The mobile media viewer should blacklist images in/with noviwer/metadata classes like the desktop one does.
Tue, Apr 25
Probably some error prevented the process of user creation for Bnhassin, so the user table did get created but the central user database did not get updated. So the rename was allowed but broke when it reached enwiki since the account already existed there.
Why would it be invasive? We already collect and correlate browser details and edit actions, and timing/velocity of typing and mouse movements on the registration page is not even PII.
Mon, Apr 24
There are two separate user accounts on enwiki (both 0 edits, one created in 2013, the other in 2014). The rename should never have started in the first place.
Both users exist on enwiki. That's not supposed to happen and not fixable by maintenance script.
--ignorestatus means run the script even if the rename status is in progress (which normally means the rename is still ongoing and should not be messed with, but sometimes the rename fails so badly that it can't even update the status to failed). So not applicable here.
(the gerritbot issue is T161525)
According to Netrenderer IE 5-6 is broken but IE7 works fine with Wikipedia.
Not actionable as it is and no proposals in (almost) a year, let's close this.
Or maybe $author-username is problematic? There is no guarantee the author email can be resolved to a gerrit username.
My guess is this has been broken by https://gerrit.wikimedia.org/r/#/c/340801/ - the timing matches roughly, and that's the last username-related change. Maybe something does not like spaces in the username.
Thanks! I did not get to use it in the end (the event ended up being mostly discussion and not much actual development) but it was nice to know we have that option.
It would also be nice if any software project willing to be prioritized required a public implementation plan (i.e. don't circumvent the RfC process for WMF software). I think lately we are getting better at that but it would still be nice if it was called out explicitly.
Sun, Apr 23
This seems like a pretty dangerous spear phishing vector when used by a skilled attacker.
Sat, Apr 22
I could reproduce this for a short time (minutes) after the bug report was made, but then not anymore. Might be coincidence, or else there was something wrong with the image thumbnails and then somebody purged them.
Fri, Apr 21
I don't remember the details, beyond that User::save did not seem to clear the cache: loading the same user again resulted in the old data. Maybe it was some sort of in-process caching, or consistent reads resulting in pre-update DB data - I can't recall if I looked at those possibilities.
Thu, Apr 20
Looks like this was fixed at some point.
Jenkins seems to have tied itself into a knot over the switch from \TestingAccessWrapper to \Wikimedia\TestingAccessWrapper:
- extension tests ignore the extension's composer.json and just use core/vendor (see mw-fetch-composer-dev.sh)
- core patches run a couple extension tests as well, which fail
- DonationInterface tests run with 1.27 core. (The tests pass, I have no idea why.)
Wed, Apr 19
The main technical question IMO is what tool to use for HTML transformations: some npm library (that would mean putting the logic in the Electron service which seems less nice than making Collection self-contained), or simple text processing (that will end badly unless we are sure only very simple transformations will be needed), or DOM manipulation in PHP (that will create a dependency on RemexHtml as I don't think there is anything else out there able to deal with HTML5).
One thing to consider for the future is that with TemplateStyles editors will be able to add print-specific styles for their templates. (It's already possible via MediaWiki:*.css but impractical.) It would probably be useful to have some kind of tutorial/guidelines/best practices document for that.
FWIW the OCG HTML transformation logic is in the Visitor class and it does not seem to do anything interesting, beyond filtering out various things.
Wikimedia_beetle.png and Wikimedia_beetle.svg are different images. One of them is probably being preloaded.
Tue, Apr 18
The first, I think? I'm not sure I understand the difference.
MMV does not realize SVGs can be scaled beyond their nominal size (that's T71237; it's labeled easy but might not be). Doesn't explain the blur though; that's some problem with the placeholder image (which is intentionally blurry but should go away as soon as the large image is loaded) that might or might not be HiDPI-related.
Mon, Apr 17
Using s7 would be convenient because it has global user/watchlist data so it would be possible to do a join between watchlists and push subscription lists, which seems like the most performant way to handle watchlist push notifications. (The same thing could be achieved by setting up another replication stream for watchlist, but why do it twice?)
WikimediaMessages is a (somewhat hacky) way to keep the code clean of Wikimedia-specific references: define messages with a generic text and use the WikimediaMessages extension to replace it. Since it is not useful outside Wikimedia, not much effort went into documenting it.
Walking back from the throw clause in ORES\Api::request, this seems to happen when you are looking at a change list special page (trigger ChangesListSpecialPageStructuredFilters), ORES is enabled and the cache for ORES\Stats::fetchStats is cold.
Thu, Apr 13
Just point $wgOresBaseUrl to something that does not exist (while looking at a recentchanges row that has not been cached in the local DB yet).
Wed, Apr 12
With the benefit of hindsight: this change should have included some logging so it is easy to spot when a given wiki is affected.
Broke zerowiki as well, see T162771.
Tue, Apr 11
Is it possible to do the following?
- Allow scores to be returned in Action API responses provided there are corresponding records in the recent changes corresponding to the revisions. Rely on existing limits for number of revisions.
- When revisions exist but they're not in the recent changes table, don't allow more than X unavailable revision scores to be fetched at a time. Use API continuation in batches of only X revisions at a time for some small X, but don't store them upon fetch; instead, delegate the decision on whether to store or somehow cache in the ORES backend to the ORES backend.
Mon, Apr 10
Note that special page names can be localized, so that e.g. on the Persian Wikipedia the link might look like ویژه:زبانهای_من/Beta_Features/Hovercards.
Thu, Apr 6
There have been a lot of similar reports lately (T162130, T161917, T160867) so something is probably up. At a glance, the only common factor that jumps out is that they all seem to be from HiDPI devices, based on the thumbnail dimensions.
IMO wiki code is typical enough that anyone else using css-sanitizer to purify user-generated CSS could make good use of the capability, so it makes more sense to do it there.
A list of sanitization errors for MediaWiki:*.css pages on Wikimedia projects:
Unsupported properties in the first 50 errors:
- -moz-box-shadow, -webkit-box-shadow
- -moz-linear-gradient, -webkit-gradient, -webkit-linear-gradient, -ms-linear-gradient, -o-linear-gradient
- -moz-border-radius, -moz-border-radius-*, -webkit-border-radius, -webkit-border-*-radius
- zoom (used for IE CSS hacks)
- -webkit-background-size, -khtml-background-size, -moz-background-size, -o-background-size
- -ms-filter, filter
- -o-user-select
- -webkit-min-device-pixel-ratio
- -moz-column-count, -webkit-column-count
- -webkit-column-gap, -moz-column-gap, -ms-column-gap
- -moz-column-width, -webkit-column-width, -ms-column-width
- -webkit-column-break-inside
- -moz-font-feature-settings, -webkit-font-feature-settings
- cursor: hand
- -moz-box-shadow, -webkit-box-shadow
- -webkit-transition, -moz-transition, -o-transition, -ms-transition
- -webkit-text-decoration, -moz-text-decoration
- -webkit-background-size
- -webkit-print-color-adjust
- <property>: <value>\9;, <property>: <value> !ie;, *<value> (these seem to be old IE CSS hacks)
- list-style-type: -moz-kannada
- will-change
- pointer-events
- -webkit-background-clip, -moz-background-clip
- ::-moz-placeholder, ::-webkit-input-placeholder, ::-ms-input-placeholder
- -moz-box-sizing, -webkit-box-sizing
- :-moz-first-node
Wed, Apr 5
Tue, Apr 4
I don't think it is malign, just parallelizing queries to load balancing source IPs (always the same ones).
Seems to have restarted (at least based on raw GET volume, haven't looked at what type it is). See P5199#27747 for the ranges if someone wants to set up an IP block.
Did the IPs change periodically or did they actually use 50 boxes to query the API in parallel? The second case sounds like a proper DDoS scenario; not sure we would have an easy way of protecting against that. If it's from a single IP at a time, some sort of per-IP connection limit would suffice.
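The comment above draws a line between a single client hammering the API (where a per-IP limit suffices) and the same volume spread over many source addresses (where it does not). The following is an added illustration, not code from MediaWiki or the Wikimedia API infrastructure: a sliding-window limiter run over constructed access-log tuples, keyed once per client IP and once per /24 range, which shows the per-IP limit catching the first pattern but missing the second, and the range-keyed variant catching both. The log format, thresholds and addresses are all constructed for the example.

```python
"""Sliding-window request limiting over constructed API access logs.

Added illustration of the per-IP vs. distributed-source distinction; the
log tuples, IP addresses and thresholds below are constructed, not real data.
"""
from collections import defaultdict, deque
import ipaddress

# Constructed sample log: (timestamp in seconds, client IP, request path).
# Block 1: one client sends 120 requests in 6 seconds.
# Block 2: the same 120 requests in 6 seconds, spread over 50 addresses
#          in one /24, so each address only sends two or three requests.
SAMPLE_LOG = [
    (100.0 + i * 0.05, "198.51.100.7", "/w/api.php?action=query")
    for i in range(120)
] + [
    (200.0 + i * 0.05, "203.0.113.%d" % (10 + i % 50), "/w/api.php?action=query")
    for i in range(120)
]


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps still inside the window

    def allow(self, key, now):
        q = self.events[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def per_ip(ip):
    """Limiter key: the exact client address."""
    return ip


def per_net24(ip):
    """Limiter key: the /24 network the client address belongs to."""
    return str(ipaddress.ip_network("%s/24" % ip, strict=False))


def flagged_keys(log, key_fn, limit, window):
    """Return the set of keys that exceeded the limit somewhere in the log."""
    limiter = SlidingWindowLimiter(limit, window)
    flagged = set()
    for timestamp, ip, _path in log:
        key = key_fn(ip)
        if not limiter.allow(key, timestamp):
            flagged.add(key)
    return flagged


if __name__ == "__main__":
    # 100 requests per 10 seconds is a constructed threshold.
    print("per-IP   :", sorted(flagged_keys(SAMPLE_LOG, per_ip, 100, 10.0)))
    print("per-/24  :", sorted(flagged_keys(SAMPLE_LOG, per_net24, 100, 10.0)))
```

Keying on a network range is only a partial answer to the distributed case (it helps when the sources cluster, as the ranges mentioned in the thread did), and a range key can also sweep up unrelated clients behind the same prefix, so the two limiters are best used together with different thresholds rather than as replacements for each other.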
It would be great to have it on the server, yes. psysh has all kinds of cool stuff (tab autocompletion, nice dumping, inspection, phpdoc extraction, recovering from fatals...). Not sure about the security impact, but it's only used from shell so intentionally malicious code is the only threat model I can think of, and all of the dependencies are reputable (Symfony, nikic, Jakub Onderka) or trivial (dnoegel/php-xdg-base-dir).
A possible cause is that the preview shortcut does not work until you make some changes to the text.
Mon, Apr 3
The EU data protection working group advisory WP-194 section 3.3 ("cookies set for the specific task of increasing the security of the service that has been explicitly requested by the user") clearly applies here, as long as the cookie is only set on edit attempts (IIRC not the case with the current implementation, but would be a trivial change).
Sat, Apr 1
Fri, Mar 31
I thought TextExtracts stores article plaintext in the page_props table, but apparently it uses memcached. So there might be no easy way to dump that. I guess a script could just fetch it from the API, but that might be too slow or fragile.
Thu, Mar 30
This seems to be a side effect of T154698: Prevent contributions attributed to private and WMF IP addresses:
tgr@terbium:~$ mwscript eval.php --wiki=mediawikiwiki > $passwordReset = new PasswordReset( RequestContext::getMain()->getConfig(), \MediaWiki\Auth\AuthManager::singleton() );
Wed, Mar 29
Is T136114 related?
A possible microtask:
If you are looking for tasks, here is a recent request: https://stackoverflow.com/questions/43007309/wheres-the-list-of-values-for-action-in-permissions-related-mediawiki-hooks