannot read property 'stats' of undefined" and "Cannot read property 'pages' of undefined".
May 18 2021, 8:38 PM · Growth-Team, PageCuration
Dylsss created T283108: TypeError on Special:NewPagesFeed Articles for Creation filter: "Cannot read property 'stats' of undefined" and "Cannot read property 'pages' of undefined".
May 18 2021, 8:34 PM · Growth-Team, PageCuration

Apr 6 2021

ToBeFree awarded T278904: [Regression 1.36.0-wmf.36] On enwiki, new edits are being marked as quality instead of "accepted" after manual pending changes review a Like token.
Apr 6 2021, 12:05 PM · User-Ladsgroup, MediaWiki-extensions-FlaggedRevs