Page MenuHomePhabricator

csteipp (Chris Steipp)
Disabled

Projects

User does not belong to any projects.

User Details

User Since
Oct 6 2014, 7:38 PM (493 w, 12 h)
Roles
Disabled
IRC Nick
csteipp
LDAP User
CSteipp
MediaWiki User
Unknown
This account has been disabled.

Recent Activity

Jan 24 2023

Sj awarded T86869: Support a nice sso experience with MediaWiki's OAuth a Pterodactyl token.
Jan 24 2023, 12:54 AM · Roadmap, Notice, MediaWiki-extensions-OAuth, Epic

Jan 5 2020

mmodell awarded T99750: Update phabricator to use Authentication Only consumer a Meh! token.
Jan 5 2020, 6:22 AM · Release-Engineering-Team-TODO, Release-Engineering-Team (Development services), Phabricator

Feb 8 2019

Krinkle awarded T109724: A combination of Special:MyPage redirects and pagecounts allows an external site to know the wikipedia login of an user a Orange Medal token.
Feb 8 2019, 7:05 PM · Security, Vuln-Infoleak, MW-1.27-release-notes, MediaWiki-Redirects, MW-1.25-release, MW-1.26-release, MW-1.23-release, MW-1.24-release, Security-Team, Privacy

Oct 1 2018

RandomDSdevel awarded T56515: Apply editing rate limits for all users a Piece of Eight token.
Oct 1 2018, 1:23 AM · User-notice-archive, Stewards-and-global-tools, SRE, Wikimedia-Site-requests

Jun 11 2018

Gerrit Code Review <gerrit@wikimedia.org> committed rEQS2bb60d8b367b: Update patch set 2 (authored by csteipp).
Update patch set 2
Jun 11 2018, 8:25 PM
Gerrit Code Review <gerrit@wikimedia.org> committed rEQSe1e4000a9fd8: Update patch set 1 (authored by csteipp).
Update patch set 1
Jun 11 2018, 8:23 PM

Sep 16 2016

MarcoAurelio awarded T116878: Create grafana dashboard for stewards showing number of blocks per wiki a Cookie token.
Sep 16 2016, 9:13 AM · Observability-Metrics, observability, Grafana, WMF-General-or-Unknown, Stewards-and-global-tools

Jun 29 2016

csteipp added a comment to T136587: Login no longer working - throws fatal MediaWiki\Session\UnexpectedValueException.

have php-openssl, but it does not support aes-256-ctr mode

Jun 29 2016, 4:29 PM · Security, MW-1.27-release-notes, MW-1.28-release-notes, MW-1.28-release (WMF-deploy-2016-06-07_(1.28.0-wmf.5)), Patch-For-Review, MediaWiki-User-login-and-signup, MediaWiki-Core-AuthManager

Jun 15 2016

csteipp added a comment to T137194: AuthManager cannot audit passwords.

I think the fewer places we have the password the better. So I think this is fine.

Jun 15 2016, 1:16 AM · MediaWiki-Core-AuthManager

Jun 6 2016

csteipp added a comment to T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki.

It seems like this is again overlapping with the discussion on T130748. We
were discussing there a cookie that the user could opt into, and then the
server wouldn't send the strict headers.

Jun 6 2016, 2:56 PM · MediaWiki-General, ContentSecurityPolicy, Platform Team Legacy (Watching / External), TechCom-RFC (TechCom-RFC-Closed), Patch-For-Review, Epic, Security-Team

May 27 2016

csteipp updated subscribers of T136451: Add csteipp as volunteer with access to security tasks.

A C-level needs to approve. That would be @Wwes .

May 27 2016, 10:31 PM · WMF-NDA-Requests
csteipp added a comment to T136451: Add csteipp as volunteer with access to security tasks.

https://phabricator.wikimedia.org/legalpad/signatures/ - signed

May 27 2016, 10:29 PM · WMF-NDA-Requests
csteipp added a comment to T136451: Add csteipp as volunteer with access to security tasks.

Is L2 still the correct agreement to sign?

May 27 2016, 10:22 PM · WMF-NDA-Requests
csteipp added a comment to T136451: Add csteipp as volunteer with access to security tasks.

Is L2 still the correct agreement to sign?

May 27 2016, 10:19 PM · WMF-NDA-Requests
csteipp added a comment to T136451: Add csteipp as volunteer with access to security tasks.

Yes

May 27 2016, 10:08 PM · WMF-NDA-Requests
csteipp created T136451: Add csteipp as volunteer with access to security tasks.
May 27 2016, 10:06 PM · WMF-NDA-Requests
csteipp added a comment to T130892: wikitech 2fa provisioning form does so without confirmation.

@dpatrick, sounds good

May 27 2016, 5:05 PM · MW-1.27-release (WMF-deploy-2016-04-12_(1.27.0-wmf.21)), Patch-For-Review, Security-Team, MediaWiki-extensions-OATHAuth, Cloud-Services, wikitech.wikimedia.org
csteipp added a comment to T119736: Could not find local user data for {Username}@{wiki}.

https://gerrit.wikimedia.org/r/#/c/289778/ with https://gerrit.wikimedia.org/r/#/c/289780/ fixes this particular case. I'll see if I can get those merged today.

May 27 2016, 3:52 PM · User-notice-archive, Collaboration-Team-Triage, Notifications, MW-1.28-release-notes, MW-1.28-release (WMF-deploy-2016-07-12_(1.28.0-wmf.10)), Patch-For-Review, MW-1.27-release (WMF-deploy-2016-01-12_(1.27.0-wmf.10)), MediaWiki-extensions-CentralAuth, WMF-General-or-Unknown, MediaWiki-User-login-and-signup

May 26 2016

csteipp added a comment to T136350: Move two-factor auth data (TOTP seed) from labswiki database to LDAP.

The only thing that makes me sad about this is that it would mean that wikitech remains an LDAPAuth wiki indefinitely blocking my desire to convert it to part of the normal SUL wiki family when we have all of the OpenStack features migrated to Horizon or other related systems. (And yes I know that LDAP is used for more than OpenStack.) I would personally be more excited about consolidating the validation in https://www.linotp.org or something similar.

May 26 2016, 10:02 PM · MediaWiki-extensions-OATHAuth, Cloud-Services
csteipp added a comment to T136350: Move two-factor auth data (TOTP seed) from labswiki database to LDAP.

If you want to use ldap to store the secret, then mediawiki's Ex:OATHAuth needs to be ldap aware (or have hooks to let another extension swap out the secret). It's ugly, but doable.

May 26 2016, 8:00 PM · MediaWiki-extensions-OATHAuth, Cloud-Services
csteipp added a comment to T136269: QR code fails in Google Authenticator for accounts named with parentheses.

@dpatrick, are you the ios version of Google Authenticator, right? It's working fine for me as is, on android. But using the updated javascript also works, so probably good to get that rolled out.

May 26 2016, 6:18 PM · MW-1.28-release (WMF-deploy-2016-06-07_(1.28.0-wmf.5)), MW-1.28-release (WMF-deploy-2016-05-24_(1.28.0-wmf.3)), Patch-For-Review, MediaWiki-extensions-OATHAuth

May 25 2016

csteipp added a comment to T131630: Tgr unable to login on Horizon.

On labswiki, the user table was create at a time when the collation wasn't explicitly set, so it's

May 25 2016, 8:38 PM · DBA, Horizon, Cloud-Services
csteipp added a comment to T136224: OATHAuth doing DB master queries on HTTP GET.

Ah, I see.

May 25 2016, 7:11 PM · MW-1.28-release (WMF-deploy-2016-06-07_(1.28.0-wmf.5)), Patch-For-Review, MediaWiki-extensions-OATHAuth, Sustainability
csteipp added a comment to T136224: OATHAuth doing DB master queries on HTTP GET.

@aaron, is there a way to see the actual request causing this? It must be for Special:OATH, but more details would be helpful.

May 25 2016, 7:04 PM · MW-1.28-release (WMF-deploy-2016-06-07_(1.28.0-wmf.5)), Patch-For-Review, MediaWiki-extensions-OATHAuth, Sustainability

May 24 2016

csteipp added a comment to T130748: Add Content-Security-Policy header enforcing 3rd party web interaction restrictions to proxy responses.

If you decide to go with the crypto cookie, I'd recommend using a JWT, with either an HS256 or ES256 signature. It's url-safe encoded so unlikely to get corrupted, and there are plenty of libraries out there so you don't have to try and get it right yourself.

May 24 2016, 3:23 PM · Toolforge, Privacy Engineering
csteipp removed a member for acl*security: Springle.
May 24 2016, 2:45 PM

May 20 2016

csteipp updated subscribers of T120484: Create password-authentication service for use by CentralAuth.
May 20 2016, 10:43 PM · MediaWiki-Platform-Team (Radar), MediaWiki-Core-AuthManager, MediaWiki-extensions-CentralAuth
csteipp added a comment to T135691: Kartographer tries to fetch groups that are not present on pages.

Thanks for fixing Max. I'll let Yurik or someone more familiar with the code review the patch.

May 20 2016, 8:25 PM · Discovery-ARCHIVED, Maps, Maps (Kartographer)

May 19 2016

csteipp added a comment to T129584: Security review of Romanian diacritics rendering reader assessment gadget.

We'll be using EventLogging for this feature after all. Is a security review still needed?

May 19 2016, 5:16 PM · I18n, Security-Other

May 18 2016

csteipp added a comment to T107605: Support two-factor authentication on CentralAuth wikis.

OATH has been rolled out to testwiki and test2wiki. Everything seems to be working as expected. Assuming no issues come up, I'll make it available on all wikis (to Staff global group only) tomorrow in SWAT.

May 18 2016, 6:58 PM · MediaWiki-extensions-CentralAuth, Security-Team
csteipp closed T130700: Create central OATHAuth table for CentralAuth wikis as Resolved.
mysql:wikiadmin@db1041 [centralauth]> CREATE TABLE `oathauth_users` (
    ->   `id` int(11) NOT NULL,
    ->   `secret` varbinary(255) DEFAULT NULL,
    ->   `scratch_tokens` varbinary(511) DEFAULT NULL,
    ->   PRIMARY KEY (`id`)
    -> ) ENGINE=InnoDB DEFAULT CHARSET=binary;
Query OK, 0 rows affected (0.06 sec)
May 18 2016, 6:14 PM · Patch-For-Review, DBA, MediaWiki-extensions-CentralAuth, Security-Team
csteipp closed T130700: Create central OATHAuth table for CentralAuth wikis, a subtask of T107605: Support two-factor authentication on CentralAuth wikis, as Resolved.
May 18 2016, 6:14 PM · MediaWiki-extensions-CentralAuth, Security-Team
csteipp closed T127114: Login throttle can be tricked using non-canonicalized usernames as Resolved.

And after the SpecialUserlogin refactor with wmf2, had to patch LoginSignupSpecialPage.

May 18 2016, 12:16 AM · Security, Vuln-Authn/Session, Security-Core
csteipp closed T127114: Login throttle can be tricked using non-canonicalized usernames, a subtask of T124940: MediaWiki 1.26.3 security release, as Resolved.
May 18 2016, 12:16 AM · Security, Security-Team

May 17 2016

csteipp triaged T135360: AbuseFilter reveals connection between accounts on login-autocreate as Medium priority.
May 17 2016, 8:50 PM · Security, Vuln-Infoleak, AbuseFilter
csteipp added a comment to T135198: Security review for RevisionSlider extension.

@Tobi_WMDE_SW, we'll try to work it in, but since we didn't schedule it at the beginning of the quarter, we have a lot of other reviews already scheduled-- we're fully booked between now and the end of the quarter. So unless an anticipated project isn't ready for review, it will likely be at the beginning of July.

May 17 2016, 3:17 PM · secscrum, Application Security Reviews, TCB-Team-Sprint-2016-05-19, TCB-Team-Sprint-2016-06-02, Revision-Slider, Community-Tech
csteipp reopened T127114: Login throttle can be tricked using non-canonicalized usernames as "Open".

Reopening. I'll get the updated portion of the patch deployed.

May 17 2016, 12:46 AM · Security, Vuln-Authn/Session, Security-Core
csteipp reopened T127114: Login throttle can be tricked using non-canonicalized usernames, a subtask of T124940: MediaWiki 1.26.3 security release, as Open.
May 17 2016, 12:46 AM · Security, Security-Team

May 16 2016

csteipp added a comment to T120484: Create password-authentication service for use by CentralAuth.

Pictures from our initial whiteboarding of the service, and some considerations for building it.

May 16 2016, 10:46 PM · MediaWiki-Platform-Team (Radar), MediaWiki-Core-AuthManager, MediaWiki-extensions-CentralAuth
csteipp updated subscribers of T134719: Kartographer has an XSS using magic javascript __proto__ property in GeoJson description.

Yep, here's my patch:

May 16 2016, 9:48 PM · Security, MW-1.28-release (WMF-deploy-2016-06-21_(1.28.0-wmf.7)), Maps-Sprint, Discovery-ARCHIVED, Patch-For-Review, Vuln-XSS, JavaScript, Maps (Kartographer)
csteipp moved T129177: Security review of Hovercards before beta->default conversion from Incoming to Our Part Is Done on the Security-Team board.
May 16 2016, 5:06 PM · Patch-For-Review, MW-1.28-release (WMF-deploy-2016-05-17_(1.28.0-wmf.2)), Reading-Web-Sprint-72-Ninety-nine-problems-but-Nirzar-aint-one, Web-Team-Backlog, Reading-Web-Sprint-71-Matisse-Monet-Kandinsky-and-the-Departing-Painters, Reading-Web-Sprint-70-Lady-and-the-Trumps, Page-Previews, Security-Team

May 12 2016

csteipp closed T132929: Review TWL OAuth implementation as Resolved.

Implementation using mwoauth looks good. It uses defaults for nearly all processing, which should be safe. It correctly uses the identify method to get the user's identity.

May 12 2016, 10:33 PM · Security-Team
csteipp closed T132929: Review TWL OAuth implementation, a subtask of T132934: Security review of TWL, as Resolved.
May 12 2016, 10:33 PM · Security-Team
csteipp added a comment to T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block.

Edit page views are quite common because people click red links.

Do we have recent data on how starting sessions on edit view would impact cache hit rates?

IIRC, my first version of the Squid caching integration started sessions on edit view, and back then it didn't seem to be a performance issue.

May 12 2016, 9:14 PM · Patch-Needs-Improvement, Security, MediaWiki-Core-AuthManager, TechCom-RFC
csteipp created T135165: Frack (boron and bismuth) access for Darian Patrick.
May 12 2016, 7:15 PM · fundraising-tech-ops
csteipp added a comment to T130700: Create central OATHAuth table for CentralAuth wikis.

@jcrespo, it's on S7, centralauth database. The table will be 'oathauth_users'.

May 12 2016, 5:36 PM · Patch-For-Review, DBA, MediaWiki-extensions-CentralAuth, Security-Team
csteipp added a comment to T130700: Create central OATHAuth table for CentralAuth wikis.

I've scheduled time on May 18th to create the table, and enable the extension (only accessible to a few people).

May 12 2016, 5:04 PM · Patch-For-Review, DBA, MediaWiki-extensions-CentralAuth, Security-Team
greg awarded T124940: MediaWiki 1.26.3 security release a Barnstar token.
May 12 2016, 12:52 AM · Security, Security-Team

May 11 2016

csteipp created T135046: Allowlist Cloud VPS instances that need XFF header passed through the web proxy.
May 11 2016, 8:45 PM · Privacy Engineering, cloud-services-team (Kanban), WMF-Legal, Privacy, Cloud-Services
csteipp closed T129177: Security review of Hovercards before beta->default conversion, a subtask of T70860: [GOAL] Graduate Page Previews feature (Popups extension) out of Beta Feature, as Resolved.
May 11 2016, 4:21 PM · User-notice-archive, Readers-Web-Kanbanana-Board-Old, Wikimedia-extension-review-queue, Reading Epics (Page Previews), Goal, Community-Relations-Support, Web-Team-Backlog, Reading-Web-Sprint-70-Lady-and-the-Trumps, Reading-Web-Planning, Phlogiston-Category, Readers-Community-Engagement, Epic, Reading-Admin, Notice, Page-Previews, Beta-Feature, Wikimedia-Extension-setup
csteipp closed T129177: Security review of Hovercards before beta->default conversion as Resolved.

Looks mostly good, a couple minor cleanups.

  • The css in article.createImgThumbnail is constructed as 'url(' + url + ')', but article.createThumbnail prevents \, ', and " in the url. So either createThumbnail should filter )'s, or createImgThumbnail should put the url into a quoted string.
May 11 2016, 4:21 PM · Patch-For-Review, MW-1.28-release (WMF-deploy-2016-05-17_(1.28.0-wmf.2)), Reading-Web-Sprint-72-Ninety-nine-problems-but-Nirzar-aint-one, Web-Team-Backlog, Reading-Web-Sprint-71-Matisse-Monet-Kandinsky-and-the-Departing-Painters, Reading-Web-Sprint-70-Lady-and-the-Trumps, Page-Previews, Security-Team
csteipp closed T129177: Security review of Hovercards before beta->default conversion, a subtask of T111231: Page previews for Wikidata, as Resolved.
May 11 2016, 4:21 PM · Web-Team-Backlog, [DEPRECATED] wdwb-tech, Product-Infrastructure-Team-Backlog-Deprecated, Mobile-Content-Service, Wikimania-Hackathon-2018, Wikimedia-Site-requests, User-aude, Beta-Feature, Story, Page-Previews, MediaWiki-extensions-WikibaseRepository, Wikidata
csteipp closed T129177: Security review of Hovercards before beta->default conversion, a subtask of T132602: [GOAL] Roll Hovercards out on smaller wikipedia project, as Resolved.
May 11 2016, 4:21 PM · Page-Previews, Goal, Web-Team-Backlog, Reading-Web-Sprint-70-Lady-and-the-Trumps, Phlogiston-Category, Readers-Community-Engagement, Epic, Reading-Admin, Notice, Beta-Feature, Wikimedia-Extension-setup
csteipp added a comment to T134719: Kartographer has an XSS using magic javascript __proto__ property in GeoJson description.

Deployed by @MaxSem,

May 11 2016, 12:03 AM · Security, MW-1.28-release (WMF-deploy-2016-06-21_(1.28.0-wmf.7)), Maps-Sprint, Discovery-ARCHIVED, Patch-For-Review, Vuln-XSS, JavaScript, Maps (Kartographer)

May 10 2016

csteipp added a comment to T134719: Kartographer has an XSS using magic javascript __proto__ property in GeoJson description.

Both Brian and I looked at the patch, and it seemed like it should fix the immediate problem. Max is going to deploy it.

May 10 2016, 11:34 PM · Security, MW-1.28-release (WMF-deploy-2016-06-21_(1.28.0-wmf.7)), Maps-Sprint, Discovery-ARCHIVED, Patch-For-Review, Vuln-XSS, JavaScript, Maps (Kartographer)
csteipp added a project to T134863: Reflected XSS in GlobalGroupPermissions: Security-Team.
May 10 2016, 10:18 PM · Security, Patch-For-Review, Security-Team, MediaWiki-extensions-CentralAuth, Vuln-XSS, Security-Extensions
csteipp renamed T131638: horizon accepts the same 2FA token as wikitech from horizon accepts the same 2FA token aus wikitech to horizon accepts the same 2FA token as wikitech.
May 10 2016, 10:13 PM · Security, Cloud-Services
csteipp added projects to T125177: api.log contains passwords in plaintext: Patch-For-Review, Reading-Infrastructure-Team-Old (Don't use).
May 10 2016, 10:05 PM · Security, Product-Infrastructure-Team-Backlog-Deprecated, MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release-notes, Vuln-Infoleak, Patch-For-Review, MediaWiki-Action-API
csteipp added a comment to T132720: ApiHelp on api.php should avoid applying common.js and common.css.

Talked with the rest of the Security-Team, and we're not seeing a way this can be abused. Anyone object to making this public?

May 10 2016, 9:59 PM · Performance-Team, MW-1.39-notes (1.39.0-wmf.13; 2022-05-23), MediaWiki-Action-API
csteipp triaged T134699: Quarry: Query edit restriction is enforced in UI, not API as Low priority.
May 10 2016, 9:52 PM · Security, Vuln-MissingAuthz, Quarry
csteipp moved T134699: Quarry: Query edit restriction is enforced in UI, not API from Backlog / Other to External (Non-WMF) Issues on the acl*security board.
May 10 2016, 9:51 PM · Security, Vuln-MissingAuthz, Quarry
csteipp triaged T134719: Kartographer has an XSS using magic javascript __proto__ property in GeoJson description as High priority.
May 10 2016, 9:34 PM · Security, MW-1.28-release (WMF-deploy-2016-06-21_(1.28.0-wmf.7)), Maps-Sprint, Discovery-ARCHIVED, Patch-For-Review, Vuln-XSS, JavaScript, Maps (Kartographer)
csteipp added a comment to T124940: MediaWiki 1.26.3 security release.

csteipp added a blocking task: T134863: Reflected XSS in GlobalGroupPermissions.

May 10 2016, 9:20 PM · Security, Security-Team
csteipp added a subtask for T124940: MediaWiki 1.26.3 security release: T134863: Reflected XSS in GlobalGroupPermissions.
May 10 2016, 9:20 PM · Security, Security-Team
csteipp added a parent task for T134863: Reflected XSS in GlobalGroupPermissions: T124940: MediaWiki 1.26.3 security release.
May 10 2016, 9:20 PM · Security, Patch-For-Review, Security-Team, MediaWiki-extensions-CentralAuth, Vuln-XSS, Security-Extensions
csteipp triaged T134863: Reflected XSS in GlobalGroupPermissions as High priority.
May 10 2016, 9:17 PM · Security, Patch-For-Review, Security-Team, MediaWiki-extensions-CentralAuth, Vuln-XSS, Security-Extensions
csteipp added a comment to T134774: Array to string conversion in /srv/mediawiki/php-1.27.0-wmf.22/extensions/ZeroBanner/includes/ZeroSpecialPage.php on line 131.

Ok, I remembered why we used IM instead of GD - multiline text. @csteipp, can we quickly approve https://github.com/stil/gd-text -- seems like exactly the lib we need to switch away from imagemagick-generated multiline text images.

May 10 2016, 8:53 PM · MW-1.28-release (WMF-deploy-2016-05-17_(1.28.0-wmf.2)), Patch-For-Review, Reading-Web-Sprint-72-Ninety-nine-problems-but-Nirzar-aint-one, ZeroBanner
csteipp added a comment to T133408: Security review of TemplateStyles.

Cool. At .5 kloc of php, should be a quick review.

May 10 2016, 4:00 PM · Patch-For-Review, Reading-Admin, TemplateStyles
csteipp updated subscribers of T134863: Reflected XSS in GlobalGroupPermissions.

@hoo / @Legoktm, FYI, in case you see any strange behavior.

May 10 2016, 3:57 PM · Security, Patch-For-Review, Security-Team, MediaWiki-extensions-CentralAuth, Vuln-XSS, Security-Extensions
csteipp added a comment to T134863: Reflected XSS in GlobalGroupPermissions.

15:52 csteipp: deployed patch for T134863

May 10 2016, 3:53 PM · Security, Patch-For-Review, Security-Team, MediaWiki-extensions-CentralAuth, Vuln-XSS, Security-Extensions
csteipp added a comment to T134863: Reflected XSS in GlobalGroupPermissions.

Thanks @Grunny! I'll get that deployed as soon as our normal deploy window is finished.

May 10 2016, 3:41 PM · Security, Patch-For-Review, Security-Team, MediaWiki-extensions-CentralAuth, Vuln-XSS, Security-Extensions

May 9 2016

csteipp moved T124404: language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition (CVE-2017-8814) from In Progress to Ready on the Security-Team board.
May 9 2016, 6:27 PM · Security, MW-1.31-release-notes (WMF-deploy-2017-11-14 (1.31.0-wmf.8)), MW-1.29-release-notes, MW-1.30-release-notes, Security-Team, MediaWiki-Language-converter, Security-Core
csteipp moved T125382: Ensure DOMPurify meets our SVG sanitization requirements for Graphs from Ready to Waiting on the Security-Team board.
May 9 2016, 6:22 PM · Services (watching), Security-Team, User-mobrovac, Graphoid
csteipp moved T130892: wikitech 2fa provisioning form does so without confirmation from Incoming to Waiting on the Security-Team board.
May 9 2016, 6:22 PM · MW-1.27-release (WMF-deploy-2016-04-12_(1.27.0-wmf.21)), Patch-For-Review, Security-Team, MediaWiki-extensions-OATHAuth, Cloud-Services, wikitech.wikimedia.org
csteipp moved T130700: Create central OATHAuth table for CentralAuth wikis from Incoming to In Progress on the Security-Team board.
May 9 2016, 6:18 PM · Patch-For-Review, DBA, MediaWiki-extensions-CentralAuth, Security-Team
csteipp moved T124445: Design research support for two step authentication from Ready to In Progress on the Security-Team board.
May 9 2016, 6:18 PM · SecTeam-Processed, Security, MediaWiki-extensions-OATHAuth
csteipp moved T124940: MediaWiki 1.26.3 security release from Epics in progress to In Progress on the Security-Team board.
May 9 2016, 6:17 PM · Security, Security-Team
csteipp moved T71367: page_recent_contributors leaks revdeleted user names (CVE-2021-31545) from Waiting to In Progress on the Security-Team board.
May 9 2016, 6:15 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.35; 2021-03-16), AbuseFilter (Overhaul-2020), Privacy Engineering, Security, Vuln-Infoleak
csteipp added a project to T71367: page_recent_contributors leaks revdeleted user names (CVE-2021-31545): Patch-For-Review.
May 9 2016, 6:13 PM · Patch-For-Review, MW-1.36-notes (1.36.0-wmf.35; 2021-03-16), AbuseFilter (Overhaul-2020), Privacy Engineering, Security, Vuln-Infoleak
csteipp added a comment to T133408: Security review of TemplateStyles.

@Jdforrester-WMF: What is next for this? Anything I can do to help things along?

May 9 2016, 5:49 PM · Patch-For-Review, Reading-Admin, TemplateStyles
csteipp added a comment to T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block.

Wouldn't the settings cookies kill caching anyway? Or is that rigged up to cache-vary on the specific cookie values without forcing things through to the backend? (Eg, if I'm an anon user with images disabled, beta on, and font size bumped up, are my pages still cached?) Or are we thinking of optimizing the case where someone clicks on settings and then never does anything with it?

May 9 2016, 4:54 PM · Patch-Needs-Improvement, Security, MediaWiki-Core-AuthManager, TechCom-RFC
csteipp added a comment to T134672: Set up Yubikey support in Phabricator.

This would add Yubi OTP to phabricator as a second factor (from skimming the code, if I'm missing something else, let me know).

May 9 2016, 4:07 PM · Phabricator, SRE
csteipp added a comment to T129584: Security review of Romanian diacritics rendering reader assessment gadget.

Thanks for the update. I've tentatively rescheduled for the week of May 30th. Let me know if it looks like it won't be ready by then.

May 9 2016, 2:49 PM · I18n, Security-Other

May 5 2016

csteipp added a comment to T124445: Design research support for two step authentication.

Darian has them written up, and I think he'll be passing them on today or tomorrow

May 5 2016, 11:09 PM · SecTeam-Processed, Security, MediaWiki-extensions-OATHAuth
csteipp added a comment to T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block.

We can potentially avoid session inflation by creating the session separately from creating the edit html (which would indeed allow session inflation if an attacker requests edit urls repeatedly without cookies enabled). For example, we could start the session from JavaScript on the edit page in a background request (AJAX).

May 5 2016, 10:19 PM · Patch-Needs-Improvement, Security, MediaWiki-Core-AuthManager, TechCom-RFC
csteipp added a comment to T134533: [betalabs] Regression: asynchronous update for cross-wiki notifications.

Was this made a security issue on purpose? I noticed the order of the "Create Task" dropdown in Phab changed yesterday, so I'm wondering if this was by accident...

May 5 2016, 9:51 PM · MW-1.28-release (WMF-deploy-2016-05-10_(1.28.0-wmf.1)), Regression, Patch-For-Review, Notifications, Collab-Team-2016-Apr-Jun-Q4
csteipp added a comment to T127114: Login throttle can be tricked using non-canonicalized usernames.

Line $username = User::getCanonicalName( $username, 'usable' ) ?: $username; should be backported.

May 5 2016, 9:07 PM · Security, Vuln-Authn/Session, Security-Core
csteipp added a comment to T124940: MediaWiki 1.26.3 security release.

I'll do the backports of T132874 today or tomorrow

May 5 2016, 7:34 PM · Security, Security-Team
csteipp updated the task description for T124940: MediaWiki 1.26.3 security release.
May 5 2016, 7:33 PM · Security, Security-Team
csteipp added a subtask for T124940: MediaWiki 1.26.3 security release: T132874: API action=move is not rate limited.
May 5 2016, 7:32 PM · Security, Security-Team
csteipp added a parent task for T132874: API action=move is not rate limited: T124940: MediaWiki 1.26.3 security release.
May 5 2016, 7:32 PM · Security, Patch-For-Review, MediaWiki-Action-API
csteipp closed T132874: API action=move is not rate limited as Resolved.

19:30 csteipp: deployed patch for T132874

May 5 2016, 7:31 PM · Security, Patch-For-Review, MediaWiki-Action-API
csteipp added a comment to T129584: Security review of Romanian diacritics rendering reader assessment gadget.

@Jdforrester-WMF is this at the point where you want a review now?

May 5 2016, 7:07 PM · I18n, Security-Other
csteipp added a comment to T124940: MediaWiki 1.26.3 security release.

@MaxSem, are you able to do backports of the patch for T130947?

May 5 2016, 6:55 PM · Security, Security-Team
csteipp updated subscribers of T124940: MediaWiki 1.26.3 security release.

@dpatrick / @Bawolff / @MaxSem - All those patches are deployed now. Can you all make sure you have 'SECURITY: ' at the start of the commit summary? Makes it easier to see on the cluster what's been added on top of master when deploying, and probably good to be consistent when we push these into master.

May 5 2016, 6:54 PM · Security, Security-Team
csteipp closed T133507: Careless use of $wgExternalLinkTarget is insecure as Resolved.

18:47 csteipp: deployed patch for T133507

May 5 2016, 6:48 PM · Security, Wikimedia-Performance-publish, Performance-Team, Patch-For-Review
csteipp closed T133507: Careless use of $wgExternalLinkTarget is insecure, a subtask of T124940: MediaWiki 1.26.3 security release, as Resolved.
May 5 2016, 6:48 PM · Security, Security-Team
csteipp added a comment to T133507: Careless use of $wgExternalLinkTarget is insecure.

New version based on csteipp's CR:
T133507-master

May 5 2016, 6:43 PM · Security, Wikimedia-Performance-publish, Performance-Team, Patch-For-Review
csteipp closed T129506: MediaWiki:Gadget-popups.js isn't renderable as Resolved.
May 5 2016, 6:26 PM · Security, MW-1.29-release (WMF-deploy-2017-01-24_(1.29.0-wmf.9)), Patch-For-Review, Vuln-DoS, Math, WMF-General-or-Unknown
csteipp closed T129506: MediaWiki:Gadget-popups.js isn't renderable, a subtask of T124940: MediaWiki 1.26.3 security release, as Resolved.
May 5 2016, 6:26 PM · Security, Security-Team