MarkusRost
User

User Details

User Since
Apr 9 2019, 9:07 PM (357 w, 11 h)
Availability
Available
LDAP User
MarkusRost
MediaWiki User
MarkusRost [ Global Accounts ]

Recent Activity

Sep 2 2025

MarkusRost added a watcher for affects-Kiwix-and-openZIM: MarkusRost.
Sep 2 2025, 12:22 PM

Aug 24 2025

MarkusRost created T402753: Add WikimediaMessages styles to action=parse API output.
Aug 24 2025, 11:32 PM · MW-1.45-notes (1.45.0-wmf.18; 2025-09-09), MW-Interfaces-Team, affects-Kiwix-and-openZIM, MediaWiki-Action-API, WikimediaMessages
Restricted Application added a project to T274911: Allow users to be partially blocked from marking edits as minor: Trust and Safety Product Team.
Aug 24 2025, 9:09 PM · Trust and Safety Product Team, MediaWiki-Blocks

Jun 30 2025

MarkusRost added a comment to T86611: API does not fail gracefully when data is too large.

Getting this error in https://github.com/openzim/mwoffliner/issues/2401 trying to parse https://de.wikipedia.org/wiki/Liste_der_Schlangenarten using Parsoid:
https://de.wikipedia.org/w/api.php?action=parse&format=json&prop=text&parsoid=1&page=Liste_der_Schlangenarten

Jun 30 2025, 10:09 PM · Content-Transform-Team, MW-Interfaces-Team, Commons, All-and-every-Wikisource, MediaWiki-Action-API

May 29 2025

MarkusRost added a comment to T395525: API generator random loses order of random pages.

There is no way to preserve the random value from generator to the output.

May 29 2025, 10:52 AM · MW-Interfaces-Team, MediaWiki-Action-API
MarkusRost updated the task description for T395525: API generator random loses order of random pages.
May 29 2025, 10:50 AM · MW-Interfaces-Team, MediaWiki-Action-API
MarkusRost created T395525: API generator random loses order of random pages.
May 29 2025, 12:36 AM · MW-Interfaces-Team, MediaWiki-Action-API

Feb 18 2025

MarkusRost added a comment to T336113: CVE-2025-32068: Revoking authorization of OAuth2 consumer does not invalidate refresh tokens.

The typo should actually be rest.php/oauth2?grant_type=

Feb 18 2025, 2:33 AM · SecTeam-Processed, Security-Team, MediaWiki-Platform-Team, Vuln-Authn/Session, Security, affects-Miraheze, MediaWiki-extensions-OAuth

Jan 21 2025

MarkusRost updated subscribers of T336113: CVE-2025-32068: Revoking authorization of OAuth2 consumer does not invalidate refresh tokens.
Jan 21 2025, 2:31 PM · SecTeam-Processed, Security-Team, MediaWiki-Platform-Team, Vuln-Authn/Session, Security, affects-Miraheze, MediaWiki-extensions-OAuth
MarkusRost added a comment to T336113: CVE-2025-32068: Revoking authorization of OAuth2 consumer does not invalidate refresh tokens.

I have just tested it and this issue exists for mwoauth-authonlyprivate as well, allowing the consumer to keep accessing my email address without me being aware of it or having any way to prevent it.

Jan 21 2025, 2:00 PM · SecTeam-Processed, Security-Team, MediaWiki-Platform-Team, Vuln-Authn/Session, Security, affects-Miraheze, MediaWiki-extensions-OAuth
MarkusRost added a comment to T336113: CVE-2025-32068: Revoking authorization of OAuth2 consumer does not invalidate refresh tokens.

Security-Team I have found an abuse vector for this issue. While the new access tokens are invalid for editing the wiki, they are still valid for the identify endpoint oauth2/resource/profile.

Jan 21 2025, 1:34 PM · SecTeam-Processed, Security-Team, MediaWiki-Platform-Team, Vuln-Authn/Session, Security, affects-Miraheze, MediaWiki-extensions-OAuth
MarkusRost added a comment to T336113: CVE-2025-32068: Revoking authorization of OAuth2 consumer does not invalidate refresh tokens.
In T336113#8983811, @Tgr wrote:

I don't think there's a straightforward way of doing this. RefreshTokenRepository is a CacheRepository subclass so you can only delete if you know the token ID. We'd need to be able to delete by acceptance ID.

Jan 21 2025, 9:56 AM · SecTeam-Processed, Security-Team, MediaWiki-Platform-Team, Vuln-Authn/Session, Security, affects-Miraheze, MediaWiki-extensions-OAuth

Nov 8 2024

MarkusRost added a member for Trusted-Contributors: JaydenKieran.
Nov 8 2024, 1:40 AM

May 6 2024

MarkusRost added a member for Trusted-Contributors: Alex44019.
May 6 2024, 2:57 PM

Jul 2 2023

MarkusRost added a comment to T340921: Make OAuth2 refresh tokens valid for longer than access tokens.

Change 934713 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] Fix default refresh token expiry

https://gerrit.wikimedia.org/r/934713

Jul 2 2023, 9:17 PM · MW-1.42-notes (1.42.0-wmf.1; 2023-10-17), MediaWiki-extensions-OAuth
MarkusRost created T340921: Make OAuth2 refresh tokens valid for longer than access tokens.
Jul 2 2023, 8:12 AM · MW-1.42-notes (1.42.0-wmf.1; 2023-10-17), MediaWiki-extensions-OAuth

May 7 2023

MarkusRost set Security to security-bug on T336113: CVE-2025-32068: Revoking authorization of OAuth2 consumer does not invalidate refresh tokens.

While I can't see a clear abuse vector due to the "Cannot create access token, user did not approve issuing this access token" error, this still feels a lot like a security issue. Therefore I'm escalating just to be sure.

May 7 2023, 7:40 AM · SecTeam-Processed, Security-Team, MediaWiki-Platform-Team, Vuln-Authn/Session, Security, affects-Miraheze, MediaWiki-extensions-OAuth
MarkusRost updated the task description for T336113: CVE-2025-32068: Revoking authorization of OAuth2 consumer does not invalidate refresh tokens.
May 7 2023, 7:39 AM · SecTeam-Processed, Security-Team, MediaWiki-Platform-Team, Vuln-Authn/Session, Security, affects-Miraheze, MediaWiki-extensions-OAuth

May 6 2023

MarkusRost created T336113: CVE-2025-32068: Revoking authorization of OAuth2 consumer does not invalidate refresh tokens.
May 6 2023, 9:29 PM · SecTeam-Processed, Security-Team, MediaWiki-Platform-Team, Vuln-Authn/Session, Security, affects-Miraheze, MediaWiki-extensions-OAuth

Jun 30 2022

MarkusRost added a comment to T34959: Private filters should not be visible in recent changes.

I think having edits to abuse filter hidden from recent changes is problematic for admins. It's currently possible that admins will never notice the existence of new filters which might cause problems later on. Trying to solve issues of editors is also made a lot harder when admins don't know that there was a recent abuse filter change which causes the issue.

Jun 30 2022, 3:14 PM · MW-1.35-notes (1.35.0-wmf.5; 2019-11-05), User-DannyS712, AbuseFilter

Jan 4 2021

MarkusRost added a comment to T270713: CVE-2021-30152: action=protect lets users with 'protect' permission protect to higher protection level.

Wouldn't returning a permissions error be the better message? That message should already exist as well and the user is in fact missing the permission to protect to that level.

Jan 4 2021, 6:22 PM · MW-1.36-notes, MW-1.37-notes (1.37.0-wmf.1; 2021-04-13), Platform Team Workboards (Clinic Duty Team), Patch-For-Review, Vuln-MissingAuthz, Security-Team, Security, MediaWiki-Action-API