Grunny (Grunny)
User

User Details

User Since
Oct 7 2014, 10:12 AM (218 w, 1 d)
Availability
Available
LDAP User
Grunny
MediaWiki User
Grunny

Recent Activity

May 2 2018

Grunny added a comment to T118131: Credit security researchers that identify and disclose vulnerabilities.

@Bawolff this is great. One thought I had from looking at https://www.mediawiki.org/wiki/Reporting_security_bugs and https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Thanks is that they both only mention credit for vulnerabilities found in MediaWiki core or a bundled extension. I feel one missing part will be crediting those who report security issues in Wikimedia-deployed extensions. These may not make sense to credit in the MW core CREDITS file as the issues weren't part of the code distributed in the tarballs, but it does seem worthwhile to also find a nice place to credit those who reported security issues that affected Wikimedia wikis, such as through a deployed extension, as they're helping keep Wikimedia projects secure even if it's not an issue that is part of core or a bundled extension. What do you think?

May 2 2018, 3:35 PM · Security-team-backlog, Developer-Advocacy

Apr 5 2017

Grunny added a comment to T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.

Thanks, @Reedy! Found one more issue in the patches for MW 1.23. In the patch for T108138, the calls to getUserPermissionsErrorsInternal are passing the undefined variable $rigor as MW 1.23 is still using the boolean $doExpensiveQueries instead. The call to Title::userCan should also probably use a boolean true instead of 'secure' for consistency.

Apr 5 2017, 9:09 AM · Security, Security-Team, MediaWiki-General-or-Unknown

Apr 4 2017

Grunny added a comment to T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.

For the MW 1.23 patch for T108138, it looks like $user is undefined in the Title::userCan call as well, as it currently repeatedly calls $this->getUser() rather than storing it in a $user variable.

Apr 4 2017, 4:36 PM · Security, Security-Team, MediaWiki-General-or-Unknown
Grunny added a comment to T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.

I believe the patch for MW 1.23 related to T48143 will break as it adds the call to parser::normalizeLinkUrl but the Parser::normalizeLinkUrl method does not exist in MW 1.23, as it is still using Parser::replaceUnusualEscapes instead.

Apr 4 2017, 1:40 PM · Security, Security-Team, MediaWiki-General-or-Unknown

Mar 20 2017

Grunny added a comment to T134863: Reflected XSS in GlobalGroupPermissions.

@dpatrick Looks like https://gerrit.wikimedia.org/r/#/c/319055/ was merged in February and is now live, so I think this can be closed and made public once it's announced as part of the fixes released in T134863?

Mar 20 2017, 10:49 AM · Patch-For-Review, Security-Team, MediaWiki-extensions-CentralAuth, Vuln-XSS, Security-Extensions, Security

Jan 18 2017

Grunny added a comment to T134863: Reflected XSS in GlobalGroupPermissions.

@dpatrick looks like the PoC https://www.mediawiki.org/wiki/Special:GlobalGroupPermissions?wpGroup=%3Cscript%3Ealert%28document.domain%29%3C/script%3E works again, did the patch get reverted?

Jan 18 2017, 3:37 PM · Patch-For-Review, Security-Team, MediaWiki-extensions-CentralAuth, Vuln-XSS, Security-Extensions, Security

May 10 2016

Grunny added a comment to T134863: Reflected XSS in GlobalGroupPermissions.

Here's a quick patch to fix the issue:

May 10 2016, 11:37 AM · Patch-For-Review, Security-Team, MediaWiki-extensions-CentralAuth, Vuln-XSS, Security-Extensions, Security
Grunny created T134863: Reflected XSS in GlobalGroupPermissions.
May 10 2016, 11:36 AM · Patch-For-Review, Security-Team, MediaWiki-extensions-CentralAuth, Vuln-XSS, Security-Extensions, Security

Apr 25 2016

Grunny added a comment to T133507: Careless use of $wgExternalLinkTarget is insecure.

> I dunno, I think we could just set rel="noopener" on external links and document this.

That sounds like a reasonable response to me.

Just something to keep in mind, rel="noopener" only works on Chrome and Opera, and does not work in Firefox, Safari, IE, and Edge.

Apr 25 2016, 9:24 AM · Performance-Team-notice, Performance-Team, Patch-For-Review, Security

Dec 17 2015

Grunny added a comment to T115722: MediaWiki Security release 1.25.4.

LGTM. :)

Dec 17 2015, 5:15 PM · WorkType-NewFunctionality, Security, Release
Grunny added a comment to T119309: User::matchEditToken should use constant-time string comparison.

The backport patches for this to MW 1.23 and 1.24 should also use hash_equals in the check in the return of the method as well, i.e. here: https://github.com/wikimedia/mediawiki/blob/REL1_24/includes/User.php#L3939 and https://github.com/wikimedia/mediawiki/blob/REL1_23/includes/User.php#L3814. And they should both also probably have the same done for User::matchEditTokenNoSuffix.

Dec 17 2015, 1:55 PM · MW-1.27-release-notes, MW-1.27-release (WMF-deploy-2016-01-12_(1.27.0-wmf.10)), MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Patch-For-Review, Security, MediaWiki-General-or-Unknown, Security-Core
Grunny added a comment to T115722: MediaWiki Security release 1.25.4.

The patches for T119309 in MW 1.23 and 1.24 should use hash_equals in the check in the return of the method as well, i.e. here: https://github.com/wikimedia/mediawiki/blob/REL1_24/includes/User.php#L3939 and https://github.com/wikimedia/mediawiki/blob/REL1_23/includes/User.php#L3814. And they should both also probably have the same done for User::matchEditTokenNoSuffix.

Dec 17 2015, 1:54 PM · WorkType-NewFunctionality, Security, Release

Oct 23 2015

Grunny added a watcher for Security: Grunny.
Oct 23 2015, 5:44 PM
Grunny added a comment to T115735: Security bugs access for Grunny.

@Qgil @csteipp signed.

Oct 23 2015, 4:24 PM · WMF-NDA-Requests

Oct 16 2015

Grunny created T115735: Security bugs access for Grunny.
Oct 16 2015, 5:51 PM · WMF-NDA-Requests

Sep 3 2015

Grunny added a comment to T111029: XSS possible in PageTriage toolbar.

Quick patch to URL encode the title:

The problem is not lack of URL encoding, it's lack of HTML encoding. URL encoding was also lacking, and doing that will fix certain current PageTriage bugs (e.g. some pages with quote marks weren't working properly). But from a security perspective this isn't solved yet.

Sep 3 2015, 5:29 AM · MW-1.27-release (WMF-deploy-2015-11-10_(1.27.0-wmf.6)), Patch-For-Review, Collaboration-Team-Archive-2015-2016, Vuln-XSS, MediaWiki-extensions-PageCuration, Security

Sep 1 2015

Grunny updated the task description for T111029: XSS possible in PageTriage toolbar.
Sep 1 2015, 7:12 PM · MW-1.27-release (WMF-deploy-2015-11-10_(1.27.0-wmf.6)), Patch-For-Review, Collaboration-Team-Archive-2015-2016, Vuln-XSS, MediaWiki-extensions-PageCuration, Security
Grunny updated the task description for T111029: XSS possible in PageTriage toolbar.
Sep 1 2015, 2:38 PM · MW-1.27-release (WMF-deploy-2015-11-10_(1.27.0-wmf.6)), Patch-For-Review, Collaboration-Team-Archive-2015-2016, Vuln-XSS, MediaWiki-extensions-PageCuration, Security
Grunny added a comment to T111029: XSS possible in PageTriage toolbar.

Quick patch to URL encode the title:

Sep 1 2015, 11:24 AM · MW-1.27-release (WMF-deploy-2015-11-10_(1.27.0-wmf.6)), Patch-For-Review, Collaboration-Team-Archive-2015-2016, Vuln-XSS, MediaWiki-extensions-PageCuration, Security
Grunny renamed T111029: XSS possible in PageTriage toolbar from to XSS possible in PageTriage toolbar.
Sep 1 2015, 11:22 AM · MW-1.27-release (WMF-deploy-2015-11-10_(1.27.0-wmf.6)), Patch-For-Review, Collaboration-Team-Archive-2015-2016, Vuln-XSS, MediaWiki-extensions-PageCuration, Security

Jul 14 2015

Grunny committed rMREL9b1433ead38a: Add missing parameters to message call (authored by Grunny).
Add missing parameters to message call
Jul 14 2015, 6:10 PM
Grunny committed rMREL13bdc746ed1a: Add missing message from the edit view for global filters (authored by Grunny).
Add missing message from the edit view for global filters
Jul 14 2015, 6:10 PM

Jun 26 2015

Grunny added a comment to T103391: Reflected XSS vulnerabilities in Semantic Forms.

It looks like the patches were pushed to Gerrit and merged: https://gerrit.wikimedia.org/r/220839

Jun 26 2015, 1:50 PM · Vuln-XSS, Security-Team, MediaWiki-extensions-Page_Forms, Security

Jun 23 2015

Grunny added a comment to T103391: Reflected XSS vulnerabilities in Semantic Forms.

There are some more vulnerable parameters not covered by that patch:

Jun 23 2015, 2:15 AM · Vuln-XSS, Security-Team, MediaWiki-extensions-Page_Forms, Security

Jun 22 2015

Grunny renamed T103391: Reflected XSS vulnerabilities in Semantic Forms from to Reflected XSS vulnerabilities in Semantic Forms.
Jun 22 2015, 5:54 PM · Vuln-XSS, Security-Team, MediaWiki-extensions-Page_Forms, Security

Mar 11 2015

Gerrit Code Review <gerrit@wikimedia.org> committed rMEXT7df66299514d: Updated mediawiki/extensions Project: mediawiki/extensions/PageTriage… (authored by Grunny).
Updated mediawiki/extensions Project: mediawiki/extensions/PageTriage…
Mar 11 2015, 6:16 AM
Gerrit Code Review <gerrit@wikimedia.org> committed rMEXT8822798ba487: Updated mediawiki/extensions Project: mediawiki/extensions/Echo… (authored by Grunny).
Updated mediawiki/extensions Project: mediawiki/extensions/Echo…
Mar 11 2015, 6:16 AM
Gerrit Code Review <gerrit@wikimedia.org> committed rMEXTf97ae9c6e8c2: Updated mediawiki/extensions Project: mediawiki/extensions/TextExtracts… (authored by Grunny).
Updated mediawiki/extensions Project: mediawiki/extensions/TextExtracts…
Mar 11 2015, 6:02 AM
Gerrit Code Review <gerrit@wikimedia.org> committed rMEXTa085bcd90cee: Updated mediawiki/extensions Project: mediawiki/extensions/BatchUserRights… (authored by Grunny).
Updated mediawiki/extensions Project: mediawiki/extensions/BatchUserRights…
Mar 11 2015, 6:00 AM
Gerrit Code Review <gerrit@wikimedia.org> committed rMEXTf48b063c18f6: Updated mediawiki/extensions Project: mediawiki/extensions/InputBox… (authored by Grunny).
Updated mediawiki/extensions Project: mediawiki/extensions/InputBox…
Mar 11 2015, 5:54 AM
Gerrit Code Review <gerrit@wikimedia.org> committed rMEXT63e906f3bffb: Updated mediawiki/extensions Project: mediawiki/extensions/Translate… (authored by Grunny).
Updated mediawiki/extensions Project: mediawiki/extensions/Translate…
Mar 11 2015, 5:53 AM
Gerrit Code Review <gerrit@wikimedia.org> committed rMEXT0eb10bc5306f: Updated mediawiki/extensions Project: mediawiki/extensions/Gadgets… (authored by Grunny).
Updated mediawiki/extensions Project: mediawiki/extensions/Gadgets…
Mar 11 2015, 5:53 AM
Gerrit Code Review <gerrit@wikimedia.org> committed rMEXT9ae5ad6eb8ab: Updated mediawiki/extensions Project: mediawiki/extensions/LookupUser… (authored by Grunny).
Updated mediawiki/extensions Project: mediawiki/extensions/LookupUser…
Mar 11 2015, 5:16 AM
Gerrit Code Review <gerrit@wikimedia.org> committed rMEXT1a9c99ba0e3b: Updated mediawiki/extensions Project: mediawiki/extensions/BatchUserRights… (authored by Grunny).
Updated mediawiki/extensions Project: mediawiki/extensions/BatchUserRights…
Mar 11 2015, 5:16 AM
Gerrit Code Review <gerrit@wikimedia.org> committed rMEXT7688db7a5f55: Updated mediawiki/extensions Project: mediawiki/extensions/BatchUserRights… (authored by Grunny).
Updated mediawiki/extensions Project: mediawiki/extensions/BatchUserRights…
Mar 11 2015, 5:16 AM
Gerrit Code Review <gerrit@wikimedia.org> committed rMEXT2b6b38c9843c: Updated mediawiki/extensions Project: mediawiki/extensions/BatchUserRights… (authored by Grunny).
Updated mediawiki/extensions Project: mediawiki/extensions/BatchUserRights…
Mar 11 2015, 5:16 AM
Gerrit Code Review <gerrit@wikimedia.org> committed rMEXT2b3b7e9fe6fe: Updated mediawiki/extensions Project: mediawiki/extensions/BatchUserRights… (authored by Grunny).
Updated mediawiki/extensions Project: mediawiki/extensions/BatchUserRights…
Mar 11 2015, 5:13 AM
Gerrit Code Review <gerrit@wikimedia.org> committed rMEXT3d751a08ef3b: Updated mediawiki/extensions Project: mediawiki/extensions/BatchUserRights… (authored by Grunny).
Updated mediawiki/extensions Project: mediawiki/extensions/BatchUserRights…
Mar 11 2015, 5:05 AM
Gerrit Code Review <gerrit@wikimedia.org> committed rMEXT1087fd341528: Updated mediawiki/extensions Project: mediawiki/extensions/PageTriage… (authored by Grunny).
Updated mediawiki/extensions Project: mediawiki/extensions/PageTriage…
Mar 11 2015, 4:55 AM
Gerrit Code Review <gerrit@wikimedia.org> committed rMEXT9b5e56164b81: Updated mediawiki/extensions Project: mediawiki/extensions/AbuseFilter… (authored by Grunny).
Updated mediawiki/extensions Project: mediawiki/extensions/AbuseFilter…
Mar 11 2015, 4:48 AM

Mar 4 2015

Grunny committed rPWBO13ee083c7aa9: Update Wikia's MediaWiki version to 1.19.20 (authored by Grunny).
Update Wikia's MediaWiki version to 1.19.20
Mar 4 2015, 8:53 AM
Grunny committed rPWBO77c29a104279: Update Wikia's MediaWiki version to 1.19.18 (authored by Grunny).
Update Wikia's MediaWiki version to 1.19.18
Mar 4 2015, 8:53 AM
Grunny committed rPWBC5b586d29e503: Update Wikia's MediaWiki version to 1.19.20 (authored by Grunny).
Update Wikia's MediaWiki version to 1.19.20
Mar 4 2015, 8:45 AM
Grunny committed rPWBCee7e6710280f: Update Wikia's MediaWiki version to 1.19.19 (authored by Grunny).
Update Wikia's MediaWiki version to 1.19.19
Mar 4 2015, 8:45 AM
Grunny committed rPWBCf8de84cb1ee7: Update Wikia's MediaWiki version to 1.19.18 (authored by Grunny).
Update Wikia's MediaWiki version to 1.19.18
Mar 4 2015, 8:44 AM
Grunny committed rPWBC0bbcb2797e56: Update WoWWiki's MediaWiki version to 1.19.18 (authored by Grunny).
Update WoWWiki's MediaWiki version to 1.19.18
Mar 4 2015, 8:44 AM

Mar 3 2015

Grunny committed rGTWNeaa11c8a3885: Add WikiaNewFiles extension for Wikia (authored by Grunny).
Add WikiaNewFiles extension for Wikia
Mar 3 2015, 9:05 PM
Grunny committed rGTWNf9587dc80fe5: Add VisualEditor extension for Wikia (authored by Grunny).
Add VisualEditor extension for Wikia
Mar 3 2015, 9:05 PM
Grunny committed rGTWN2445d65b4138: Add Forum extension for Wikia (authored by Grunny).
Add Forum extension for Wikia
Mar 3 2015, 9:05 PM
Grunny committed rGTWN65815c2b726c: Add LicensedVideoSwap extension for Wikia (authored by Grunny).
Add LicensedVideoSwap extension for Wikia
Mar 3 2015, 9:05 PM
Grunny committed rGTWN55e401442336: Re-enable WikiaMobile for Wikia (authored by Grunny).
Re-enable WikiaMobile for Wikia
Mar 3 2015, 9:05 PM
Grunny committed rGTWNfe709375e63f: Add ManageWikiaHome extension for Wikia (authored by Grunny).
Add ManageWikiaHome extension for Wikia
Mar 3 2015, 9:05 PM
Grunny committed rGTWN704cec52f806: Add WikiaStyleGuide extension for Wikia (authored by Grunny).
Add WikiaStyleGuide extension for Wikia
Mar 3 2015, 9:05 PM
Grunny committed rGTWNf83945b1acdf: Add AdEngine extension for Wikia (authored by Grunny).
Add AdEngine extension for Wikia
Mar 3 2015, 9:05 PM
Grunny committed rGTWN2f3acd533e49: Add FilePage extension for Wikia (authored by Grunny).
Add FilePage extension for Wikia
Mar 3 2015, 9:04 PM
Grunny committed rMWVAe7a37644e2ea: Install git-review via pip instead of apt (authored by Grunny).
Install git-review via pip instead of apt
Mar 3 2015, 7:45 PM

Dec 31 2014

Grunny committed rAPAC96de1dc54c13: Pipe user link in author field (authored by Grunny).
Pipe user link in author field
Dec 31 2014, 6:20 PM
Grunny committed rAPIC6f0394458516: Better formatting for Information template (authored by Grunny).
Better formatting for Information template
Dec 31 2014, 6:18 PM

Dec 10 2014

Grunny committed rETRA2b89c570e543: Fix typos in API docs (authored by Grunny).
Fix typos in API docs
Dec 10 2014, 6:50 PM
Grunny committed rETEXc56742eb7149: Fix typo in API doc (authored by Grunny).
Fix typo in API doc
Dec 10 2014, 6:18 PM
Grunny committed rESMW112f37240827: Fix typo in release notes (authored by Grunny).
Fix typo in release notes
Dec 10 2014, 6:17 PM
Grunny committed rESMW211750688969: Fix small typo in CONTRIBUTING.md (authored by Grunny).
Fix small typo in CONTRIBUTING.md
Dec 10 2014, 6:17 PM
Grunny committed rEPTRbf310419eafa: Replace deprecated mw.user.name() with mw.user.getName() (authored by Grunny).
Replace deprecated mw.user.name() with mw.user.getName()
Dec 10 2014, 5:39 PM
Grunny committed rEPTR56c20114854e: (bug 37254) Make description text of the filters clickable (authored by Grunny).
(bug 37254) Make description text of the filters clickable
Dec 10 2014, 5:38 PM
Grunny committed rENUKf83cade885d2: Make Nuke pass jshint (authored by Grunny).
Make Nuke pass jshint
Dec 10 2014, 5:31 PM
Grunny committed rELOU7d717216a086: Adding missing message (authored by Grunny).
Adding missing message
Dec 10 2014, 5:07 PM
Grunny committed rEINBb4b70b55d970: Remove cases of double escaping (authored by Grunny).
Remove cases of double escaping
Dec 10 2014, 5:00 PM
Grunny committed rEGADc503247875fb: Fix typo in API doc (authored by Grunny).
Fix typo in API doc
Dec 10 2014, 4:51 PM
Grunny committed rECHO3093c7a69f3f: Remove use of deprecated "hover" pseudo-event (authored by Grunny).
Remove use of deprecated "hover" pseudo-event
Dec 10 2014, 4:18 PM
Grunny committed rECHU04c054e66fb0: (bug 40658) Support query continue in CheckUserLog API (authored by Grunny).
(bug 40658) Support query continue in CheckUserLog API
Dec 10 2014, 4:09 PM
Grunny committed rECHU299af77f15f6: bug 31793 -- let Special:CheckUser/Foo prefill username/IP address field with… (authored by Grunny).
bug 31793 -- let Special:CheckUser/Foo prefill username/IP address field with…
Dec 10 2014, 4:08 PM
Grunny committed rEBURcd0898079385: Migrate to JSON i18n (authored by Grunny).
Migrate to JSON i18n
Dec 10 2014, 3:35 PM
Grunny committed rEBURe2789cc8ac57: Add missing message and tweak user right message (authored by Grunny).
Add missing message and tweak user right message
Dec 10 2014, 3:35 PM
Grunny committed rEBUR536e2089b3d0: Update to use newer logging method (authored by Grunny).
Update to use newer logging method
Dec 10 2014, 3:35 PM
Grunny committed rEBURafd5adba67d7: Cleanup, removing globals and unused methods (authored by Grunny).
Cleanup, removing globals and unused methods
Dec 10 2014, 3:35 PM
Grunny committed rEBUR5f132025413a: Replacing deprecated wfMsg* with $this->msg (authored by Grunny).
Replacing deprecated wfMsg* with $this->msg
Dec 10 2014, 3:35 PM
Grunny committed rEBUR1898b91ffea2: PHP linting (authored by Grunny).
PHP linting
Dec 10 2014, 3:35 PM
Grunny committed rEABF9b1433ead38a: Add missing parameters to message call (authored by Grunny).
Add missing parameters to message call
Dec 10 2014, 3:25 PM
Grunny committed rEABF13bdc746ed1a: Add missing message from the edit view for global filters (authored by Grunny).
Add missing message from the edit view for global filters
Dec 10 2014, 3:11 PM
Grunny committed rEAPX62f2c19fa0a7: Replace deprecated SpecialPage::includable() (authored by siebrand).
Replace deprecated SpecialPage::includable()
Dec 10 2014, 5:00 AM