dpatrick (Darian Anthony Patrick)
User

User Details

User Since
May 19 2015, 9:05 PM (110 w, 1 d)
Availability
Available
LDAP User
Unknown
MediaWiki User
DPatrick (WMF)

Recent Activity

Tue, Jun 13

dpatrick added a comment to T167812: TemplateStyles HTML injection.

Since this hasn't been deployed, this can be committed now, correct?

Tue, Jun 13, 8:38 PM · Patch-For-Review, TemplateStyles, Security
dpatrick triaged T167812: TemplateStyles HTML injection as High priority.
Tue, Jun 13, 8:37 PM · Patch-For-Review, TemplateStyles, Security

Tue, Jun 6

dpatrick updated the task description for T163827: Security review of Ex:JsonConfig/Ex:Kartographer interaction.
Tue, Jun 6, 4:13 PM · Interactive-Sprint, Maps (Kartographer), MediaWiki-extensions-JsonConfig, Security-Reviews

May 25 2017

dpatrick changed the start date for E591: Security review of Ex:JsonConfig/Ex:Kartographer interaction from May 15 2017 to Mon, Jun 5.
May 25 2017, 5:34 PM · Security-Reviews
dpatrick created E598: Verification of whitelisted.yaml / graylisted.yaml.
May 25 2017, 5:32 PM · Security-Reviews
dpatrick added a comment to T128334: Investigation: Make upload-by-URL whitelist not dependent on a configuration setting for Commons.

This has been on the #Security-Review backlog for a long time. Is this review still needed?

May 25 2017, 5:25 PM · MediaWiki-extensions-GWToolset, Multimedia, Security-Reviews, Commons
dpatrick moved T162181: Should we add psy/psysh to wmf vendor repo for use on WMF servers? from Backlog to Scheduled on the Security-Reviews board.
May 25 2017, 5:24 PM · Security-Reviews, Patch-For-Review, Wikimedia-General-or-Unknown, MediaWiki-Vendor
dpatrick created E597: Security Review of psy/psysh use on WMF servers.
May 25 2017, 5:24 PM · Security-Reviews
dpatrick moved T108687: Security review for CodeMirror extension branch master from Scheduled to In Progress on the Security-Reviews board.
May 25 2017, 5:16 PM · Community-Tech, Security-Reviews, MediaWiki-extensions-CodeMirror

May 11 2017

dpatrick added invites for E591: Security review of Ex:JsonConfig/Ex:Kartographer interaction: Reedy.
May 11 2017, 6:41 PM · Security-Reviews
dpatrick added a comment to T164784: New Phab project needed: MediaWiki-Release-Improvement.

Who can view that GoogleDoc?

May 11 2017, 6:05 PM · Project-Admins
dpatrick updated subscribers of T164784: New Phab project needed: MediaWiki-Release-Improvement.

Also wondering if this could be a subproject of MediaWiki-Releasing. However, creating a first subproject moves all members from the parent project into it...

May 11 2017, 6:00 PM · Project-Admins
dpatrick added a comment to T164784: New Phab project needed: MediaWiki-Release-Improvement.

Sounds like tarball territory. Would this be a goal project ("without a defined ending date but which can definitely realistically be defined as finished at some point")?

May 11 2017, 5:59 PM · Project-Admins
dpatrick assigned T164800: A variant of "Load JS and CSS by URL" site JS snippet is vulnerable to XSS to Bawolff.
May 11 2017, 5:49 PM · Vuln-XSS, Security
dpatrick moved T165059: Change incorrect informations on the login form of phab-01.wmflabs.org from Backlog to Other WMF team on the Security board.
May 11 2017, 5:48 PM · Security, Labs-project-Phabricator
dpatrick removed a project from T164666: Long running query MessageCache::loadFromDB(en)-small on WMF "special" slaves: Security.

Untagging Security.

May 11 2017, 5:44 PM · MediaWiki-Cache, MW-1.30-release-notes, MediaWiki-Database
dpatrick created E591: Security review of Ex:JsonConfig/Ex:Kartographer interaction.
May 11 2017, 5:41 PM · Security-Reviews

May 8 2017

dpatrick created T164784: New Phab project needed: MediaWiki-Release-Improvement.
May 8 2017, 7:27 PM · Project-Admins

May 2 2017

dpatrick moved T163827: Security review of Ex:JsonConfig/Ex:Kartographer interaction from Backlog to Scheduled on the Security-Reviews board.
May 2 2017, 8:37 PM · Interactive-Sprint, Maps (Kartographer), MediaWiki-extensions-JsonConfig, Security-Reviews
dpatrick moved T164103: Generate labsdb views for dtywiki, pawikisource, ptwikimedia, wbwikimedia from Backlog to Other WMF team on the Security board.
May 2 2017, 8:37 PM · Security, Labs
dpatrick added a comment to T164103: Generate labsdb views for dtywiki, pawikisource, ptwikimedia, wbwikimedia.

No qualms from us. Please proceed at your convenience.

May 2 2017, 8:37 PM · Security, Labs
dpatrick added a comment to T163166: XSS in object descriptions from tabular data.

@MaxSem, you can go ahead and release and open this bug. I have no further comments. The fix looks good.

May 2 2017, 8:03 PM · Patch-For-Review, Interactive-Sprint, Maps (Kartographer), Vuln-XSS, Security

Apr 27 2017

dpatrick triaged T164000: ghostscript dSafer bypass as High priority.
Apr 27 2017, 5:39 PM · Patch-For-Review, Wikimedia-General-or-Unknown, Security
dpatrick added a comment to T164000: ghostscript dSafer bypass.

Thanks for the heads up @MoritzMuehlenhoff. While we're at it, I think it makes sense to set both pertinent PdfHandler config items to be firejailed:

  • PdfPostProcessor - /usr/local/bin/mediawiki-firejail-convert ($wgImageMagickConvertCommand)
  • PdfProcessor - /usr/local/bin/mediawiki-firejail-ghostscript
Apr 27 2017, 5:38 PM · Patch-For-Review, Wikimedia-General-or-Unknown, Security
dpatrick added a comment to T163166: XSS in object descriptions from tabular data.

Only specific configurations that sysadmins decided to use are affected.

Apr 27 2017, 1:57 AM · Patch-For-Review, Interactive-Sprint, Maps (Kartographer), Vuln-XSS, Security
dpatrick added a comment to T163166: XSS in object descriptions from tabular data.

I'm speaking in terms of the second patch above, to JsonConfig, where a dependency on Kartographer\SimpleStyleParser is introduced in includes/JCMapDataContent.php. The fix looks good, but do we need to notify users of this new coupling, or was it already assumed and understood that anyone using JsonConfig would also be using Kartographer? The docs at https://www.mediawiki.org/wiki/Extension:JsonConfig make it seem like it's a general purpose tool.

Apr 27 2017, 1:48 AM · Patch-For-Review, Interactive-Sprint, Maps (Kartographer), Vuln-XSS, Security
dpatrick added a comment to T163166: XSS in object descriptions from tabular data.

It looks like JsonConfig now cannot be used separately from Kartographer. Is this just temporary @MaxSem?

Apr 27 2017, 1:19 AM · Patch-For-Review, Interactive-Sprint, Maps (Kartographer), Vuln-XSS, Security

Apr 25 2017

dpatrick triaged T163166: XSS in object descriptions from tabular data as High priority.
Apr 25 2017, 9:02 PM · Patch-For-Review, Interactive-Sprint, Maps (Kartographer), Vuln-XSS, Security
dpatrick updated the task description for T163827: Security review of Ex:JsonConfig/Ex:Kartographer interaction.
Apr 25 2017, 9:00 PM · Interactive-Sprint, Maps (Kartographer), MediaWiki-extensions-JsonConfig, Security-Reviews
dpatrick updated the task description for T163827: Security review of Ex:JsonConfig/Ex:Kartographer interaction.
Apr 25 2017, 8:54 PM · Interactive-Sprint, Maps (Kartographer), MediaWiki-extensions-JsonConfig, Security-Reviews
dpatrick created T163827: Security review of Ex:JsonConfig/Ex:Kartographer interaction.
Apr 25 2017, 8:49 PM · Interactive-Sprint, Maps (Kartographer), MediaWiki-extensions-JsonConfig, Security-Reviews
dpatrick removed a project from T163019: Allow tool's maintainers to force HTTPS for their tool: Security.

This seems to be a non-Security issue, and one which is best handled by another team, so I'm untagging the Security project.

Apr 25 2017, 8:45 PM · User-Urbanecm, Labs, Tool-Labs
dpatrick added a member for Security: APalmer_WMF.
Apr 25 2017, 8:31 PM
dpatrick closed T163820: Security Issue Access Request for (APalmer_WMF) as Resolved.

Approved.

Apr 25 2017, 8:31 PM · Security
dpatrick added a member for Security: Matanya.
Apr 25 2017, 8:30 PM
dpatrick closed T163260: Security Issue Access Request for matanya as Resolved.

Approved. Thanks for your patience!

Apr 25 2017, 8:30 PM · Security
dpatrick closed T162621: Flow Nuke integration is broken for non-existent users as Resolved.
Apr 25 2017, 4:10 PM · Collaboration-Team-Triage (Collab-Team-Q4-Apr-Jun-2017), MediaWiki-extensions-Nuke, Flow, Security

Apr 12 2017

dpatrick added a comment to T161356: Security review of Mailvelope.

@tstarling Thanks Tim.

Apr 12 2017, 6:57 PM · Security-Reviews
dpatrick closed T161356: Security review of Mailvelope as Resolved.
Apr 12 2017, 6:57 PM · Security-Reviews
dpatrick closed T154695: Review 2FA login on iOS app as Resolved.

@JMinor, no issues found. Thanks for submitting this for review.

Apr 12 2017, 6:40 PM · Wikipedia-iOS-App-Backlog, Security-Reviews
dpatrick created E561: Security re-review of Ex:TemplateStyles.
Apr 12 2017, 6:37 PM · Security-Reviews

Apr 10 2017

dpatrick added a comment to T162621: Flow Nuke integration is broken for non-existent users.

This has been deployed:

Apr 10 2017, 10:45 PM · Collaboration-Team-Triage (Collab-Team-Q4-Apr-Jun-2017), MediaWiki-extensions-Nuke, Flow, Security

Apr 5 2017

dpatrick moved T108687: Security review for CodeMirror extension branch master from Backlog to Scheduled on the Security-Reviews board.
Apr 5 2017, 6:46 PM · Community-Tech, Security-Reviews, MediaWiki-extensions-CodeMirror
dpatrick moved T159709: Security review for WikibaseMediaInfo extension from Backlog to Scheduled on the Security-Reviews board.
Apr 5 2017, 6:46 PM · Wikidata, Structured-Multimedia-Data, Security-Reviews
dpatrick moved T133408: Security review of TemplateStyles from Done to Scheduled on the Security-Reviews board.
Apr 5 2017, 6:46 PM · Patch-For-Review, Reading-Admin, Security-Reviews, TemplateStyles
dpatrick created E553: Security review for WikibaseMediaInfo extension.
Apr 5 2017, 6:46 PM · Security-Reviews

Mar 29 2017

dpatrick updated the invite list for E549: Security review for CodeMirror extension branch master, invited: Reedy; uninvited: dpatrick.
Mar 29 2017, 4:59 PM · Security-Reviews
dpatrick created E549: Security review for CodeMirror extension branch master.
Mar 29 2017, 4:59 PM · Security-Reviews
dpatrick added a comment to T159709: Security review for WikibaseMediaInfo extension.

@Lydia_Pintscher Ping.

Mar 29 2017, 4:42 PM · Wikidata, Structured-Multimedia-Data, Security-Reviews

Mar 28 2017

dpatrick added a project to T161453: Having LocalisationCache directory default to system tmp directory is insecure: Vuln-Infoleak.
Mar 28 2017, 8:41 PM · MW-1.27-release-notes, MW-1.28-release-notes, MW-1.29-release (WMF-deploy-2017-04-11_(1.29.0-wmf.20)), MW-1.29-release-notes, MediaWiki-Internationalization, Vuln-Infoleak, Security
dpatrick triaged T161579: Review of reddit post about keyholder as Normal priority.
Mar 28 2017, 8:35 PM · Release-Engineering-Team, Security
dpatrick added a comment to T161356: Security review of Mailvelope.

To whom is WMF going to recommend Mailvelope? Is it for employees/contractors or the general public?

Mar 28 2017, 4:36 PM · Security-Reviews

Mar 24 2017

dpatrick moved T161356: Security review of Mailvelope from Backlog to In Progress on the Security-Reviews board.
Mar 24 2017, 10:59 PM · Security-Reviews
dpatrick added a comment to T161356: Security review of Mailvelope.

Created retroactively to capture content of e-mail response from @tstarling.

Mar 24 2017, 10:59 PM · Security-Reviews
dpatrick created T161356: Security review of Mailvelope.
Mar 24 2017, 10:58 PM · Security-Reviews

Mar 22 2017

dpatrick added a comment to T108687: Security review for CodeMirror extension branch master.

@kaldari, can you update the description of this ticket and add the info requested at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_reviews#Requesting_a_review? Once that's done, I'll get this scheduled.

Mar 22 2017, 5:43 PM · Community-Tech, Security-Reviews, MediaWiki-extensions-CodeMirror

Mar 21 2017

dpatrick moved T159519: Investigate security concerns on enabling OAuth or BotPasswords for stewardwiki from Backlog to Other WMF team on the Security board.
Mar 21 2017, 8:25 PM · Security-Extensions, Security-Team, Security
dpatrick added a comment to T154695: Review 2FA login on iOS app.

@JMinor, I just rescheduled this for this week and next. I'll contact you off-Phab to schedule a review commencement meeting.

Mar 21 2017, 7:40 PM · Wikipedia-iOS-App-Backlog, Security-Reviews
dpatrick changed the start date for E503: Security review of 2FA login on iOS app from Mar 13 2017 to Mar 20 2017.
Mar 21 2017, 7:39 PM · Security-Reviews
dpatrick added a comment to T99358: [Task] Security review of Wikibase-Quality-External-Validation branch master.

@Lydia_Pintscher, can you give us an update on this ticket?

Mar 21 2017, 7:37 PM · Patch-For-Review, Wikibase-Quality, Security-Team, Wikidata, Security-Reviews, Wikibase-Quality-External-Validation
dpatrick added a comment to T145966: Security review for Extension:DeleteBatch.

@Legoktm, @MarcoAurelio can you give an update on the status of the extension? Is it ready to review now? If not, I say we close this ticket as invalid and create another at a later date should the module prove ready for review and likely to be deployed.

Mar 21 2017, 7:36 PM · Security-Reviews
dpatrick added a comment to T149424: Security review the Extension:WikipediaExtracts.

@Sophivorus, @Dereckson, is this security review still needed?

Mar 21 2017, 7:31 PM · MediaWiki-extensions-WikipediaExtracts, Security-Reviews
dpatrick moved T160982: WIP Security review for FileImporter extension from Backlog to Waiting/Blocked on the Security-Reviews board.
Mar 21 2017, 7:29 PM · User-Addshore, WMDE-QWERTY-Team-Board, Security-Reviews
dpatrick added a comment to T159519: Investigate security concerns on enabling OAuth or BotPasswords for stewardwiki.

@MarcoAurelio, the Security team concurs with @Anomie. The main reason is not related to security concerns. We're okay with OAuth and BotPasswords on these wikis.

Mar 21 2017, 7:27 PM · Security-Extensions, Security-Team, Security
dpatrick added a comment to T159709: Security review for WikibaseMediaInfo extension.

@Lydia_Pintscher, can you update the description of this ticket with the information requested at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_reviews#Requesting_a_review? Thanks!

Mar 21 2017, 4:11 PM · Wikidata, Structured-Multimedia-Data, Security-Reviews

Feb 28 2017

dpatrick closed T158840: Security Issue Access Request for Nikerabbit as Resolved.

Approved! Thanks for all of your attentiveness thus far, and we're glad to have you in Security.

Feb 28 2017, 9:16 PM · Security
dpatrick added a member for Security: Nikerabbit.
Feb 28 2017, 9:15 PM

Feb 24 2017

dpatrick moved T151798: add subdomain for annual report 2016 from Backlog to Done on the Security-Reviews board.
Feb 24 2017, 8:39 PM · Patch-For-Review, Security-Reviews, Operations, Annual-Report
dpatrick added a comment to T151798: add subdomain for annual report 2016.

I've reviewed both content and technical implementation of the 2016 Annual Report and found no major security problems. Here are a few notes on minor things:

  • "amoritization" on 2016/financials.html may be misspelled
  • In the video at the bottom of 2016/what-we-stand-for.html, at approx. 1:21, is it okay to show the list of users who have visited the office?
  • Use of Katherine and Jimmy's signatures may be useful in instances an attacker requires a signature on a physical form as part of a further attack. (I say this realizing that we've probably published Katherine and Jimmy's signatures before.)
  • X-Frame-Options header is not set on live site (https://annual.wikimedia.org/2016/)
Feb 24 2017, 8:39 PM · Patch-For-Review, Security-Reviews, Operations, Annual-Report
dpatrick added a project to T151798: add subdomain for annual report 2016: Security-Reviews.
Feb 24 2017, 12:55 AM · Patch-For-Review, Security-Reviews, Operations, Annual-Report

Feb 22 2017

dpatrick changed the start date for E505: Security review of NamespaceRelations from Mar 6 2017 to Mar 13 2017.
Feb 22 2017, 9:40 PM · Security-Reviews
dpatrick changed the start date for E504: Security review of Timeless skin from Mar 6 2017 to Mar 13 2017.
Feb 22 2017, 9:40 PM · Security-Reviews
dpatrick moved T158661: Security review for FileExporter extension from Backlog to Scheduled on the Security-Reviews board.
Feb 22 2017, 7:42 PM · Patch-For-Review, Security-Reviews, User-Addshore
dpatrick updated subscribers of E506: Security review for Extension:FileExporter.
Feb 22 2017, 7:42 PM · Security-Reviews
dpatrick created E506: Security review for Extension:FileExporter.
Feb 22 2017, 7:42 PM · Security-Reviews
dpatrick moved T155087: Security review for NamespaceRelations from Backlog to Scheduled on the Security-Reviews board.
Feb 22 2017, 7:38 PM · Patch-For-Review, Security-Reviews
dpatrick updated subscribers of E505: Security review of NamespaceRelations.
Feb 22 2017, 7:37 PM · Security-Reviews
dpatrick created E505: Security review of NamespaceRelations.
Feb 22 2017, 7:36 PM · Security-Reviews
dpatrick moved T158011: Security review for Timeless skin from Backlog to Scheduled on the Security-Reviews board.
Feb 22 2017, 7:35 PM · Patch-For-Review, Timeless, Security-Reviews
dpatrick updated subscribers of E504: Security review of Timeless skin.
Feb 22 2017, 7:34 PM · Security-Reviews
dpatrick removed invites for E504: Security review of Timeless skin: dpatrick.
Feb 22 2017, 7:34 PM · Security-Reviews
dpatrick removed invites for E500: Security review of StopForumSpam: dpatrick.
Feb 22 2017, 7:34 PM · Security-Reviews
dpatrick removed invites for E502: Security review of Anniversaries Endpoint: dpatrick.
Feb 22 2017, 7:34 PM · Security-Reviews
dpatrick changed the start date for E484: Security review of Extension:3d from Feb 6 2017 to Feb 20 2017.
Feb 22 2017, 7:33 PM · Security-Reviews
dpatrick removed invites for E485: Security review of Extension:PageForms: dpatrick.
Feb 22 2017, 7:33 PM · Security-Reviews
dpatrick removed invites for E484: Security review of Extension:3d: dpatrick.
Feb 22 2017, 7:32 PM · Security-Reviews
dpatrick updated the invite list for E486: Security Review of Trending Edits Endpoint, invited: Bawolff; uninvited: dpatrick.
Feb 22 2017, 7:32 PM · Security-Reviews
dpatrick created E504: Security review of Timeless skin.
Feb 22 2017, 7:29 PM · Security-Reviews
dpatrick updated subscribers of E486: Security Review of Trending Edits Endpoint.
Feb 22 2017, 7:10 PM · Security-Reviews
dpatrick updated subscribers of E484: Security review of Extension:3d.
Feb 22 2017, 7:10 PM · Security-Reviews
dpatrick added invites for E485: Security review of Extension:PageForms: Bawolff.
Feb 22 2017, 7:09 PM · Security-Reviews
dpatrick updated subscribers of E502: Security review of Anniversaries Endpoint.
Feb 22 2017, 7:09 PM · Security-Reviews
dpatrick updated subscribers of E501: Security review of CollaborationKit.
Feb 22 2017, 7:09 PM · Security-Reviews
dpatrick updated subscribers of E500: Security review of StopForumSpam.
Feb 22 2017, 7:09 PM · Security-Reviews
dpatrick updated subscribers of E503: Security review of 2FA login on iOS app.
Feb 22 2017, 7:08 PM · Security-Reviews
dpatrick moved T154695: Review 2FA login on iOS app from Backlog to Scheduled on the Security-Reviews board.
Feb 22 2017, 7:08 PM · Wikipedia-iOS-App-Backlog, Security-Reviews
dpatrick added a comment to T154695: Review 2FA login on iOS app.

@JMinor, this review has been scheduled for the week of March 13th. Does this work for your deployment schedule? Also, can you provide documentation of setting up a test environment?

Feb 22 2017, 7:07 PM · Wikipedia-iOS-App-Backlog, Security-Reviews
dpatrick created E503: Security review of 2FA login on iOS app.
Feb 22 2017, 7:06 PM · Security-Reviews
dpatrick added a comment to T155087: Security review for NamespaceRelations.

Hi @Nemo_bis, could you update the description of this ticket and add the information requested at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_reviews#Requesting_a_review? Thanks!

Feb 22 2017, 7:03 PM · Patch-For-Review, Security-Reviews
dpatrick moved T153088: Security Review of On This Day Endpoint from Backlog to Scheduled on the Security-Reviews board.
Feb 22 2017, 6:58 PM · Reading Epics (New Feed Content), Mobile-Content-Service (Kanban), Security-Reviews