dpatrick (Darian Anthony Patrick)
User

User Since
May 19 2015, 9:05 PM (92 w, 16 h)
Availability
Available
LDAP User
Unknown
MediaWiki User
DPatrick (WMF)

Recent Activity

Tue, Feb 14

dpatrick triaged T158119: Add Security.md to MediaWiki Core? as "Normal" priority.
Tue, Feb 14, 9:41 PM · MediaWiki-Documentation, Documentation, Security-Team, Security
dpatrick added a comment to T158119: Add Security.md to MediaWiki Core?.

@Reedy, I think this is a good idea for people working with a local repo who are unfamiliar with our projects.

Tue, Feb 14, 9:41 PM · MediaWiki-Documentation, Documentation, Security-Team, Security
dpatrick awarded T158119: Add Security.md to MediaWiki Core? a Like token.
Tue, Feb 14, 9:36 PM · MediaWiki-Documentation, Documentation, Security-Team, Security
dpatrick moved T138324: Security review for CollaborationKit from Waiting/Blocked to Backlog on the Security-Reviews board.
Tue, Feb 14, 9:21 PM · MediaWiki-extensions-CollaborationKit, Security-Reviews

Wed, Feb 8

dpatrick changed the start date for E430: Security Review: Internal File Server configuration and access from Mon, Jan 30 to Mon, Feb 13.
Wed, Feb 8, 6:36 PM · Security-Reviews

Tue, Feb 7

dpatrick renamed E485: Security review of Extension:PageForms from Security review for Extension:PageForms to Security review of Extension:PageForms.
Tue, Feb 7, 5:38 PM · Security-Reviews
dpatrick moved T157077: Security review of Extension:3d from Backlog to Scheduled on the Security-Reviews board.
Tue, Feb 7, 5:35 PM · Security-Reviews
dpatrick moved T141474: Automatic start of authentication workflow for link provider (if it's the only available one) from Backlog to In Progress on the Security-Reviews board.
Tue, Feb 7, 5:35 PM · Security-Reviews, Patch-For-Review, MediaWiki-Authentication-and-authorization
dpatrick moved T153087: Security Review of Trending Edits Endpoint from Backlog to Scheduled on the Security-Reviews board.
Tue, Feb 7, 5:34 PM · Reading Epics (Trending Edits), Reading-Web-Trending-Service, Security-Reviews
dpatrick moved T149869: Security review for PageForms from Backlog to Scheduled on the Security-Reviews board.
Tue, Feb 7, 5:34 PM · MediaWiki-extensions-Page_Forms, Security-Reviews
dpatrick created E486: Security Review of Trending Edits Endpoint.
Tue, Feb 7, 5:33 PM · Security-Reviews
dpatrick created E485: Security review of Extension:PageForms.
Tue, Feb 7, 5:24 PM · Security-Reviews
dpatrick added a comment to T149869: Security review for PageForms.

@Dereckson I'd like to schedule this soon but we need more information. Can you update the description? You can find a template for Phabricator at https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Security_reviews#Requesting_a_review.

Tue, Feb 7, 5:23 PM · MediaWiki-extensions-Page_Forms, Security-Reviews
dpatrick created E484: Security review of Extension:3d.
Tue, Feb 7, 5:13 PM · Security-Reviews

Fri, Feb 3

dpatrick created E481: Security review of OIT LDAP User Management Tool.
Fri, Feb 3, 12:41 AM · Security-Reviews
dpatrick closed T156958: Repository request: OIT-LDAP-Tools as "Resolved".

This has been completed. https://phabricator.wikimedia.org/source/OIT-LDAP-Tools/

Fri, Feb 3, 12:30 AM · Repository-Admins

Wed, Feb 1

dpatrick edited the description of T156958: Repository request: OIT-LDAP-Tools.
Wed, Feb 1, 8:13 PM · Repository-Admins
dpatrick created T156958: Repository request: OIT-LDAP-Tools.
Wed, Feb 1, 8:12 PM · Repository-Admins

Tue, Jan 31

dpatrick closed T155867: Security Issue Access Request for Ejegg as "Resolved".

Discussed last week and approved. Thanks @Ejegg. You should have access now.

Tue, Jan 31, 9:46 PM · Security
dpatrick added a member for Security: Ejegg.
Tue, Jan 31, 9:45 PM
dpatrick triaged T156343: striker does not (?) honour TitleBlacklist for shell names as "Unbreak Now!" priority.
Tue, Jan 31, 9:36 PM · Striker, Tool-Labs, Labs, Security
dpatrick added a comment to T156343: striker does not (?) honour TitleBlacklist for shell names.

@bd808 -- Can you take a look at this?

Tue, Jan 31, 9:36 PM · Striker, Tool-Labs, Labs, Security
dpatrick triaged T155867: Security Issue Access Request for Ejegg as "Normal" priority.
Tue, Jan 31, 9:27 PM · Security

Mon, Jan 30

dpatrick added a comment to T155265: LiquidThreads denial of service due to unvalidated limit parameter.

Deployed to the cluster now

Mon, Jan 30, 11:45 PM · WMF-deploy-2017-01-24_(1.29.0-wmf.9), Patch-For-Review, MediaWiki-extensions-LiquidThreads, Security-Extensions, Vuln-DoS, Security
dpatrick changed the start date for E430: Security Review: Internal File Server configuration and access from Jan 23 2017 to Mon, Jan 30.
Mon, Jan 30, 11:29 PM · Security-Reviews
dpatrick moved T140167: Security Review of LoginNotify extension from Waiting/Blocked to Done on the Security-Reviews board.
Mon, Jan 30, 11:28 PM · MediaWiki-extensions-LoginNotify, Security-Reviews
dpatrick moved T140167: Security Review of LoginNotify extension from Scheduled to Waiting/Blocked on the Security-Reviews board.
Mon, Jan 30, 11:25 PM · MediaWiki-extensions-LoginNotify, Security-Reviews
dpatrick added a comment to T140167: Security Review of LoginNotify extension.

@Bawolff No issues were found beyond those already discussed in other tickets. Once those are resolved, this extension can be deployed.

Mon, Jan 30, 11:24 PM · MediaWiki-extensions-LoginNotify, Security-Reviews
dpatrick created E477: Security review of OIT LDAP Password Change Page.
Mon, Jan 30, 11:18 PM · Security-Reviews
dpatrick changed the end date for E433: Security Review of Popups extension library from Fri, Feb 3 to Fri, Jan 27.
Mon, Jan 30, 11:16 PM · Security-Reviews
dpatrick removed invites for E433: Security Review of Popups extension library: dpatrick.
Mon, Jan 30, 11:16 PM · Security-Reviews
dpatrick closed T132063: Security review of 3d2png, a subtask of T132058: 3d extension supporting AMF and STL (3d printing files), as "Resolved".
Mon, Jan 30, 8:54 PM · WMF-deploy-2016-05-10_(1.28.0-wmf.1), MW-1.28-release-notes, Patch-For-Review, 3d, Wikimedia-Hackathon-2016, Reading-Community-Engagement, MediaWiki-File-management, Commons, Editing-Department, Multimedia
dpatrick closed T132063: Security review of 3d2png as "Resolved".
Mon, Jan 30, 8:54 PM · Patch-For-Review, 3d, Security-Reviews
dpatrick added a comment to T132063: Security review of 3d2png.

@MarkTraceur Looks good. Thanks!

Mon, Jan 30, 8:54 PM · Patch-For-Review, 3d, Security-Reviews

Fri, Jan 27

dpatrick created E476: Security review of Newsletter extension.
Fri, Jan 27, 8:50 PM · Security-Reviews

Tue, Jan 24

dpatrick added a project to T155265: LiquidThreads denial of service due to unvalidated limit parameter: Vuln-DoS.
Tue, Jan 24, 10:02 PM · WMF-deploy-2017-01-24_(1.29.0-wmf.9), Patch-For-Review, MediaWiki-extensions-LiquidThreads, Security-Extensions, Vuln-DoS, Security
dpatrick triaged T155265: LiquidThreads denial of service due to unvalidated limit parameter as "Normal" priority.
Tue, Jan 24, 10:02 PM · WMF-deploy-2017-01-24_(1.29.0-wmf.9), Patch-For-Review, MediaWiki-extensions-LiquidThreads, Security-Extensions, Vuln-DoS, Security
dpatrick triaged T156184: Consider making rawHTML mode not apply to system messages as "Normal" priority.
Tue, Jan 24, 9:45 PM · Patch-For-Review, MediaWiki-Interface, Security

Jan 4 2017

dpatrick changed the start date for E430: Security Review: Internal File Server configuration and access from Jan 3 2017 to Jan 23 2017.
Jan 4 2017, 6:38 PM · Security-Reviews
dpatrick changed the start date for E434: Security review for TwoColConflict extension from Jan 3 2017 to Dec 19 2016.
Jan 4 2017, 6:37 PM · Security-Reviews

Jan 3 2017

dpatrick updated subscribers of T153948: thumbnail script should respect imgAuthBeforeStream.

Thanks @MarkAHershberger. @Bawolff, will you review Mark's patch?

Jan 3 2017, 9:26 PM · Security, MediaWiki-General-or-Unknown, Patch-For-Review
dpatrick triaged T153948: thumbnail script should respect imgAuthBeforeStream as "High" priority.
Jan 3 2017, 9:26 PM · Security, MediaWiki-General-or-Unknown, Patch-For-Review

Dec 21 2016

dpatrick added a comment to T125338: Security and compliance with the Privacy Policy review of Extension:StopForumSpam to consider deployment on WMF wikis.

Just adding this e-mail snippet from @Legoktm from Dec. 14th as a reminder to myself (or whomever) that this still needs to go through formal review:

Dec 21 2016, 3:12 AM · Security-Reviews, MediaWiki-extensions-StopForumSpam, Support-and-Safety, WMF-Legal
dpatrick changed the start date for E434: Security review for TwoColConflict extension from Mon, Feb 6 to Jan 3 2017.
Dec 21 2016, 2:50 AM · Security-Reviews
dpatrick created E434: Security review for TwoColConflict extension.
Dec 21 2016, 2:46 AM · Security-Reviews
dpatrick moved T151902: Security Review of Popups extension library from Backlog to Scheduled on the Security-Reviews board.
Dec 21 2016, 1:47 AM · Page-Previews (2016-17-Q3-Goal), Reading-Web-Backlog, Security-Reviews
dpatrick created E433: Security Review of Popups extension library.
Dec 21 2016, 1:42 AM · Security-Reviews
dpatrick moved T149083: Security review for InterwikiSorting Extension from Backlog to Scheduled on the Security-Reviews board.
Dec 21 2016, 12:25 AM · MediaWiki-extensions-InterwikiSorting, WMDE-QWERTY-Team-Board, User-Addshore, Wikidata, Security-Reviews
dpatrick created E432: Security review for InterwikiSorting Extension.
Dec 21 2016, 12:25 AM · Security-Reviews
dpatrick added a comment to T151902: Security Review of Popups extension library.

To clarify, this ticket is requesting review of Redux not Hovercards, correct?

Dec 21 2016, 12:16 AM · Page-Previews (2016-17-Q3-Goal), Reading-Web-Backlog, Security-Reviews
dpatrick moved T149082: Security review for Cognate Extension from Backlog to Scheduled on the Security-Reviews board.
Dec 21 2016, 12:13 AM · Patch-For-Review, WMDE-QWERTY-Team-Board, User-Addshore, Wikidata, Cognate, Security-Reviews
dpatrick created E431: Security review for Cognate Extension.
Dec 21 2016, 12:13 AM · Security-Reviews

Dec 20 2016

dpatrick moved T148567: Restrict outgoing network connections from Electron render service from Backlog to In Progress on the Security-Reviews board.
Dec 20 2016, 10:22 PM · Electron-PDFs, Services (blocked), Security-Reviews, User-mobrovac, Services-next, Operations
dpatrick moved T143969: Unable to mirror repository from git.legoktm.com into diffusion from Backlog to In Progress on the Security-Reviews board.
Dec 20 2016, 10:21 PM · Security-Reviews, Patch-For-Review, Striker, Phabricator
dpatrick changed E430: Security Review: Internal File Server configuration and access to an all day event.
Dec 20 2016, 10:19 PM · Security-Reviews
dpatrick created E430: Security Review: Internal File Server configuration and access.
Dec 20 2016, 10:18 PM · Security-Reviews

Dec 7 2016

dpatrick triaged T144100: Pageview dumps incorrectly formatted, looks like a result of possibly malicious activity as "Normal" priority.
Dec 7 2016, 5:30 PM · Security, Analytics, Dumps-Generation

Nov 30 2016

dpatrick created T152021: Omit private data from being generated during dump runs.
Nov 30 2016, 6:06 PM · Patch-For-Review, Dumps-Generation, Security

Nov 29 2016

dpatrick triaged T151408: Separate bot right for normal pages and interface (MediaWiki:) pages as "Normal" priority.
Nov 29 2016, 9:59 PM · Patch-For-Review, MediaWiki-Recent-changes, MediaWiki-General-or-Unknown, Security
dpatrick added a comment to T349: Security update planning re Composer managed libraries for use on WMF cluster.

Can this be closed?

Nov 29 2016, 8:20 PM · Librarization

Nov 23 2016

dpatrick updated subscribers of T150832: Replicate page_assessments and page_assessments_projects tables on Labs.

@Bawolff, can you take a look at this?

Nov 23 2016, 6:51 PM · Security-Reviews, Patch-For-Review, Community-Tech, MediaWiki-extensions-PageAssessments, Labs, DBA
dpatrick added a project to T150832: Replicate page_assessments and page_assessments_projects tables on Labs: Security-Reviews.
Nov 23 2016, 6:51 PM · Security-Reviews, Patch-For-Review, Community-Tech, MediaWiki-extensions-PageAssessments, Labs, DBA

Nov 22 2016

Davey2010 awarded T150605: Publish an analysis of the OurMine hack a Barnstar token.
Nov 22 2016, 10:38 PM · Security-Team, Security-General
dpatrick added a parent task for T151010: Add logging to OATHAuth: Unknown Object (Task).
Nov 22 2016, 10:30 PM · MediaWiki-extensions-OATHAuth
dpatrick assigned T151010: Add logging to OATHAuth to Reedy.
Nov 22 2016, 10:30 PM · MediaWiki-extensions-OATHAuth
dpatrick added a comment to T107707: Login alert when user logs in from new machine.

@Bawolff has created an extension, LoginNotify, which handles this. I'm reviewing the extension this week.

Nov 22 2016, 10:25 PM · Security-Core, MediaWiki-User-login-and-signup
dpatrick added a parent task for T107707: Login alert when user logs in from new machine: Unknown Object (Task).
Nov 22 2016, 10:23 PM · Security-Core, MediaWiki-User-login-and-signup
dpatrick added a parent task for T151015: Deploy EmailAuth extension to the beta cluster: Unknown Object (Task).
Nov 22 2016, 10:19 PM · MediaWiki-extensions-EmailAuth
dpatrick triaged T150605: Publish an analysis of the OurMine hack as "High" priority.
Nov 22 2016, 10:18 PM · Security-Team, Security-General
dpatrick added a parent task for T150605: Publish an analysis of the OurMine hack: Unknown Object (Task).
Nov 22 2016, 10:18 PM · Security-Team, Security-General
dpatrick claimed T150605: Publish an analysis of the OurMine hack.
Nov 22 2016, 10:17 PM · Security-Team, Security-General
dpatrick moved T150526: BotPasswords: grant all rights from Backlog to Other WMF team on the Security board.
Nov 22 2016, 10:15 PM · MediaWiki-Authentication-and-authorization, Security
dpatrick added a comment to T150526: BotPasswords: grant all rights.

From a technical standpoint, there's nothing to prevent this feature from being added.

@dpatrick, @Bawolff, any objections from a Security perspective? The TL;DR is "Add an option to BotPasswords to just let the bot use every right available to the account instead of messing with grants."

Nov 22 2016, 10:14 PM · MediaWiki-Authentication-and-authorization, Security
dpatrick added a parent task for T57420: Remove local wiki password hash when CentralAuth has attached account: Unknown Object (Task).
Nov 22 2016, 9:51 PM · MediaWiki-extensions-CentralAuth
dpatrick created E386: Security Review: LoginNotify.
Nov 22 2016, 8:51 PM · Security-Reviews
dpatrick moved T144467: Security review for Google MT for Content Translation from Scheduled to In Progress on the Security-Reviews board.
Nov 22 2016, 8:49 PM · Language-Engineering October-December 2016, WorkType-NewFunctionality, Security-Reviews, Security-Extensions, ContentTranslation-Deployments, ContentTranslation-CXserver, ContentTranslation
dpatrick added a project to E385: Security Review: Audit tables on labsdb databases/sanitarium: Security-Reviews.
Nov 22 2016, 8:47 PM · Security-Reviews
dpatrick created E385: Security Review: Audit tables on labsdb databases/sanitarium.
Nov 22 2016, 8:47 PM · Security-Reviews
dpatrick changed the start date for E342: Security Review: Recommendation API from Nov 21 2016 to Nov 28 2016.
Nov 22 2016, 8:43 PM · Security-Reviews
dpatrick added invites for E342: Security Review: Recommendation API: Bawolff.
Nov 22 2016, 8:41 PM · Security-Reviews
dpatrick changed the start date for E342: Security Review: Recommendation API from Nov 21 2016 to Nov 21 2016.
Nov 22 2016, 8:40 PM · Security-Reviews
dpatrick changed the start date for E342: Security Review: Recommendation API from Nov 14 2016 to Nov 21 2016.
Nov 22 2016, 8:40 PM · Security-Reviews

Nov 21 2016

dpatrick added a comment to T113262: Citoid doesn't strip links to Google Books correctly, removing page number along with preview.

What is the conclusion for this? Do we

  • Remove search query string only
  • Leave all query parameters in
Nov 21 2016, 8:52 PM · VisualEditor, WorkType-Maintenance, Citoid

Nov 17 2016

dpatrick awarded T149617: Integrating MediaWiki (and other services) with dynamic configuration a Like token.
Nov 17 2016, 7:44 PM · Wikimedia-Multiple-active-datacenters, Services (watching), Performance-Team, discovery-system, User-Joe, User-mobrovac, MediaWiki-Configuration, Operations, Wikimedia-Developer-Summit (2017)
dpatrick awarded T149665: UX to create safe spaces a Like token.
Nov 17 2016, 7:43 PM · Community-Wishlist-Survey-2015, Teahouse, MediaWiki-Patrolling, Flow, Editing-UX-Research, Collaboration-Team-Triage, Wikimedia-Developer-Summit (2017)
dpatrick awarded T147604: Cross-functional support for rich media a Like token.
Nov 17 2016, 7:42 PM · Wikimedia-Video
dpatrick awarded T149459: UX Guidelines working session and, potentially, presentation a Like token.
Nov 17 2016, 7:39 PM · WikimediaUI Style Guide, UI-Standardization, Design, Wikimedia-Developer-Summit (2017)
dpatrick awarded T149551: [WikiDev17] OAuth roadmap planning a Like token.
Nov 17 2016, 7:38 PM · MediaWiki-extensions-OAuth, Wikimedia-Developer-Summit (2017)

Nov 16 2016

dpatrick removed a member for Security: RobLa-WMF.
Nov 16 2016, 11:30 PM
dpatrick added a comment to T150647: Deploy EncryptedPassword to WMF.

So, the thinking here is that we are mitigating exposure of old, non-upgraded password hashes, correct?

And the assumption is that, were there to be some vulnerability that allows an attacker access to the database, that vulnerability does not also yield access to the encryption key?

This would also wrap them in pbkdf2, so it will help even if the attacker has the encryption key. However, an attacker with db access but no config file access does sound like a very plausible attack scenario too.

Nov 16 2016, 8:08 PM · Wikimedia-Site-requests, Security-Team

Nov 15 2016

dpatrick added a comment to T150647: Deploy EncryptedPassword to WMF.

So, the thinking here is that we are mitigating exposure of old, non-upgraded password hashes, correct?

Nov 15 2016, 2:29 AM · Wikimedia-Site-requests, Security-Team

Nov 14 2016

dpatrick added a comment to T150605: Publish an analysis of the OurMine hack.

Hello all. For now, it appears that the attacker has ceased attempting to compromise accounts. We are still investigating prior instances and are not yet ready to provide a report. Once we are ready, that report will likely be in a format similar to what @MZMcBride described above. We thank everyone who has worked to remediate the issues occurring over the past few days and we will update you as soon as we can.

Nov 14 2016, 5:51 PM · Security-Team, Security-General

Nov 10 2016

dpatrick added a comment to T150046: Spaces request for SIEM.

This should be separate from Security. We track vulnerability metrics using the Security tag and the tasks created for the SIEM project should not be included in those metrics. Additionally, at this point, the tag is being used to notate a specific project that requires some collaboration across teams. At this point, only Foundation employees are working on this project so it's fine to reference Office Wiki for more information.

Nov 10 2016, 6:28 PM · Developer-Relations (Oct-Dec-2016), Project-Admins

Nov 8 2016

dpatrick moved T142226: Productize the Electron PDF render service & create a REST API end point from Scheduled to Done on the Security-Reviews board.
Nov 8 2016, 9:40 PM · User-Joe, Security-Reviews, Electron-PDFs, Services (blocked), User-mobrovac, Services-next, Operations
dpatrick moved T148583: Security review for Linter extension from Backlog to Scheduled on the Security-Reviews board.
Nov 8 2016, 9:40 PM · MediaWiki-extensions-Linter, Security-Reviews
dpatrick edited projects for T141474: Automatic start of authentication workflow for link provider (if it's the only available one), added: Security-Reviews; removed Security.
Nov 8 2016, 9:39 PM · Security-Reviews, Patch-For-Review, MediaWiki-Authentication-and-authorization
dpatrick added a comment to T148576: Security review request: Electron render service.

This has been reviewed and no major issues were found.

Nov 8 2016, 4:52 PM · Services (done), Electron-PDFs, User-mobrovac, Security-Reviews

Nov 3 2016

dpatrick changed the visibility for T149504: Reflected XSS in Parsoid error page.
Nov 3 2016, 12:01 AM · Parsoid, Security
dpatrick closed T149504: Reflected XSS in Parsoid error page as "Resolved".

This appears to have been fixed, and should probably be marked as resolved and made public?

I'll let @dpatrick make a call on making it public by looking at the discussion on this ticket.

Nov 3 2016, 12:01 AM · Parsoid, Security

Nov 2 2016

dpatrick added a comment to T149504: Reflected XSS in Parsoid error page.

Hi everybody,

As the patch has been deployed and announced, I would like to request a CVE ID for the issue. Is this okay or would you like me to hold off on the request for more time?

Thanks in advance,

Nov 2 2016, 11:58 PM · Parsoid, Security