Thu, Aug 17
FWIW, I support stating clearly at sign-up time that origin IP addresses are not private when using labs/toolforge. I don't believe we have the resources to fully lockdown all mechanisms of accessing this information, as @bd808 mentions above.
Sorry for the delay @Jalexander. The team discussed and approved this weeks ago, but I forgot to say so on the ticket. Approved!
Wed, Jul 26
Jul 19 2017
Jul 12 2017
Jul 11 2017
No qualms from me. I'm okay with OAuth on foundationwiki.
My apologies for the delay on this. In my review I focused on verifying safe interaction with the environment, safe shell invocation, resource consumption, php-parser not accidentally invoking code around the AST construction process, and appropriate remediation of any previously reported security vulnerabilities. I did not find any issues nor did I uncover any malcode (however, there is a huge amount of code here).
@schana, I'm scheduling this to start this week and be completed within two weeks.
Jun 13 2017
Since this hasn't been deployed, this can be committed now, correct?
Jun 6 2017
May 25 2017
This has been on the #Security-Review backlog for a long time. Is this review still needed?
May 11 2017
May 8 2017
May 2 2017
No qualms from us. Please proceed at your convenience.
@MaxSem, you can go ahead and release and open this bug. I have no further comments. The fix looks good.
Apr 27 2017
Thanks for the heads up @MoritzMuehlenhoff. While we're at it, I think it makes sense to set both pertinent PdfHandler config items to be firejailed:
- PdfPostProcessor - /usr/local/bin/mediawiki-firejail-convert ($wgImageMagickConvertCommand)
- PdfProcessor - /usr/local/bin/mediawiki-firejail-ghostscript
I'm speaking in terms of the second patch above, to JsonConfig, where a dependency on Kartographer\SimpleStyleParser is introduced in includes/JCMapDataContent.php. The fix looks good, but do we need to notify users of this new coupling, or was it already assumed and understood that anyone using JsonConfig would also be using Kartographer? The docs at https://www.mediawiki.org/wiki/Extension:JsonConfig make it seem like it's a general purpose tool.
It looks like JsonConfig now cannot be used separately from Kartographer. Is this just temporary @MaxSem?
Apr 25 2017
This seems to be a non-Security issue, and one which is best handled by another team, so I'm untagging the Security project.
Approved. Thanks for your patience!
Apr 12 2017
@tstarling Thanks Tim.
@JMinor, no issues found. Thanks for submitting this for review.
Apr 10 2017
This has been deployed:
Apr 5 2017
Mar 29 2017
Mar 28 2017
Mar 24 2017
Created retroactively to capture content of e-mail response from @tstarling.
Mar 22 2017
@kaldari, can you update the description of this ticket and add the info requested at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_reviews#Requesting_a_review? Once that's done, I'll get this scheduled.
Mar 21 2017
@JMinor, I just rescheduled this for this week and next. I'll contact you off-Phab to schedule a review commencement meeting.
@Lydia_Pintscher, can you give us an update on this ticket?
@Legoktm, @MarcoAurelio can you give an update on the status of the extension? Is it ready to review now? If not, I say we close this ticket as invalid and create another at a later date should the module prove ready for review and likely to be deployed.
@Lydia_Pintscher, can you update the description of this ticket with the information requested at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_reviews#Requesting_a_review? Thanks!
Feb 28 2017
Approved! Thanks for all of your attentiveness thus far, and we're glad to have in Security.
Feb 24 2017
I've reviewed both content and technical implementation of the 2016 Annual Report and found no major security problems. Here are a few notes on minor things:
- "amoritization" on 2016/financials.html may be misspelled
- In the video at the bottom of 2016/what-we-stand-for.html, at approx. 1:21, is it okay to show the list of users who have visited the office?
- Use of Katherine and Jimmy's signatures may be useful in instances an attacker requires a signature on a physical form as part of a further attack. (I say this realizing that we've probably published Katherine and Jimmy's signatures before.)
- X-Frame-Options header is not set on live site (https://annual.wikimedia.org/2016/)