dpatrick (Darian Anthony Patrick)
User

User Details

User Since
May 19 2015, 9:05 PM (126 w, 19 h)
Availability
Busy at E752: Security review of pdfrw until Oct 21.
LDAP User
Unknown
MediaWiki User
DPatrick (WMF)

Recent Activity

Thu, Oct 12

dpatrick triaged T177997: WikiImporter::notice echoing of unescaped values is a dangerous api as Normal priority.
Thu, Oct 12, 4:20 PM · Easy, Security-Core, Security, MediaWiki-Export-or-Import
dpatrick moved T178010: missing character equivalencies: ÈÉÊẼÌÍÏÓÒÔÕ∅Q̃ÚŰÜŨ from Backlog to Other WMF team on the Security board.
Thu, Oct 12, 4:15 PM · Anti-Harassment, Security, AntiSpoof
dpatrick added a comment to T177765: Security review of mediawiki-services-chromium-render.

@phuedx, do you mind updating the description to note why Electron needs to be replaced and what problems have been observed? Thanks!

Thu, Oct 12, 3:29 PM · Services (watching), Security-Reviews
dpatrick moved T176533: Re-enable stacktraces on Wikimedia wikis ($wgShowExceptionDetails = true); from Backlog to In Progress on the Security-Reviews board.
Thu, Oct 12, 3:22 PM · Security-Reviews, Wikimedia-Site-requests
dpatrick added a comment to T176533: Re-enable stacktraces on Wikimedia wikis ($wgShowExceptionDetails = true);.

Displaying stacktraces/detailed error messages is generally considered an insecure deployment pattern in web application security. I think I understand the logic for wanting to do so, however I don't support it, despite our redaction of arguments. My concern is that that redaction may somehow fail in a critical way, resulting in unintentional exposure of data beyond that which can be gathered by nature of the openness of our project.

Thu, Oct 12, 3:19 PM · Security-Reviews, Wikimedia-Site-requests
dpatrick moved T160982: Security review for FileImporter extension from Backlog to Scheduled on the Security-Reviews board.
Thu, Oct 12, 3:10 PM · Move-Files-To-Commons, TCB-Team, User-Addshore, WMDE-QWERTY-Team-Board, Security-Reviews
dpatrick moved T149424: Security review the Extension:WikipediaExtracts from Backlog to Scheduled on the Security-Reviews board.
Thu, Oct 12, 3:09 PM · MediaWiki-extensions-WikipediaExtracts, Security-Reviews
dpatrick moved T173014: Security review of pdfrw from Backlog to Scheduled on the Security-Reviews board.
Thu, Oct 12, 3:09 PM · Proton, Security-Reviews, Readers-Web-Backlog (Tracking)
dpatrick created E755: Security review new version of the Vega lib.
Thu, Oct 12, 3:09 PM · Security-Reviews
dpatrick created E754: Security review of Extension:WikipediaExtracts.
Thu, Oct 12, 3:07 PM · Security-Reviews
dpatrick created E753: Security review for FileImporter extension.
Thu, Oct 12, 3:05 PM · Security-Reviews
dpatrick updated the event description for E752: Security review of pdfrw.
Thu, Oct 12, 3:04 PM · Security-Reviews
dpatrick added a comment to T173014: Security review of pdfrw.

In addition to pdfrw, it's looking increasingly likely that we're going to have to use BeautifulSoup for easy DOM querying and manipulation. At this time we won't be using any external parsers such as lxml, but we'll use Python's built in html.parser. Should I create a new task for this? Not sure if any past projects have used this library before, but ORES or Wikimetrics don't seem to use it.

Thu, Oct 12, 3:03 PM · Proton, Security-Reviews, Readers-Web-Backlog (Tracking)
dpatrick created E752: Security review of pdfrw.
Thu, Oct 12, 3:01 PM · Security-Reviews

Wed, Oct 4

dpatrick closed T177355: #Security access for MusikAnimal as Resolved.

Discussed on 2017-10-04 and approved.

Wed, Oct 4, 5:08 PM · Security
dpatrick added a member for Security: MusikAnimal.
Wed, Oct 4, 5:08 PM
dpatrick closed T177351: #Security access for samwilson as Resolved.

Discussed on 2017-10-04 and approved.

Wed, Oct 4, 5:08 PM · Security
dpatrick added a member for Security: Samwilson.
Wed, Oct 4, 5:08 PM

Fri, Sep 29

dpatrick awarded T98831: Honor DNT header for access logs & varnish logs a Like token.
Fri, Sep 29, 10:22 PM · WMF-Legal, Analytics, Operations, Privacy

Thu, Sep 28

dpatrick triaged T176554: Enable 2FA for eliminators as Normal priority.
Thu, Sep 28, 5:15 PM · User-Ladsgroup, MediaWiki-extensions-OATHAuth, Wikimedia-Site-requests, Security
dpatrick moved T176867: Article suppression should remove the page name from all logs as well from Backlog to Other WMF team on the Security board.
Thu, Sep 28, 5:02 PM · Anti-Harassment, Stewards-and-global-tools, MediaWiki-Revision-deletion, Vuln-Infoleak, Security-Core, Security

Wed, Sep 20

dpatrick changed the end date for E742: Security review of wikiba.se from Fri, Sep 29 to Fri, Sep 22.
Wed, Sep 20, 5:51 PM · Security-Reviews
dpatrick created E742: Security review of wikiba.se.
Wed, Sep 20, 5:50 PM · Security-Reviews
dpatrick moved T171274: Security review of wikiba.se from Backlog to Scheduled on the Security-Reviews board.
Wed, Sep 20, 5:45 PM · Security-Reviews, Wikidata
dpatrick added a comment to T174126: Security review for the ReadingLists extension.

@dpatrick is this on your radar?

Please see my previous comment, just trying to get this in before end of quarter. Thanks!

Wed, Sep 20, 5:43 PM · Reading-Infrastructure-Team-Backlog (Kanban), Wikipedia-Android-App-Backlog, Security-Reviews, Reading List Service
dpatrick updated the invite list for E741: Security review for the ReadingLists extension, invited: Bawolff; uninvited: Reedy.
Wed, Sep 20, 5:37 PM · Security-Reviews
dpatrick created E741: Security review for the ReadingLists extension.
Wed, Sep 20, 5:35 PM · Security-Reviews

Sep 6 2017

dpatrick changed the status of T174068: Password blacklist not consistently enforced from Stalled to Open.
Sep 6 2017, 4:25 PM · Security, Wikimedia-General-or-Unknown

Aug 31 2017

dpatrick added a member for Security: K4-713.
Aug 31 2017, 6:48 PM
dpatrick closed T174489: Security Issue Access Request for K4-713 as Resolved.

@dpatrick : Yes, I'm using google authenticator.

Aug 31 2017, 6:48 PM · Security

Aug 30 2017

dpatrick removed a project from T174413: Set $wgScoreSafeMode to false: Security.
Aug 30 2017, 5:14 PM · Patch-For-Review, Wikimedia-Site-requests, MediaWiki-extensions-Score
dpatrick removed a project from T174553: Create an extension that allows fetching geolocation and subnet data for IP addresses: Security.
Aug 30 2017, 5:10 PM · MediaWiki-extension-requests, Stewards-and-global-tools, MediaWiki-extensions-LoginNotify, CheckUser
dpatrick added a member for Security: Niharika.
Aug 30 2017, 5:01 PM
dpatrick closed T173856: #Security access for Niharika as Resolved.

Approved.

Aug 30 2017, 5:00 PM · Security, WMF-NDA-Requests
dpatrick added a comment to T174489: Security Issue Access Request for K4-713.

@K4-713, you will need to have two factor enabled for Phabricator. Can you verify that it is enabled?

Aug 30 2017, 5:00 PM · Security

Aug 25 2017

dpatrick added a comment to T173619: Security review for ArticleCreationWorkflow extension branch master.

@kaldari, I spoke with @Reedy and put this on the schedule for the week of 8/28. Sam's already started working on it.

Aug 25 2017, 7:52 PM · Community-Tech, MediaWiki-extensions-ArticleCreationWorkflow, Security-Reviews
dpatrick created E689: Security review for ArticleCreationWorkflow extension branch master.
Aug 25 2017, 7:51 PM · Security-Reviews
dpatrick assigned T173619: Security review for ArticleCreationWorkflow extension branch master to Reedy.
Aug 25 2017, 6:34 PM · Community-Tech, MediaWiki-extensions-ArticleCreationWorkflow, Security-Reviews

Aug 17 2017

dpatrick awarded T173370: Support restricted execution of external commands (via firejail) a Like token.
Aug 17 2017, 5:59 PM · Patch-For-Review, MediaWiki-Platform-Team (MWPT-Q2-Oct-Dec-2017), Security-Team, MediaWiki-General-or-Unknown
dpatrick moved T172650: "last" command on WMF Labs/Tools allows users to view IPs of other toolforge users from Backlog to Other WMF team on the Security board.
Aug 17 2017, 5:58 PM · User-bd808, Privacy, cloud-services-team (Kanban), Cloud-Services, Security
dpatrick added a comment to T172650: "last" command on WMF Labs/Tools allows users to view IPs of other toolforge users.

FWIW, I support stating clearly at sign-up time that origin IP addresses are not private when using labs/toolforge. I don't believe we have the resources to fully lockdown all mechanisms of accessing this information, as @bd808 mentions above.

Aug 17 2017, 5:57 PM · User-bd808, Privacy, cloud-services-team (Kanban), Cloud-Services, Security
dpatrick awarded T173475: Echo Notification Mute (Block List) can be bypassed by changing username an Orange Medal token.
Aug 17 2017, 5:47 PM · MW-1.31-release-notes (WMF-deploy-2017-10-03 (1.31.0-wmf.2)), Anti-Harassment (AHT Sprint 6), Patch-For-Review, Security, Collaboration-Team-Triage, Notifications
dpatrick triaged T173475: Echo Notification Mute (Block List) can be bypassed by changing username as Normal priority.
Aug 17 2017, 5:46 PM · MW-1.31-release-notes (WMF-deploy-2017-10-03 (1.31.0-wmf.2)), Anti-Harassment (AHT Sprint 6), Patch-For-Review, Security, Collaboration-Team-Triage, Notifications
dpatrick added a member for Security: Kbrown.
Aug 17 2017, 5:21 PM
dpatrick closed T171430: Security Issue Access Request for Kbrown as Resolved.

Sorry for the delay @Jalexander. The team discussed and approved this weeks ago, but I forgot to say so on the ticket. Approved!

Aug 17 2017, 5:20 PM · Security

Jul 26 2017

dpatrick removed a project from T171200: Add a configuration option to make email mandatory during account creation: Security.
Jul 26 2017, 5:08 PM · MediaWiki-Authentication-and-authorization
dpatrick added a comment to T171430: Security Issue Access Request for Kbrown.

Hi all. @Jalexander, @Kbrown, can you confirm that Karen has completed either an employee or volunteer NDA?

Jul 26 2017, 4:58 PM · Security
dpatrick triaged T171699: CheckUser should use methods from the IP class to validate IPs and CIDR ranges as Normal priority.
Jul 26 2017, 4:55 PM · CheckUser

Jul 19 2017

dpatrick added a subtask for T170548: nodejs 6.11: Unknown Object (Task).
Jul 19 2017, 5:16 PM · Maps-Sprint, Maps (Kartographer), Discovery, Services (done), User-mobrovac, Operations
dpatrick added a project to T171045: XSS in SocialProfile's UserBoard: Vuln-XSS.
Jul 19 2017, 5:12 PM · Vuln-XSS, SocialProfile, Social-Tools, Security
dpatrick updated subscribers of T169328: Protect against PHP code execution via memcached/unserialize.
Jul 19 2017, 5:09 PM · Services (watching), Security
dpatrick triaged T169328: Protect against PHP code execution via memcached/unserialize as Normal priority.
Jul 19 2017, 5:08 PM · Services (watching), Security

Jul 12 2017

dpatrick moved T168860: Security review for AdvancedSearch extension from Backlog to Scheduled on the Security-Reviews board.
Jul 12 2017, 7:21 PM · WMDE-Fun-Team, JavaScript, Security-Reviews, TCB-Team, Advanced-Search

Jul 11 2017

dpatrick triaged T170052: Access rights for HDFS on stat100* for Sqoop tasks as Unbreak Now! priority.
Jul 11 2017, 8:55 PM · Analytics-Kanban, User-Addshore, Security, Analytics-Cluster
dpatrick moved T170052: Access rights for HDFS on stat100* for Sqoop tasks from Backlog to External (Non-WMF) Issues on the Security board.
Jul 11 2017, 8:54 PM · Analytics-Kanban, User-Addshore, Security, Analytics-Cluster
dpatrick added a comment to T170301: Add OAuth Extension to Wikimedia Foundation Wiki.

No qualms from me. I'm okay with OAuth on foundationwiki.

Jul 11 2017, 8:11 PM · Anti-Harassment (AHT Sprint 2), User-MarcoAurelio, Wikimedia-Extension-setup, Community-Tech
dpatrick added a comment to T162181: Should we add psy/psysh to wmf vendor repo for use on WMF servers?.

My apologies for the delay on this. In my review I focused on verifying safe interaction with the environment, safe shell invocation, resource consumption, php-parser not accidentally invoking code around the AST construction process, and appropriate remediation of any previously reported security vulnerabilities. I did not find any issues nor did I uncover any malcode (however, there is a huge amount of code here).

Jul 11 2017, 5:15 PM · Security-Reviews, Patch-For-Review, Wikimedia-General-or-Unknown, MediaWiki-Vendor
dpatrick created E644: Security review for AdvancedSearch extension.
Jul 11 2017, 4:42 PM · Security-Reviews
dpatrick created E643: Security review of vue.js library.
Jul 11 2017, 4:39 PM · Security-Reviews
dpatrick moved T168264: Security review of vue.js library from Backlog to Scheduled on the Security-Reviews board.
Jul 11 2017, 4:39 PM · JavaScript, Security-Reviews, Wikidata
dpatrick moved T169656: Security Review of Recommendation API - take #2 from Backlog to Scheduled on the Security-Reviews board.
Jul 11 2017, 4:39 PM · Services (done), Security-Team, Security-Reviews, Recommendation-API
dpatrick created E642: Security Review of Recommendation API - take #2.
Jul 11 2017, 4:22 PM · Security-Reviews
dpatrick added a comment to T169656: Security Review of Recommendation API - take #2.

@schana, I'm scheduling this to start this week and be completed within two weeks.

Jul 11 2017, 4:22 PM · Services (done), Security-Team, Security-Reviews, Recommendation-API

Jun 13 2017

dpatrick added a comment to T167812: TemplateStyles HTML injection.

Since this hasn't been deployed, this can be committed now, correct?

Jun 13 2017, 8:38 PM · Patch-For-Review, TemplateStyles, Security
dpatrick triaged T167812: TemplateStyles HTML injection as High priority.
Jun 13 2017, 8:37 PM · Patch-For-Review, TemplateStyles, Security

Jun 6 2017

dpatrick updated the task description for T163827: Security review of Ex:JsonConfig/Ex:Kartographer interaction.
Jun 6 2017, 4:13 PM · Maps-Sprint, Maps (Kartographer), MediaWiki-extensions-JsonConfig, Security-Reviews

May 25 2017

dpatrick changed the start date for E591: Security review of Ex:JsonConfig/Ex:Kartographer interaction from May 15 2017 to Jun 5 2017.
May 25 2017, 5:34 PM · Security-Reviews
dpatrick created E598: Verification of whitelisted.yaml / graylisted.yaml.
May 25 2017, 5:32 PM · Security-Reviews
dpatrick added a comment to T128334: Investigation: Make upload-by-URL whitelist not dependent on a configuration setting for Commons.

This has been on the #Security-Review backlog for a long time. Is this review still needed?

May 25 2017, 5:25 PM · MediaWiki-extensions-GWToolset, Multimedia, Security-Reviews, Commons
dpatrick moved T162181: Should we add psy/psysh to wmf vendor repo for use on WMF servers? from Backlog to Scheduled on the Security-Reviews board.
May 25 2017, 5:24 PM · Security-Reviews, Patch-For-Review, Wikimedia-General-or-Unknown, MediaWiki-Vendor
dpatrick created E597: Security Review of psy/psysh use on WMF servers.
May 25 2017, 5:24 PM · Security-Reviews
dpatrick moved T108687: Security review for CodeMirror extension branch master from Scheduled to In Progress on the Security-Reviews board.
May 25 2017, 5:16 PM · Community-Tech, Security-Reviews, MediaWiki-extensions-CodeMirror

May 11 2017

dpatrick added invites for E591: Security review of Ex:JsonConfig/Ex:Kartographer interaction: Reedy.
May 11 2017, 6:41 PM · Security-Reviews
dpatrick added a comment to T164784: New Phab project needed: MediaWiki-Release-Improvement.

Who can view that GoogleDoc?

May 11 2017, 6:05 PM · Project-Admins
dpatrick updated subscribers of T164784: New Phab project needed: MediaWiki-Release-Improvement.

Also wondering if this could be a subproject of MediaWiki-Releasing. However creating a first subproject moves all members from the parent project into it...

May 11 2017, 6:00 PM · Project-Admins
dpatrick added a comment to T164784: New Phab project needed: MediaWiki-Release-Improvement.

Sounds like tarball territory. Would this be a goal project ("without a defined ending date but which can definitely realistically be defined as finished at some point")?

May 11 2017, 5:59 PM · Project-Admins
dpatrick assigned T164800: A variant of "Load JS and CSS by URL" site JS snippet is vulnerable to XSS to Bawolff.
May 11 2017, 5:49 PM · Vuln-XSS, Security
dpatrick moved T165059: Change incorrect informations on the login form of phab-01.wmflabs.org from Backlog to Other WMF team on the Security board.
May 11 2017, 5:48 PM · Security, VPS-project-Phabricator
dpatrick removed a project from T164666: Long running query MessageCache::loadFromDB(en)-small on WMF "special" slaves: Security.

Untagging Security.

May 11 2017, 5:44 PM · MediaWiki-Cache, MW-1.30-release-notes, MediaWiki-Database
dpatrick created E591: Security review of Ex:JsonConfig/Ex:Kartographer interaction.
May 11 2017, 5:41 PM · Security-Reviews

May 8 2017

dpatrick created T164784: New Phab project needed: MediaWiki-Release-Improvement.
May 8 2017, 7:27 PM · Project-Admins

May 2 2017

dpatrick moved T163827: Security review of Ex:JsonConfig/Ex:Kartographer interaction from Backlog to Scheduled on the Security-Reviews board.
May 2 2017, 8:37 PM · Maps-Sprint, Maps (Kartographer), MediaWiki-extensions-JsonConfig, Security-Reviews
dpatrick moved T164103: Generate labsdb views for dtywiki, pawikisource, ptwikimedia, wbwikimedia from Backlog to Other WMF team on the Security board.
May 2 2017, 8:37 PM · Security, Cloud-Services
dpatrick added a comment to T164103: Generate labsdb views for dtywiki, pawikisource, ptwikimedia, wbwikimedia.

No qualms from us. Please proceed at your convenience.

May 2 2017, 8:37 PM · Security, Cloud-Services
dpatrick added a comment to T163166: XSS in object descriptions from tabular data.

@MaxSem, you can go ahead and release and open this bug. I have no further comments. The fix looks good.

May 2 2017, 8:03 PM · Patch-For-Review, Maps-Sprint, Maps (Kartographer), Vuln-XSS, Security

Apr 27 2017

dpatrick triaged T164000: ghostscript dSafer bypass as High priority.
Apr 27 2017, 5:39 PM · Patch-For-Review, Wikimedia-General-or-Unknown, Security
dpatrick added a comment to T164000: ghostscript dSafer bypass.

Thanks for the heads up @MoritzMuehlenhoff. While we're at it, I think it makes sense to set both pertinent PdfHandler config items to be firejailed:

  • PdfPostProcessor - /usr/local/bin/mediawiki-firejail-convert ($wgImageMagickConvertCommand)
  • PdfProcessor - /usr/local/bin/mediawiki-firejail-ghostscript
Apr 27 2017, 5:38 PM · Patch-For-Review, Wikimedia-General-or-Unknown, Security
dpatrick added a comment to T163166: XSS in object descriptions from tabular data.

Only specific configurations that sysadmins decided to use are affected.

Apr 27 2017, 1:57 AM · Patch-For-Review, Maps-Sprint, Maps (Kartographer), Vuln-XSS, Security
dpatrick added a comment to T163166: XSS in object descriptions from tabular data.

I'm speaking in terms of the second patch above, to JsonConfig, where a dependency on Kartographer\SimpleStyleParser is introduced in includes/JCMapDataContent.php. The fix looks good, but do we need to notify users of this new coupling, or was it already assumed and understood that anyone using JsonConfig would also be using Kartographer? The docs at https://www.mediawiki.org/wiki/Extension:JsonConfig make it seem like it's a general purpose tool.

Apr 27 2017, 1:48 AM · Patch-For-Review, Maps-Sprint, Maps (Kartographer), Vuln-XSS, Security
dpatrick added a comment to T163166: XSS in object descriptions from tabular data.

It looks like JsonConfig now cannot be used separately from Kartographer. Is this just temporary @MaxSem?

Apr 27 2017, 1:19 AM · Patch-For-Review, Maps-Sprint, Maps (Kartographer), Vuln-XSS, Security

Apr 25 2017

dpatrick triaged T163166: XSS in object descriptions from tabular data as High priority.
Apr 25 2017, 9:02 PM · Patch-For-Review, Maps-Sprint, Maps (Kartographer), Vuln-XSS, Security
dpatrick updated the task description for T163827: Security review of Ex:JsonConfig/Ex:Kartographer interaction.
Apr 25 2017, 9:00 PM · Maps-Sprint, Maps (Kartographer), MediaWiki-extensions-JsonConfig, Security-Reviews
dpatrick updated the task description for T163827: Security review of Ex:JsonConfig/Ex:Kartographer interaction.
Apr 25 2017, 8:54 PM · Maps-Sprint, Maps (Kartographer), MediaWiki-extensions-JsonConfig, Security-Reviews
dpatrick created T163827: Security review of Ex:JsonConfig/Ex:Kartographer interaction.
Apr 25 2017, 8:49 PM · Maps-Sprint, Maps (Kartographer), MediaWiki-extensions-JsonConfig, Security-Reviews
dpatrick removed a project from T163019: Allow tool's maintainers to force HTTPS for their tool: Security.

This seems to be a non-Security issue, and one which is best handled by another team, so I'm untagging the Security project.

Apr 25 2017, 8:45 PM · User-Urbanecm, Toolforge
dpatrick added a member for Security: APalmer_WMF.
Apr 25 2017, 8:31 PM
dpatrick closed T163820: Security Issue Access Request for (APalmer_WMF) as Resolved.

Approved.

Apr 25 2017, 8:31 PM · Security
dpatrick added a member for Security: Matanya.
Apr 25 2017, 8:30 PM
dpatrick closed T163260: Security Issue Access Request for matanya as Resolved.

Approved. Thanks for your patience!

Apr 25 2017, 8:30 PM · Security
dpatrick closed T162621: Flow Nuke integration is broken for non-existent users as Resolved.
Apr 25 2017, 4:10 PM · Collaboration-Team-Triage (Collab-Team-Q4-Apr-Jun-2017), MediaWiki-extensions-Nuke, StructuredDiscussions, Security