csteipp (Chris Steipp)
Security Things

User Details

User Since
Oct 6 2014, 7:38 PM (133 w, 2 d)
Availability
Available
IRC Nick
csteipp
LDAP User
CSteipp
MediaWiki User
Unknown

Recent Activity

Sep 16 2016

MarcoAurelio awarded T116878: Create grafana dashboard for stewards showing number of blocks per wiki a Cookie token.
Sep 16 2016, 9:13 AM · Wikimedia-General-or-Unknown, Stewards-and-global-tools

Jun 29 2016

csteipp added a comment to T136587: Login no longer working - throws fatal MediaWiki\Session\UnexpectedValueException.

have php-openssl, but it does not support aes-256-ctr mode

Jun 29 2016, 4:29 PM · MW-1.28-release (WMF-deploy-2016-07-26_(1.28.0-wmf.12)), Security, MW-1.27-release-notes, MW-1.28-release-notes, MW-1.28-release (WMF-deploy-2016-06-07_(1.28.0-wmf.5)), Patch-For-Review, MediaWiki-User-login-and-signup, MediaWiki-Authentication-and-authorization

Jun 15 2016

csteipp added a comment to T137194: AuthManager cannot audit passwords.

I think the fewer places we have the password the better. So I think this is fine.

Jun 15 2016, 1:16 AM · MediaWiki-Authentication-and-authorization

Jun 6 2016

csteipp added a comment to T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki.

It seems like this is again overlapping with the discussion on T130748. We were discussing there a cookie that the user could opt into, and then the server wouldn't send the strict headers.

Jun 6 2016, 2:56 PM · ArchCom-Has-shepherd, RfC, JavaScript, Security-Team, ArchCom-RfC

May 27 2016

csteipp updated subscribers of T136451: Add csteipp as volunteer with access to security tasks.

A C-level needs to approve. That would be @Wwes .

May 27 2016, 10:31 PM · WMF-NDA-Requests
csteipp added a comment to T136451: Add csteipp as volunteer with access to security tasks.

https://phabricator.wikimedia.org/legalpad/signatures/ - signed

May 27 2016, 10:29 PM · WMF-NDA-Requests
csteipp added a comment to T136451: Add csteipp as volunteer with access to security tasks.

Is L2 still the correct agreement to sign?

May 27 2016, 10:22 PM · WMF-NDA-Requests
csteipp added a comment to T136451: Add csteipp as volunteer with access to security tasks.

Is L2 still the correct agreement to sign?

May 27 2016, 10:19 PM · WMF-NDA-Requests
csteipp added a comment to T136451: Add csteipp as volunteer with access to security tasks.

Yes

May 27 2016, 10:08 PM · WMF-NDA-Requests
csteipp created T136451: Add csteipp as volunteer with access to security tasks.
May 27 2016, 10:06 PM · WMF-NDA-Requests
csteipp added a comment to T130892: wikitech 2fa provisioning form does so without confirmation.

@dpatrick, sounds good

May 27 2016, 5:05 PM · MW-1.27-release (WMF-deploy-2016-04-12_(1.27.0-wmf.21)), Patch-For-Review, Security-Team, MediaWiki-extensions-OATHAuth, Labs, wikitech.wikimedia.org
csteipp added a comment to T119736: Could not find local user data for {Username}@{wiki}.

https://gerrit.wikimedia.org/r/#/c/289778/ with https://gerrit.wikimedia.org/r/#/c/289780/ fixes this particular case. I'll see if I can get those merged today.

May 27 2016, 3:52 PM · Collaboration-Team-Triage, MW-1.28-release (WMF-deploy-2016-07-19_(1.28.0-wmf.11)), User-notice, Notifications, MW-1.28-release-notes, MW-1.28-release (WMF-deploy-2016-06-28_(1.28.0-wmf.8)), MW-1.28-release (WMF-deploy-2016-07-05_(1.28.0-wmf.9)), MW-1.28-release (WMF-deploy-2016-07-12_(1.28.0-wmf.10)), Patch-For-Review, MW-1.27-release (WMF-deploy-2016-01-12_(1.27.0-wmf.10)), MediaWiki-extensions-CentralAuth, Wikimedia-General-or-Unknown, MediaWiki-User-login-and-signup

May 26 2016

csteipp added a comment to T136350: Move two-factor auth data (TOTP seed) from labswiki database to LDAP.

The only thing that makes me sad about this is that it would mean that wikitech remains an LDAPAuth wiki indefinitely, blocking my desire to convert it to part of the normal SUL wiki family when we have all of the OpenStack features migrated to Horizon or other related systems. (And yes, I know that LDAP is used for more than OpenStack.) I would personally be more excited about consolidating the validation in https://www.linotp.org or something similar.

May 26 2016, 10:02 PM · MediaWiki-extensions-OATHAuth, Labs
csteipp added a comment to T136350: Move two-factor auth data (TOTP seed) from labswiki database to LDAP.

If you want to use LDAP to store the secret, then MediaWiki's Ex:OATHAuth needs to be LDAP aware (or have hooks to let another extension swap out the secret). It's ugly, but doable.

May 26 2016, 8:00 PM · MediaWiki-extensions-OATHAuth, Labs
csteipp added a comment to T136269: QR code fails in Google Authenticator for accounts named with parentheses.

@dpatrick, you're using the iOS version of Google Authenticator, right? It's working fine for me as is, on Android. But using the updated JavaScript also works, so probably good to get that rolled out.

May 26 2016, 6:18 PM · MW-1.28-release (WMF-deploy-2016-06-07_(1.28.0-wmf.5)), MW-1.28-release (WMF-deploy-2016-05-24_(1.28.0-wmf.3)), Patch-For-Review, MediaWiki-extensions-OATHAuth

May 25 2016

csteipp added a comment to T131630: Tgr unable to login on Horizon.

On labswiki, the user table was created at a time when the collation wasn't explicitly set, so it's

May 25 2016, 8:38 PM · DBA, Labs, Horizon
csteipp added a comment to T136224: OATHAuth doing DB master queries on HTTP GET.

Ah, I see.

May 25 2016, 7:11 PM · MW-1.28-release (WMF-deploy-2016-06-07_(1.28.0-wmf.5)), Patch-For-Review, MediaWiki-extensions-OATHAuth, Availability
csteipp added a comment to T136224: OATHAuth doing DB master queries on HTTP GET.

@aaron, is there a way to see the actual request causing this? It must be for Special:OATH, but more details would be helpful.

May 25 2016, 7:04 PM · MW-1.28-release (WMF-deploy-2016-06-07_(1.28.0-wmf.5)), Patch-For-Review, MediaWiki-extensions-OATHAuth, Availability

May 24 2016

csteipp added a comment to T130748: Add Content-Security-Policy header enforcing 3rd party web interaction restrictions to proxy responses.

If you decide to go with the crypto cookie, I'd recommend using a JWT, with either an HS256 or ES256 signature. It's URL-safe encoded, so unlikely to get corrupted, and there are plenty of libraries out there so you don't have to try and get it right yourself.

May 24 2016, 3:23 PM · Labs
csteipp removed a member for Security: Springle.
May 24 2016, 2:45 PM

May 20 2016

csteipp updated subscribers of T120484: Create password-authentication service for use by CentralAuth.
May 20 2016, 10:43 PM · MediaWiki-Platform-Team, Services (blocked), Security-Team, MediaWiki-Authentication-and-authorization, MediaWiki-extensions-CentralAuth
csteipp added a comment to T135691: Kartographer tries to fetch groups that are not present on pages.

Thanks for fixing Max. I'll let Yurik or someone more familiar with the code review the patch.

May 20 2016, 8:25 PM · Discovery, Maps, Maps (Kartographer)

May 19 2016

csteipp added a comment to T129584: Security review of Romanian diacritics rendering reader assessment gadget.

We'll be using EventLogging for this feature after all. Is a security review still needed?

May 19 2016, 5:16 PM · I18n, Security-Other, Security-Reviews

May 18 2016

csteipp added a comment to T107605: Support two-factor authentication on CentralAuth wikis.

OATH has been rolled out to testwiki and test2wiki. Everything seems to be working as expected. Assuming no issues come up, I'll make it available on all wikis (to Staff global group only) tomorrow in SWAT.

May 18 2016, 6:58 PM · MediaWiki-extensions-CentralAuth, Security-Team
csteipp closed T130700: Create central OATHAuth table for CentralAuth wikis as "Resolved".
mysql:wikiadmin@db1041 [centralauth]> CREATE TABLE `oathauth_users` (
    ->   `id` int(11) NOT NULL,
    ->   `secret` varbinary(255) DEFAULT NULL,
    ->   `scratch_tokens` varbinary(511) DEFAULT NULL,
    ->   PRIMARY KEY (`id`)
    -> ) ENGINE=InnoDB DEFAULT CHARSET=binary;
Query OK, 0 rows affected (0.06 sec)
May 18 2016, 6:14 PM · Patch-For-Review, DBA, MediaWiki-extensions-CentralAuth, Security-Team
csteipp closed T130700: Create central OATHAuth table for CentralAuth wikis, a subtask of T107605: Support two-factor authentication on CentralAuth wikis, as "Resolved".
May 18 2016, 6:14 PM · MediaWiki-extensions-CentralAuth, Security-Team
csteipp closed T127114: Login throttle can be tricked using non-canonicalized usernames as "Resolved".

And after the SpecialUserlogin refactor with wmf2, had to patch LoginSignupSpecialPage.

May 18 2016, 12:16 AM · Security, Vuln-Authn/Session, Security-Core
csteipp closed T127114: Login throttle can be tricked using non-canonicalized usernames, a subtask of T124940: MediaWiki 1.26.3 security release, as "Resolved".
May 18 2016, 12:16 AM · Security-Team, Security

May 17 2016

csteipp added a comment to T135198: Security review for RevisionSlider extension.

@Tobi_WMDE_SW, we'll try to work it in, but since we didn't schedule it at the beginning of the quarter, we have a lot of other reviews already scheduled; we're fully booked between now and the end of the quarter. So unless an anticipated project isn't ready for review, it will likely be at the beginning of July.

May 17 2016, 3:17 PM · TCB-Team-Sprint-2016-05-19, TCB-Team-Sprint-2016-06-02, Revision-Slider, Community-Tech, TCB-Team, Security-Reviews
csteipp reopened T127114: Login throttle can be tricked using non-canonicalized usernames as "Open".

Reopening. I'll get the updated portion of the patch deployed.

May 17 2016, 12:46 AM · Security, Vuln-Authn/Session, Security-Core
csteipp reopened T127114: Login throttle can be tricked using non-canonicalized usernames, a subtask of T124940: MediaWiki 1.26.3 security release, as "Open".
May 17 2016, 12:46 AM · Security-Team, Security

May 16 2016

csteipp added a comment to T120484: Create password-authentication service for use by CentralAuth.

Pictures from our initial whiteboarding of the service, and some considerations for building it.

May 16 2016, 10:46 PM · MediaWiki-Platform-Team, Services (blocked), Security-Team, MediaWiki-Authentication-and-authorization, MediaWiki-extensions-CentralAuth
csteipp updated subscribers of T134719: Kartographer has an XSS using magic javascript __proto__ property in GeoJson description.

Yep, here's my patch:

May 16 2016, 9:48 PM · MW-1.28-release (WMF-deploy-2016-06-14_(1.28.0-wmf.6)), MW-1.28-release (WMF-deploy-2016-06-21_(1.28.0-wmf.7)), Interactive-Sprint, Discovery, Maps, Patch-For-Review, Vuln-XSS, JavaScript, Maps (Kartographer), Security
csteipp moved T129177: Security review of Hovercards before beta->default conversion from Backlog to Done on the Security-Team board.
May 16 2016, 5:06 PM · MW-1.28-release (WMF-deploy-2016-05-17_(1.28.0-wmf.2)), Reading-Web-Sprint-72-Ninety-nine-problems-but-Nirzar-aint-one, Reading-Web-Backlog, Reading-Web-Sprint-71-Matisse-Monet-Kandinsky-and-the-Departing-Painters, Reading-Web-Sprint-70-Lady-and-the-Trumps, Page-Previews, Security-Reviews, Security-Team

May 12 2016

csteipp closed T132929: Review TWL OAuth implementation as "Resolved".

Implementation using mwoauth looks good. It uses defaults for nearly all processing, which should be safe. It correctly uses the identify method to get the user's identity.

May 12 2016, 10:33 PM · Security-Team, Security-Reviews
csteipp closed T132929: Review TWL OAuth implementation, a subtask of T132934: Security review of TWL, as "Resolved".
May 12 2016, 10:33 PM · Security-Team, Security-Reviews
csteipp added a comment to T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block.

Edit page views are quite common because people click red links.

Do we have recent data on how starting sessions on edit view would impact cache hit rates?

IIRC, my first version of the Squid caching integration started sessions on edit view, and back then it didn't seem to be a performance issue.

May 12 2016, 9:14 PM · ArchCom-RfC, Security, Patch-For-Review, Security-General
csteipp created T135165: Frack (boron and bismuth) access for Darian Patrick.
May 12 2016, 7:15 PM · fundraising-tech-ops
csteipp added a comment to T130700: Create central OATHAuth table for CentralAuth wikis.

@jcrespo, it's on S7, centralauth database. The table will be 'oathauth_users'.

May 12 2016, 5:36 PM · Patch-For-Review, DBA, MediaWiki-extensions-CentralAuth, Security-Team
csteipp added a comment to T130700: Create central OATHAuth table for CentralAuth wikis.

I've scheduled time on May 18th to create the table, and enable the extension (only accessible to a few people).

May 12 2016, 5:04 PM · Patch-For-Review, DBA, MediaWiki-extensions-CentralAuth, Security-Team
greg awarded T124940: MediaWiki 1.26.3 security release a Barnstar token.
May 12 2016, 12:52 AM · Security-Team, Security

May 11 2016

csteipp created T135046: Whitelist labs instances that need XFF header passed through the web proxy.
May 11 2016, 8:45 PM · WMF-Legal, Privacy, Labs-Infrastructure, Labs
csteipp closed T129177: Security review of Hovercards before beta->default conversion, a subtask of T70860: [GOAL] Graduate Hovercards feature (Popups extension) out of Beta Feature, as "Resolved".
May 11 2016, 4:21 PM · Reading Epics (Page Previews), Goal, Community-Liaisons, Reading-Web-Backlog, Reading-Web-Sprint-70-Lady-and-the-Trumps, Reading-Web-Planning, Category, Reading-Community-Engagement, Epic, Reading-Admin, User-notice, Notice, Page-Previews, Beta-Feature, Wikimedia-Extension-setup
csteipp closed T129177: Security review of Hovercards before beta->default conversion as "Resolved".

Looks mostly good, a couple minor cleanups.

  • The CSS in article.createImgThumbnail is constructed as 'url(' + url + ')', but article.createThumbnail prevents \, ', and " in the url. So either createThumbnail should filter )'s, or createImgThumbnail should put the url into a quoted string.

May 11 2016, 4:21 PM · MW-1.28-release (WMF-deploy-2016-05-17_(1.28.0-wmf.2)), Reading-Web-Sprint-72-Ninety-nine-problems-but-Nirzar-aint-one, Reading-Web-Backlog, Reading-Web-Sprint-71-Matisse-Monet-Kandinsky-and-the-Departing-Painters, Reading-Web-Sprint-70-Lady-and-the-Trumps, Page-Previews, Security-Reviews, Security-Team
csteipp closed T129177: Security review of Hovercards before beta->default conversion, a subtask of T111231: [Story] Take page previews out of beta features on Wikidata, as "Resolved".
May 11 2016, 4:21 PM · Reading-Web-Backlog, Beta-Feature, Story, Page-Previews, MediaWiki-extensions-WikibaseRepository, Wikidata
csteipp closed T129177: Security review of Hovercards before beta->default conversion, a subtask of T132602: [GOAL] Roll Hovercards out on smaller wikipedia project, as "Resolved".
May 11 2016, 4:21 PM · Page-Previews, Goal, Reading-Web-Backlog, Reading-Web-Sprint-70-Lady-and-the-Trumps, Category, Reading-Community-Engagement, Epic, Reading-Admin, User-notice, Notice, Beta-Feature, Wikimedia-Extension-setup
csteipp added a comment to T134719: Kartographer has an XSS using magic javascript __proto__ property in GeoJson description.

Deployed by @MaxSem,

May 11 2016, 12:03 AM · MW-1.28-release (WMF-deploy-2016-06-14_(1.28.0-wmf.6)), MW-1.28-release (WMF-deploy-2016-06-21_(1.28.0-wmf.7)), Interactive-Sprint, Discovery, Maps, Patch-For-Review, Vuln-XSS, JavaScript, Maps (Kartographer), Security

May 10 2016

csteipp added a comment to T134719: Kartographer has an XSS using magic javascript __proto__ property in GeoJson description.

Both Brian and I looked at the patch, and it seemed like it should fix the immediate problem. Max is going to deploy it.

May 10 2016, 11:34 PM · MW-1.28-release (WMF-deploy-2016-06-14_(1.28.0-wmf.6)), MW-1.28-release (WMF-deploy-2016-06-21_(1.28.0-wmf.7)), Interactive-Sprint, Discovery, Maps, Patch-For-Review, Vuln-XSS, JavaScript, Maps (Kartographer), Security
csteipp renamed T131638: horizon accepts the same 2FA token as wikitech from "horizon accepts the same 2FA token aus wikitech" to "horizon accepts the same 2FA token as wikitech".
May 10 2016, 10:13 PM · Labs, Labs-Infrastructure, Security
csteipp added projects to T125177: api.log contains passwords in plaintext: Patch-For-Review, Reading-Infrastructure-Team.
May 10 2016, 10:05 PM · MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)), MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release-notes, Vuln-Infoleak, Reading-Infrastructure-Team, Patch-For-Review, Security, MediaWiki-API
csteipp added a comment to T132720: ApiHelp on api.php should set OutputPage::disallowUserJs.

Talked with the rest of the Security-Team, and we're not seeing a way this can be abused. Anyone object to making this public?

May 10 2016, 9:59 PM · Security-Team, MediaWiki-API
csteipp triaged T134699: Quarry: Query edit restriction is enforced in UI, not API as "Low" priority.
May 10 2016, 9:52 PM · Vuln-MissingAuthz, Quarry, Security
csteipp moved T134699: Quarry: Query edit restriction is enforced in UI, not API from Backlog to External (Non-WMF) Issues on the Security board.
May 10 2016, 9:51 PM · Vuln-MissingAuthz, Quarry, Security
csteipp triaged T134719: Kartographer has an XSS using magic javascript __proto__ property in GeoJson description as "High" priority.
May 10 2016, 9:34 PM · MW-1.28-release (WMF-deploy-2016-06-14_(1.28.0-wmf.6)), MW-1.28-release (WMF-deploy-2016-06-21_(1.28.0-wmf.7)), Interactive-Sprint, Discovery, Maps, Patch-For-Review, Vuln-XSS, JavaScript, Maps (Kartographer), Security
csteipp added a comment to T124940: MediaWiki 1.26.3 security release.

csteipp added a blocking task: T134863: Reflected XSS in GlobalGroupPermissions.

May 10 2016, 9:20 PM · Security-Team, Security
csteipp added a subtask for T124940: MediaWiki 1.26.3 security release: Unknown Object (Task).
May 10 2016, 9:20 PM · Security-Team, Security
csteipp added a comment to T134774: Array to string conversion in /srv/mediawiki/php-1.27.0-wmf.22/extensions/ZeroBanner/includes/ZeroSpecialPage.php on line 131.

Ok, I remembered why we used IM instead of GD: multiline text. @csteipp, can we quickly approve https://github.com/stil/gd-text? It seems like exactly the lib we need to switch away from ImageMagick-generated multiline text images.

May 10 2016, 8:53 PM · MW-1.28-release (WMF-deploy-2016-05-17_(1.28.0-wmf.2)), Patch-For-Review, Reading-Web-Sprint-72-Ninety-nine-problems-but-Nirzar-aint-one, ZeroBanner
csteipp added a comment to T133408: Security review of TemplateStyles.

Cool. At .5 kloc of php, should be a quick review.

May 10 2016, 4:00 PM · Patch-For-Review, Reading-Admin, Security-Reviews, TemplateStyles

May 9 2016

csteipp moved T125382: Ensure DOMPurify meets our SVG sanitization requirements for Graphs from Ready to Waiting on the Security-Team board.
May 9 2016, 6:22 PM · Services (blocked), Security-Team, User-mobrovac, Security-Reviews, Graphoid
csteipp moved T130892: wikitech 2fa provisioning form does so without confirmation from Backlog to Waiting on the Security-Team board.
May 9 2016, 6:22 PM · MW-1.27-release (WMF-deploy-2016-04-12_(1.27.0-wmf.21)), Patch-For-Review, Security-Team, MediaWiki-extensions-OATHAuth, Labs, wikitech.wikimedia.org
csteipp moved T130700: Create central OATHAuth table for CentralAuth wikis from Backlog to In Progress on the Security-Team board.
May 9 2016, 6:18 PM · Patch-For-Review, DBA, MediaWiki-extensions-CentralAuth, Security-Team
csteipp moved T124445: Design research support for two step authentication from Ready to In Progress on the Security-Team board.
May 9 2016, 6:18 PM · MediaWiki-extensions-OATHAuth, Security-Team
csteipp moved T124940: MediaWiki 1.26.3 security release from Epics in progress to In Progress on the Security-Team board.
May 9 2016, 6:17 PM · Security-Team, Security
csteipp added a comment to T133408: Security review of TemplateStyles.

@Jdforrester-WMF: What is next for this? Anything I can do to help things along?

May 9 2016, 5:49 PM · Patch-For-Review, Reading-Admin, Security-Reviews, TemplateStyles
csteipp added a comment to T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block.

Wouldn't the settings cookies kill caching anyway? Or is that rigged up to cache-vary on the specific cookie values without forcing things through to the backend? (E.g., if I'm an anon user with images disabled, beta on, and font size bumped up, are my pages still cached?) Or are we thinking of optimizing the case where someone clicks on settings and then never does anything with it?

May 9 2016, 4:54 PM · ArchCom-RfC, Security, Patch-For-Review, Security-General
csteipp added a comment to T134672: Set up Yubikey support in Phabricator.

This would add Yubi OTP to phabricator as a second factor (from skimming the code, if I'm missing something else, let me know).

May 9 2016, 4:07 PM · Phabricator, Operations
csteipp added a comment to T129584: Security review of Romanian diacritics rendering reader assessment gadget.

Thanks for the update. I've tentatively rescheduled for the week of May 30th. Let me know if it looks like it won't be ready by then.

May 9 2016, 2:49 PM · I18n, Security-Other, Security-Reviews

May 5 2016

csteipp added a comment to T124445: Design research support for two step authentication.

Darian has them written up, and I think he'll be passing them on today or tomorrow.

May 5 2016, 11:09 PM · MediaWiki-extensions-OATHAuth, Security-Team
csteipp added a comment to T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block.

We can potentially avoid session inflation by creating the session separately from creating the edit html (which would indeed allow session inflation if an attacker requests edit urls repeatedly without cookies enabled). For example, we could start the session from JavaScript on the edit page in a background request (AJAX).

May 5 2016, 10:19 PM · ArchCom-RfC, Security, Patch-For-Review, Security-General
csteipp added a comment to T134533: [betalabs] Regression: asynchronous update for cross-wiki notifications.

Was this made a security issue on purpose? I noticed the order of the "Create Task" dropdown in Phab changed yesterday, so I'm wondering if this was by accident...

May 5 2016, 9:51 PM · MW-1.28-release (WMF-deploy-2016-05-10_(1.28.0-wmf.1)), Regression, Patch-For-Review, Notifications, Collab-Team-2016-Apr-Jun-Q4
csteipp added a comment to T127114: Login throttle can be tricked using non-canonicalized usernames.

Line $username = User::getCanonicalName( $username, 'usable' ) ?: $username; should be backported.

May 5 2016, 9:07 PM · Security, Vuln-Authn/Session, Security-Core
csteipp added a comment to T124940: MediaWiki 1.26.3 security release.

I'll do the backports of T132874 today or tomorrow.

May 5 2016, 7:34 PM · Security-Team, Security
csteipp edited the description of T124940: MediaWiki 1.26.3 security release.
May 5 2016, 7:33 PM · Security-Team, Security
csteipp added a subtask for T124940: MediaWiki 1.26.3 security release: T132874: API action=move is not rate limited.
May 5 2016, 7:32 PM · Security-Team, Security
csteipp added a parent task for T132874: API action=move is not rate limited: T124940: MediaWiki 1.26.3 security release.
May 5 2016, 7:32 PM · Patch-For-Review, MediaWiki-API, Security
csteipp closed T132874: API action=move is not rate limited as "Resolved".

19:30 csteipp: deployed patch for T132874

May 5 2016, 7:31 PM · Patch-For-Review, MediaWiki-API, Security
csteipp added a comment to T129584: Security review of Romanian diacritics rendering reader assessment gadget.

@Jdforrester-WMF is this at the point where you want a review now?

May 5 2016, 7:07 PM · I18n, Security-Other, Security-Reviews
csteipp added a comment to T124940: MediaWiki 1.26.3 security release.

@MaxSem, are you able to do backports of the patch for T130947?

May 5 2016, 6:55 PM · Security-Team, Security
csteipp updated subscribers of T124940: MediaWiki 1.26.3 security release.

@dpatrick / @Bawolff / @MaxSem - All those patches are deployed now. Can you all make sure you have 'SECURITY: ' at the start of the commit summary? Makes it easier to see on the cluster what's been added on top of master when deploying, and probably good to be consistent when we push these into master.

May 5 2016, 6:54 PM · Security-Team, Security
csteipp closed T133507: Careless use of $wgExternalLinkTarget is insecure as "Resolved".

18:47 csteipp: deployed patch for T133507

May 5 2016, 6:48 PM · Patch-For-Review, Security
csteipp closed T133507: Careless use of $wgExternalLinkTarget is insecure, a subtask of T124940: MediaWiki 1.26.3 security release, as "Resolved".
May 5 2016, 6:48 PM · Security-Team, Security
csteipp added a comment to T133507: Careless use of $wgExternalLinkTarget is insecure.

New version based on csteipp's CR:
T133507-master

May 5 2016, 6:43 PM · Patch-For-Review, Security
csteipp closed T129506: MediaWiki:Gadget-popups.js isn't renderable as "Resolved".
May 5 2016, 6:26 PM · MW-1.29-release (WMF-deploy-2017-01-24_(1.29.0-wmf.9)), Patch-For-Review, Vuln-DoS, Security, Math, Wikimedia-General-or-Unknown
csteipp closed T129506: MediaWiki:Gadget-popups.js isn't renderable, a subtask of T124940: MediaWiki 1.26.3 security release, as "Resolved".
May 5 2016, 6:26 PM · Security-Team, Security
csteipp added a comment to T129506: MediaWiki:Gadget-popups.js isn't renderable.

Redeployed core patch (with define), and dependent Math patch.

May 5 2016, 6:26 PM · MW-1.29-release (WMF-deploy-2017-01-24_(1.29.0-wmf.9)), Patch-For-Review, Vuln-DoS, Security, Math, Wikimedia-General-or-Unknown
csteipp closed T130947: Diff generation should use PoolCounter as "Resolved".

Patch is now deployed.

May 5 2016, 6:24 PM · Patch-For-Review, Performance, MediaWiki-History-or-Diffs, MediaWiki-extensions-PoolCounter, Vuln-DoS, Security
csteipp closed T130947: Diff generation should use PoolCounter, a subtask of T124940: MediaWiki 1.26.3 security release, as "Resolved".
May 5 2016, 6:24 PM · Security-Team, Security
csteipp closed T122056: Old tokens are remaining valid within a new session as "Resolved".

This has been deployed for a while, and backports have been added for the tarball release.

May 5 2016, 6:03 PM · MW-1.28-release (WMF-deploy-2016-05-31_(1.28.0-wmf.4)), MW-1.28-release-notes, MW-1.28-release (WMF-deploy-2016-05-24_(1.28.0-wmf.3)), MW-1.27-release-notes, MW-1.28-release (WMF-deploy-2016-06-07_(1.28.0-wmf.5)), Patch-For-Review, Security, MediaWiki-General-or-Unknown
csteipp closed T122056: Old tokens are remaining valid within a new session, a subtask of T124940: MediaWiki 1.26.3 security release, as "Resolved".
May 5 2016, 6:03 PM · Security-Team, Security

May 3 2016

csteipp updated subscribers of T40417: MediaWiki's anonymous edit token leaves wiki installations (incl. Wikipedia) open to mass anonymous spam we can't block.
May 3 2016, 9:26 PM · ArchCom-RfC, Security, Patch-For-Review, Security-General
csteipp created T134313: redis-openvas on Bismuth is broken due to missing /var/run/redis.
May 3 2016, 8:20 PM · Security-Team
csteipp added a comment to T112792: Security review for cross-wiki aspects of Echo notifications.

@Catrope, really sorry this is late. I've looked through https://gerrit.wikimedia.org/r/#/c/284677 and it looks ok. I'm fine if your team pushes this today.

May 3 2016, 1:00 PM · Security-Reviews, Security-Team, Collaboration-Team-Triage, Notifications

Apr 28 2016

csteipp added a comment to T112792: Security review for cross-wiki aspects of Echo notifications.

@dpatrick, heads up, collaboration would like to merge gerrit 284677 before the branch cut next Tuesday. Ping me if you need help getting that finished!

Apr 28 2016, 1:47 AM · Security-Reviews, Security-Team, Collaboration-Team-Triage, Notifications
csteipp moved T112792: Security review for cross-wiki aspects of Echo notifications from Scheduled to In Progress on the Security-Reviews board.
Apr 28 2016, 1:45 AM · Security-Reviews, Security-Team, Collaboration-Team-Triage, Notifications
csteipp moved T129426: Security review of json-schema from Scheduled to In Progress on the Security-Reviews board.
Apr 28 2016, 1:45 AM · Security-Reviews, Security-Team
csteipp moved T129177: Security review of Hovercards before beta->default conversion from Scheduled to In Progress on the Security-Reviews board.
Apr 28 2016, 1:45 AM · MW-1.28-release (WMF-deploy-2016-05-17_(1.28.0-wmf.2)), Reading-Web-Sprint-72-Ninety-nine-problems-but-Nirzar-aint-one, Reading-Web-Backlog, Reading-Web-Sprint-71-Matisse-Monet-Kandinsky-and-the-Departing-Painters, Reading-Web-Sprint-70-Lady-and-the-Trumps, Page-Previews, Security-Reviews, Security-Team
csteipp moved T125382: Ensure DOMPurify meets our SVG sanitization requirements for Graphs from In Progress to Waiting/Blocked on the Security-Reviews board.
Apr 28 2016, 1:45 AM · Services (blocked), Security-Team, User-mobrovac, Security-Reviews, Graphoid
csteipp moved T115095: Security review of Newsletter extension from In Progress to Waiting/Blocked on the Security-Reviews board.
Apr 28 2016, 1:45 AM · Patch-For-Review, Security-Team, Wikimedia-Hackathon-2016, Security-Reviews, MediaWiki-extensions-Newsletter
csteipp added a comment to T129177: Security review of Hovercards before beta->default conversion.

Looks mostly good, a couple minor cleanups.

Apr 28 2016, 1:39 AM · MW-1.28-release (WMF-deploy-2016-05-17_(1.28.0-wmf.2)), Reading-Web-Sprint-72-Ninety-nine-problems-but-Nirzar-aint-one, Reading-Web-Backlog, Reading-Web-Sprint-71-Matisse-Monet-Kandinsky-and-the-Departing-Painters, Reading-Web-Sprint-70-Lady-and-the-Trumps, Page-Previews, Security-Reviews, Security-Team

Apr 27 2016

csteipp closed T120212: Security review of EventBus extension, a subtask of T114443: EventBus MVP, as "Resolved".
Apr 27 2016, 7:00 PM · RfC, Analytics, Operations, ArchCom-RfC, Wikidata-Query-Service, Service-Architecture, Services, MediaWiki-General-or-Unknown, Wikidata, Epic, Discovery, EventBus