dpatrick (Darian Anthony Patrick)Disabled
Disabled

Today

  • Clear sailing ahead.

Tomorrow

  • Clear sailing ahead.

Friday

  • Clear sailing ahead.

User Details

User Since
May 19 2015, 9:05 PM (169 w, 4 h)
Roles
Disabled
Availability
Available
IRC Nick
dapatrick
LDAP User
Unknown
MediaWiki User
DPatrick (WMF) [ Global Accounts ]

Recent Activity

Jun 11 2018

Gerrit Code Review <gerrit@wikimedia.org> committed rEEMA3f3a9e54d38c: Update patch set 1 (authored by dpatrick).
Update patch set 1
Jun 11 2018, 8:31 PM
Gerrit Code Review <gerrit@wikimedia.org> committed rEDAHbb0706614bc2: Update patch set 1 (authored by dpatrick).
Update patch set 1
Jun 11 2018, 3:42 AM

Dec 14 2017

dpatrick moved T144467: Security review for Google MT for Content Translation from Waiting/Blocked to In Progress on the Security-Reviews board.
Dec 14 2017, 7:39 PM · Language-2018-July-September, CX-deployments, Language-2017-Oct-Dec, Services (watching), Parsing-Team, Language-Q1-2016-17 Sprint 6, Language-Engineering July-September 2016, Security-Reviews, Security-Extensions

Dec 13 2017

dpatrick moved T182756: Gerrit DoS from MediaWiki/Security Team/To triage to Other WMF team on the Security board.
Dec 13 2017, 6:22 PM · Gerrit, Security
dpatrick moved T177765: Security review of mediawiki-services-chromium-render from Scheduled to In Progress on the Security-Reviews board.
Dec 13 2017, 5:34 PM · Services (watching), Security-Reviews
dpatrick moved T180021: Security review for extension Wikispeech from Backlog to Scheduled on the Security-Reviews board.
Dec 13 2017, 5:34 PM · Wikispeech-WMSE, Wikispeech, Security-Reviews
dpatrick created E794: Security review for the new mobileapps media endpoint.
Dec 13 2017, 5:22 PM · Security-Reviews
dpatrick created E793: Security review for extension Wikispeech.
Dec 13 2017, 5:21 PM · Security-Reviews

Dec 6 2017

dpatrick moved T182072: Upgrade OTRS to 5.0.25 or apply security patch manually from MediaWiki/Security Team/To triage to Operational issues on the Security board.
Dec 6 2017, 6:30 PM · Security, OTRS

Nov 28 2017

dpatrick added a comment to T162181: Should we add psy/psysh to wmf vendor repo for use on WMF servers?.

@dpatrick thanks for the detailed review! It is somewhat scary, yeah, but this is a command-line tool used by already trusted users so the attack surface will be very limited.

Out of curiosity, do you notify the maintainers of external projects in such cases? For smallish projects it might be helpful information to know that someone who does security for a job did a review.

Nov 28 2017, 1:01 AM · Security-Reviews, Patch-For-Review, Wikimedia-General-or-Unknown, MediaWiki-Vendor

Nov 22 2017

dpatrick moved T168264: Security review of vue.js library from Scheduled to Awaiting remediation on the Security-Reviews board.
Nov 22 2017, 6:42 PM · User-Addshore, JavaScript, Security-Reviews, Wikidata
dpatrick closed T148567: Restrict outgoing network connections from Electron render service as Resolved.

Just following up on some lingering security reviews. I know that this service has been deployed. Do we have appropriate firejail and iptables rules in place now to restrict egress?

The service cannot establish any connections outside of the production environment because it does not contact the production proxy, so any attempt to request an external resource will simply time out.

Nov 22 2017, 6:33 PM · Electron-PDFs, Services (blocked), Security-Reviews, User-mobrovac, Services-next, Operations
dpatrick closed T148567: Restrict outgoing network connections from Electron render service, a subtask of T142226: Productize the Electron PDF render service & create a REST API end point, as Resolved.
Nov 22 2017, 6:33 PM · User-Joe, Security-Reviews, Electron-PDFs, Services (blocked), User-mobrovac, Services-next, Operations
dpatrick moved T180896: Allow functionaries to reset second factor on low-risk accounts from MediaWiki/Security Team/To triage to Other WMF team on the Security board.
Nov 22 2017, 6:25 PM · WMF-Legal, Trust-and-Safety, Security, Security-Extensions, MediaWiki-extensions-OATHAuth
dpatrick triaged T181019: Consider using a single MediaWiki releases key instead of individual keys as Normal priority.

I like this idea, as Moritz laid it out above. I think this would make sense moving forward, and fits well with the release improvment project, as releases could be signed by the Jenkins instance.

Nov 22 2017, 6:18 PM · Security, MediaWiki-Releasing
dpatrick triaged T180615: https://www.mediawiki.org/keys/keys.html contains keys if people no longer doing releases. as High priority.
Nov 22 2017, 6:16 PM · Patch-For-Review, Security
dpatrick updated the task description for T180615: https://www.mediawiki.org/keys/keys.html contains keys if people no longer doing releases..
Nov 22 2017, 6:01 PM · Patch-For-Review, Security
dpatrick updated subscribers of T181034: Require email address to register on Beta Cluster.
Nov 22 2017, 5:58 PM · WMF-Legal, Privacy, Beta-Cluster-Infrastructure, Security
dpatrick moved T181127: Upgrade OTRS to 5.0.24 from Other WMF team to Operational issues on the Security board.
Nov 22 2017, 5:51 PM · Patch-For-Review, Security, Operations, OTRS
dpatrick moved T181127: Upgrade OTRS to 5.0.24 from MediaWiki/Security Team/To triage to Other WMF team on the Security board.
Nov 22 2017, 5:48 PM · Patch-For-Review, Security, Operations, OTRS
dpatrick added a member for Security: Addshore.
Nov 22 2017, 5:47 PM
dpatrick closed T180249: Security issue access for addshore as Resolved.

Approved!

Nov 22 2017, 5:46 PM · User-Addshore, Security
dpatrick added a comment to T168264: Security review of vue.js library.

Many apologies for the delay here. I reviewed this back in June, failed to add my notes, then re-reviewed last week due to code changes since the last time I looked at it. I found no issues while reviewing this library. I checked for the following:

  • XSS via unescaped input or failure to maintain escaping (via mustache interpolation, v-model, static data, etc.)
  • Resource consumption/DoS
  • Template expression injection at runtime from user-controlled data
Nov 22 2017, 5:33 PM · User-Addshore, JavaScript, Security-Reviews, Wikidata

Nov 21 2017

dpatrick added a comment to T148567: Restrict outgoing network connections from Electron render service.

Just following up on some lingering security reviews. I know that this service has been deployed. Do we have appropriate firejail and iptables rules in place now to restrict egress?

Nov 21 2017, 4:59 PM · Electron-PDFs, Services (blocked), Security-Reviews, User-mobrovac, Services-next, Operations
dpatrick closed T178077: Security review of Beautiful Soup as Resolved.

will you be using HTMLParser, or an external parser (lxml, html5lib, etc.)?

We'll be using the Python 3's default html.parser for now: https://github.com/kodchi/ppg/blob/master/src/process_toc.py#L26

Nov 21 2017, 4:56 PM · Readers-Web-Backlog (Tracking), Proton, Security-Reviews

Nov 14 2017

dpatrick added a comment to T178077: Security review of Beautiful Soup.
Nov 14 2017, 7:13 PM · Readers-Web-Backlog (Tracking), Proton, Security-Reviews

Nov 8 2017

dpatrick triaged T179609: Obtain CVE's for 1.27.4/1.29.2 security releases as Normal priority.
Nov 8 2017, 6:15 PM · Security
dpatrick moved T179700: Measure failed logins due to accounts being locked from MediaWiki/Security Team/To triage to Other WMF team on the Security board.
Nov 8 2017, 6:14 PM · User-MarcoAurelio, Anti-Harassment, MediaWiki-extensions-CentralAuth, Stewards-and-global-tools, Security
dpatrick triaged T180019: Various XSS issues in SocialProfile's TopUsers special pages and the <topusers> tag as High priority.
Nov 8 2017, 6:06 PM · Social-Tools, SocialProfile, Vuln-XSS, Security
dpatrick updated the task description for T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases.
Nov 8 2017, 5:58 PM · MW-1.28-release, MW-1.30-release, MW-1.29-release, MW-1.27-release, Security
dpatrick added a subtask for T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases: T125163: id attribute on headlines allow raw > [Possible issue in combination with language converter] (CVE-2017-8812).
Nov 8 2017, 5:53 PM · MW-1.28-release, MW-1.30-release, MW-1.29-release, MW-1.27-release, Security
dpatrick added a parent task for T125163: id attribute on headlines allow raw > [Possible issue in combination with language converter] (CVE-2017-8812): T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases.
Nov 8 2017, 5:53 PM · MW-1.29-release-notes, Patch-For-Review, MediaWiki-Language-converter, Security, Security-Team
dpatrick updated the task description for T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases.
Nov 8 2017, 5:51 PM · MW-1.28-release, MW-1.30-release, MW-1.29-release, MW-1.27-release, Security

Nov 1 2017

dpatrick added a subtask for T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases: T176247: It's possible to mangle HTML via raw message parameter expansion.
Nov 1 2017, 5:34 PM · MW-1.28-release, MW-1.30-release, MW-1.29-release, MW-1.27-release, Security
dpatrick added a parent task for T176247: It's possible to mangle HTML via raw message parameter expansion: T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases.
Nov 1 2017, 5:34 PM · MW-1.31-release-notes (WMF-deploy-2017-11-14 (1.31.0-wmf.8)), MW-1.29-release-notes, MW-1.30-release-notes, Patch-For-Review, Community-Tech, MW-1.31-release, MW-1.30-release, Vuln-XSS, MediaWiki-Parser, Security

Oct 31 2017

dpatrick closed T173014: Security review of pdfrw as Resolved.

This review is complete. Basic concerns such as system i/o (very limited) and shell execution (none) were found to be safe. Encryption implementation was not reviewed since we won't be using that portion of the code. My main concerns would lie with code execution or denial of service (a la https://github.com/pmaupin/pdfrw/issues/92) via malicious PDF input, however, the fact that this will run in a closed ecosystem (in which input originates only from a system we control) mitigates those concerns.

Oct 31 2017, 9:01 PM · Proton, Security-Reviews, Readers-Web-Backlog (Tracking)
dpatrick closed T173014: Security review of pdfrw, a subtask of T171832: Deploy new book renderer to all projects, as Resolved.
Oct 31 2017, 9:01 PM · Readers-Web-Backlog (Tracking), Wikimedia-Site-requests, Proton, Electron-PDFs
dpatrick added a comment to T173014: Security review of pdfrw.

I checked out the WIP ppg code in the description of T171960 and I'm wondering whether that will be invoked by the Node service (T177765), returning a ready-to-read PDF which has ToC, page numbers, etc., or will the Node service just render an article which will then be post-processed (adding ToC, page numbers, etc.) separately? I'm asking to ascertain whether the script which will use pdfrw will be firejailed. This question is not a blocker. I'm just curious.

Oct 31 2017, 8:14 PM · Proton, Security-Reviews, Readers-Web-Backlog (Tracking)
dpatrick created E769: Security review of Beautiful Soup.
Oct 31 2017, 8:05 PM · Security-Reviews
dpatrick changed the end date for E767: Security review of mediawiki-services-chromium-render from Nov 3 2017 to Nov 10 2017.
Oct 31 2017, 8:03 PM · Security-Reviews
dpatrick moved T177210: Security review of Marvin from Backlog to Scheduled on the Security-Reviews board.
Oct 31 2017, 7:20 PM · Security-Reviews, Marvin
dpatrick moved T177765: Security review of mediawiki-services-chromium-render from Backlog to Scheduled on the Security-Reviews board.
Oct 31 2017, 7:20 PM · Services (watching), Security-Reviews
dpatrick created E768: Security review of Marvin.
Oct 31 2017, 7:20 PM · Security-Reviews
dpatrick created E767: Security review of mediawiki-services-chromium-render.
Oct 31 2017, 7:19 PM · Security-Reviews

Oct 25 2017

dpatrick added a comment to T174388: LoginNotify should inform users of the IP address of failed login attempts to their account.

Approved by Legal.

Oct 25 2017, 9:46 PM · Patch-For-Review, Notifications, Collaboration-Team-Triage, User-Huji, Community-Tech, Privacy, WMF-Legal, MediaWiki-extensions-LoginNotify
dpatrick triaged T178723: OngletGoogle gadget looks suspicious as High priority.
Oct 25 2017, 5:12 PM · Wikimedia-General-or-Unknown, JavaScript, Vuln-XSS, Security
dpatrick added a project to T178787: CreateRedirect extension vulnerable to CSRF: Vuln-CSRF.
Oct 25 2017, 5:11 PM · Vuln-CSRF, MediaWiki-extensions-Other, Security
dpatrick triaged T178787: CreateRedirect extension vulnerable to CSRF as High priority.
Oct 25 2017, 5:07 PM · Vuln-CSRF, MediaWiki-extensions-Other, Security

Oct 18 2017

dpatrick triaged T178451: XSS when $wgShowExceptionDetails=false and browser sends non-standard url escaping as Normal priority.
Oct 18 2017, 5:19 PM · MW-1.31-release-notes (WMF-deploy-2017-11-14 (1.31.0-wmf.8)), MW-1.29-release-notes, MW-1.30-release-notes, Patch-For-Review, Vuln-XSS, Security

Oct 12 2017

dpatrick triaged T177997: WikiImporter::notice echoing of unescaped values is a dangerous api as Normal priority.
Oct 12 2017, 4:20 PM · MW-1.31-release-notes (WMF-deploy-2018-01-02 (1.31.0-wmf.15)), Patch-For-Review, Google-Code-in-2017, Easy, Security-Core, Security, MediaWiki-Export-or-Import
dpatrick moved T178010: missing character equivalencies: ÈÉÊẼÌÍÏÓÒÔÕ∅Q̃ÚŰÜŨ from MediaWiki/Security Team/To triage to Other WMF team on the Security board.
Oct 12 2017, 4:15 PM · Equivset, Security, AntiSpoof
dpatrick added a comment to T177765: Security review of mediawiki-services-chromium-render.

@phuedx, do you mind updating the description to note why Electron needs to be replaced and what problems have been observed? Thanks!

Oct 12 2017, 3:29 PM · Services (watching), Security-Reviews
dpatrick moved T176533: Re-enable stacktraces on Wikimedia wikis ($wgShowExceptionDetails = true); from Backlog to In Progress on the Security-Reviews board.
Oct 12 2017, 3:22 PM · Security-Reviews, Wikimedia-Site-requests
dpatrick added a comment to T176533: Re-enable stacktraces on Wikimedia wikis ($wgShowExceptionDetails = true);.

Displaying stacktraces/detailed error messages is generally considered an insecure deployment pattern in web application security. I think I understand the logic for wanting to do so, however I don't support it, despite our redaction of arguments. My concern is that that redaction may somehow fail in a critical way, resulting in unintentional exposure of data beyond that which can be gathered by nature of the openness of our project.

Oct 12 2017, 3:19 PM · Security-Reviews, Wikimedia-Site-requests
dpatrick moved T160982: Security review for FileImporter extension from Backlog to Scheduled on the Security-Reviews board.
Oct 12 2017, 3:10 PM · Move-Files-To-Commons, TCB-Team, User-Addshore, WMDE-QWERTY-Team, Security-Reviews
dpatrick moved T149424: Security review the Extension:WikipediaExtracts from Backlog to Scheduled on the Security-Reviews board.
Oct 12 2017, 3:09 PM · MediaWiki-extensions-WikipediaExtracts, Security-Reviews
dpatrick moved T173014: Security review of pdfrw from Backlog to Scheduled on the Security-Reviews board.
Oct 12 2017, 3:09 PM · Proton, Security-Reviews, Readers-Web-Backlog (Tracking)
dpatrick created E755: Security review new version of the Vega lib.
Oct 12 2017, 3:09 PM · Security-Reviews
dpatrick created E754: Security review of Extension:WikipediaExtracts.
Oct 12 2017, 3:07 PM · Security-Reviews
dpatrick created E753: Security review for FileImporter extension.
Oct 12 2017, 3:05 PM · Security-Reviews
dpatrick updated the event description for E752: Security review of pdfrw.
Oct 12 2017, 3:04 PM · Security-Reviews
dpatrick added a comment to T173014: Security review of pdfrw.

In addition to pdfrw, it's looking increasingly likely that we're going to have to use BeautifulSoup for easy DOM querying and manipulation. At this time we won't be using any external parsers such as lxml, but we'll use Python's built in html.parser. Should I create a new task for this? Not sure if any past projects have used this library before, but ORES or Wikimetrics don't seem to use it.

Oct 12 2017, 3:03 PM · Proton, Security-Reviews, Readers-Web-Backlog (Tracking)
dpatrick created E752: Security review of pdfrw.
Oct 12 2017, 3:01 PM · Security-Reviews

Oct 4 2017

dpatrick closed T177355: #Security access for MusikAnimal as Resolved.

Discussed on 2017-10-04 and approved.

Oct 4 2017, 5:08 PM · Security
dpatrick added a member for Security: MusikAnimal.
Oct 4 2017, 5:08 PM
dpatrick closed T177351: #Security access for samwilson as Resolved.

Discussed on 2017-10-04 and approved.

Oct 4 2017, 5:08 PM · Security
dpatrick added a member for Security: Samwilson.
Oct 4 2017, 5:08 PM

Sep 29 2017

dpatrick awarded T98831: Honor DNT header for access logs & varnish logs a Like token.
Sep 29 2017, 10:22 PM · WMF-Legal, Analytics, Operations, Privacy

Sep 28 2017

dpatrick triaged T176554: Enable 2FA for eliminators as Normal priority.
Sep 28 2017, 5:15 PM · User-Ladsgroup, MediaWiki-extensions-OATHAuth, Wikimedia-Site-requests, Security

Sep 20 2017

dpatrick changed the end date for E742: Security review of wikiba.se from Sep 29 2017 to Sep 22 2017.
Sep 20 2017, 5:51 PM · Security-Reviews
dpatrick created E742: Security review of wikiba.se.
Sep 20 2017, 5:50 PM · Security-Reviews
dpatrick moved T171274: Security review of wikiba.se from Backlog to Scheduled on the Security-Reviews board.
Sep 20 2017, 5:45 PM · Security-Reviews, Wikidata
dpatrick added a comment to T174126: Security review for the ReadingLists extension.

@dpatrick is this on your radar?

Please see my previous comment, just trying to get this in before end of quarter. Thanks!

Sep 20 2017, 5:43 PM · Reading-Infrastructure-Team-Backlog (Kanban), Wikipedia-Android-App-Backlog, Security-Reviews, Reading List Service
dpatrick updated the invite list for E741: Security review for the ReadingLists extension, invited: Bawolff; uninvited: Reedy.
Sep 20 2017, 5:37 PM · Security-Reviews
dpatrick created E741: Security review for the ReadingLists extension.
Sep 20 2017, 5:35 PM · Security-Reviews

Sep 6 2017

dpatrick changed the status of T174068: Password blacklist not consistently enforced from Stalled to Open.
Sep 6 2017, 4:25 PM · Security, Wikimedia-General-or-Unknown

Aug 31 2017

dpatrick added a member for Security: K4-713.
Aug 31 2017, 6:48 PM
dpatrick closed T174489: Security Issue Access Request for K4-713 as Resolved.

@dpatrick : Yes, I'm using google authenticator.

Aug 31 2017, 6:48 PM · Security

Aug 30 2017

dpatrick removed a project from T174413: Set $wgScoreSafeMode to false: Security.
Aug 30 2017, 5:14 PM · Patch-For-Review, Wikimedia-Site-requests, MediaWiki-extensions-Score
dpatrick removed a project from T174553: Create a mechanism that allows fetching geolocation and subnet data for IP addresses: Security.
Aug 30 2017, 5:10 PM · Patch-For-Review, User-Huji, MediaWiki-extension-requests, Stewards-and-global-tools, MediaWiki-extensions-LoginNotify, CheckUser
dpatrick added a member for Security: Niharika.
Aug 30 2017, 5:01 PM
dpatrick closed T173856: #Security access for Niharika as Resolved.

Approved.

Aug 30 2017, 5:00 PM · Security, WMF-NDA-Requests
dpatrick added a comment to T174489: Security Issue Access Request for K4-713.

@K4-713, you will need to have two factor enabled for Phabricator. Can you verify that it is enabled?

Aug 30 2017, 5:00 PM · Security

Aug 25 2017

dpatrick added a comment to T173619: Security review for ArticleCreationWorkflow extension branch master.

@kaldari, I spoke with @Reedy and put this on the schedule for the week of 8/28. Sam's already started working on it.

Aug 25 2017, 7:52 PM · Community-Tech, MediaWiki-extensions-ArticleCreationWorkflow, Security-Reviews
dpatrick created E689: Security review for ArticleCreationWorkflow extension branch master.
Aug 25 2017, 7:51 PM · Security-Reviews
dpatrick assigned T173619: Security review for ArticleCreationWorkflow extension branch master to Reedy.
Aug 25 2017, 6:34 PM · Community-Tech, MediaWiki-extensions-ArticleCreationWorkflow, Security-Reviews

Aug 17 2017

dpatrick awarded T172584: Securing external binaries run by MediaWiki a Like token.
Aug 17 2017, 6:20 PM · MediaWiki-Shell, Operations, Wikimedia-General-or-Unknown, Security
dpatrick triaged T172584: Securing external binaries run by MediaWiki as Normal priority.
Aug 17 2017, 6:13 PM · MediaWiki-Shell, Operations, Wikimedia-General-or-Unknown, Security
dpatrick awarded T173370: Support restricted execution of external commands (via firejail) a Like token.
Aug 17 2017, 5:59 PM · MediaWiki-Shell, MW-1.31-release-notes (WMF-deploy-2017-11-28 (1.31.0-wmf.10)), Patch-For-Review, MediaWiki-Platform-Team (MWPT-Q2-Oct-Dec-2017), Security-Team
dpatrick moved T172650: "last" command on WMF Labs/Tools allows users to view IPs of other toolforge users from MediaWiki/Security Team/To triage to Other WMF team on the Security board.
Aug 17 2017, 5:58 PM · User-bd808, Privacy, cloud-services-team (Kanban), Cloud-Services, Security
dpatrick added a comment to T172650: "last" command on WMF Labs/Tools allows users to view IPs of other toolforge users.

FWIW, I support stating clearly at sign-up time that origin IP addresses are not private when using labs/toolforge. I don't believe we have the resources to fully lockdown all mechanisms of accessing this information, as @bd808 mentions above.

Aug 17 2017, 5:57 PM · User-bd808, Privacy, cloud-services-team (Kanban), Cloud-Services, Security
dpatrick awarded T173475: Echo Notification Mute (Block List) can be bypassed by changing username a Orange Medal token.
Aug 17 2017, 5:47 PM · MW-1.31-release-notes (WMF-deploy-2017-10-03 (1.31.0-wmf.2)), Anti-Harassment (AHT Sprint 6), Patch-For-Review, Security, Collaboration-Team-Triage, Notifications
dpatrick triaged T173475: Echo Notification Mute (Block List) can be bypassed by changing username as Normal priority.
Aug 17 2017, 5:46 PM · MW-1.31-release-notes (WMF-deploy-2017-10-03 (1.31.0-wmf.2)), Anti-Harassment (AHT Sprint 6), Patch-For-Review, Security, Collaboration-Team-Triage, Notifications
dpatrick updated subscribers of T171987: CentralNotice: Sanitize data for adding a campaign, changing campaign settings, and displaying info about campaigns.
Aug 17 2017, 5:32 PM · Fundraising Sprint Fhabricator is spelled with an "F", Fundraising Sprint Elevators were never intended to go down, Fundraising Sprint Dinosaur Cookies co-existed with Gingerbread People, Fundraising Sprint Cottage Cheese isn't Made of Cottages, Fundraising Sprint Winter Wanderland, Vuln-XSS, Fundraising-Backlog, MediaWiki-extensions-CentralNotice, Security
dpatrick added a comment to T171987: CentralNotice: Sanitize data for adding a campaign, changing campaign settings, and displaying info about campaigns.

@DStrine, can mitigation work for this issue be added to the workboard for @AndyRussG and @awight?

Aug 17 2017, 5:29 PM · Fundraising Sprint Fhabricator is spelled with an "F", Fundraising Sprint Elevators were never intended to go down, Fundraising Sprint Dinosaur Cookies co-existed with Gingerbread People, Fundraising Sprint Cottage Cheese isn't Made of Cottages, Fundraising Sprint Winter Wanderland, Vuln-XSS, Fundraising-Backlog, MediaWiki-extensions-CentralNotice, Security
dpatrick awarded T171987: CentralNotice: Sanitize data for adding a campaign, changing campaign settings, and displaying info about campaigns a Orange Medal token.
Aug 17 2017, 5:26 PM · Fundraising Sprint Fhabricator is spelled with an "F", Fundraising Sprint Elevators were never intended to go down, Fundraising Sprint Dinosaur Cookies co-existed with Gingerbread People, Fundraising Sprint Cottage Cheese isn't Made of Cottages, Fundraising Sprint Winter Wanderland, Vuln-XSS, Fundraising-Backlog, MediaWiki-extensions-CentralNotice, Security
dpatrick added a member for Security: Kbrown.
Aug 17 2017, 5:21 PM
dpatrick closed T171430: Security Issue Access Request for Kbrown as Resolved.

Sorry for the delay @Jalexander. The team discussed and approved this weeks ago, but I forgot say son on the ticket. Approved!

Aug 17 2017, 5:20 PM · Security

Jul 26 2017

dpatrick removed a project from T171200: Add a configuration option to make email mandatory during account creation: Security.
Jul 26 2017, 5:08 PM · MediaWiki-Authentication-and-authorization
dpatrick added a comment to T171430: Security Issue Access Request for Kbrown.

Hi all. @Jalexander, @Kbrown can you confirm than Karen has completed either an employee or volunteer NDA?

Jul 26 2017, 4:58 PM · Security