
sbassett (Scott Bassett)
Application Security Engineer

User Details

User Since
Sep 12 2018, 3:52 PM (61 w, 3 d)
Availability
Available
IRC Nick
sbassett
LDAP User
SBassett
MediaWiki User
SBassett (WMF) [ Global Accounts ]

Recent Activity

Fri, Nov 15

sbassett added a comment to T181803: Stop storing Mailman passwords in plain text.

Yeah, but you wouldn't want someone malicious to look at this issue and target WM's mailing list to get all those passwords and usernames out, right? I'm not saying that would happen since you need to have some sort of database access, but it could be worse if it was someone inside the Foundation.

Fri, Nov 15, 4:33 PM · Privacy, User-Josve05a, Operations, Security, Wikimedia-Mailing-lists
sbassett closed T237887: Old public versions of private filters are publicly viewable (CVE-2019-18987) as Resolved.

Ok, backports done, CVE filed (CVE-2019-18987), tracking in T234983. I'm going to resolve this for now. Thanks everyone.

Fri, Nov 15, 4:16 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), User-Urbanecm, AbuseFilter, Security
sbassett renamed T237887: Old public versions of private filters are publicly viewable (CVE-2019-18987) from Old public versions of private filters are publicly viewable to Old public versions of private filters are publicly viewable (CVE-2019-18987).
Fri, Nov 15, 4:13 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), User-Urbanecm, AbuseFilter, Security

Thu, Nov 14

sbassett removed a project from T237887: Old public versions of private filters are publicly viewable (CVE-2019-18987): Patch-For-Review.
Thu, Nov 14, 10:58 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), User-Urbanecm, AbuseFilter, Security
sbassett removed a project from T237887: Old public versions of private filters are publicly viewable (CVE-2019-18987): Patch-For-Review.
Thu, Nov 14, 9:54 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), User-Urbanecm, AbuseFilter, Security

Wed, Nov 13

sbassett added a comment to T237887: Old public versions of private filters are publicly viewable (CVE-2019-18987).

Exactly, thanks! I just forgot one thing: adding a @fixme comment right above the if, saying something like:

@fixme Temporary stopgap for T237887

Just in case that code survives for more than expected.

Wed, Nov 13, 10:59 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), User-Urbanecm, AbuseFilter, Security
sbassett moved T238268: How to best contact the WMF Security team? from Backlog to In Progress on the Security-Team board.
Wed, Nov 13, 9:54 PM · Security-Team
sbassett updated subscribers of T238268: How to best contact the WMF Security team?.

Thanks, @Aklapper. I've gone ahead and added a new section here:

Wed, Nov 13, 9:53 PM · Security-Team
sbassett triaged T238268: How to best contact the WMF Security team? as Low priority.
Wed, Nov 13, 9:52 PM · Security-Team
sbassett added a comment to T149869: Security review for PageForms.

It would be great if you could look at this fix and let me know if it does indeed solve the problem... assuming you still do that sort of thing!

Wed, Nov 13, 9:05 PM · Security, MediaWiki-extensions-Page_Forms, Security-Team-Reviews

Tue, Nov 12

sbassett updated the task description for T238167: Develop "security testing toolboxes" (Node/JS) for manual security reviews.
Tue, Nov 12, 11:17 PM · Security-Team, Restricted Project
sbassett triaged T238167: Develop "security testing toolboxes" (Node/JS) for manual security reviews as Normal priority.
Tue, Nov 12, 11:16 PM · Security-Team, Restricted Project
sbassett created T238167: Develop "security testing toolboxes" (Node/JS) for manual security reviews.
Tue, Nov 12, 11:16 PM · Security-Team, Restricted Project
sbassett renamed T221477: Develop "security testing toolboxes" (PHP) for manual security reviews from Develop "security testing toolboxes" for manual security reviews, push to wikimedia/security/tooling repo to Develop "security testing toolboxes" (PHP) for manual security reviews.
Tue, Nov 12, 11:14 PM · Security-Team
sbassett moved T221477: Develop "security testing toolboxes" (PHP) for manual security reviews from In Progress to Done on the Security-Team board.
Tue, Nov 12, 11:14 PM · Security-Team
sbassett closed T221477: Develop "security testing toolboxes" (PHP) for manual security reviews as Resolved.
Tue, Nov 12, 11:14 PM · Security-Team
sbassett removed projects from T221477: Develop "security testing toolboxes" (PHP) for manual security reviews: Patch-For-Review, Restricted Project.
Tue, Nov 12, 11:13 PM · Security-Team
sbassett changed the status of Restricted Task, a subtask of T177433: Develop HTML Content API to be used with companion structured JSON APIs, from Open to Stalled.
Tue, Nov 12, 11:10 PM · Product-Infrastructure-Team-Backlog, Epic, Page Content Service, Reading Epics (Platform JS CSS and HTML consolidation)
sbassett removed projects from T227209: Security Review For Parsoid-PHP: Patch-For-Review, Restricted Project.
Tue, Nov 12, 11:07 PM · Parsoid-PHP, Security-Team-Reviews
sbassett moved T227209: Security Review For Parsoid-PHP from Awaiting remediation to Archive on the Security-Team-Reviews board.
Tue, Nov 12, 11:07 PM · Parsoid-PHP, Security-Team-Reviews
sbassett closed T227209: Security Review For Parsoid-PHP, a subtask of T229015: Tracking: Direct live production traffic at Parsoid/PHP, as Resolved.
Tue, Nov 12, 11:07 PM · Core Platform Team, User-WDoran, Parsoid-PHP
sbassett closed T227209: Security Review For Parsoid-PHP as Resolved.
Tue, Nov 12, 11:07 PM · Parsoid-PHP, Security-Team-Reviews
sbassett added a comment to T227209: Security Review For Parsoid-PHP.

phan-taint-check-plugin@latest (either 2.1.0 or master) and mediawiki-phan-config@0.8.0 seem to have incompatible constraints in the version of phan required.
I'm going to leave that patch as WIP until that can be rectified but otherwise consider the above concerns addressed.

Tue, Nov 12, 11:06 PM · Parsoid-PHP, Security-Team-Reviews
sbassett changed the visibility for T233213: XSS in Wikidata Query Service UI.
Tue, Nov 12, 8:42 PM · Discovery-Search (Current work), User-Addshore, Wikidata-Campsite (Wikidata-Campsite-Iteration-∞), Vuln-XSS, Wikidata, Wikidata Query UI, Security
sbassett added a comment to T233213: XSS in Wikidata Query Service UI.

@JBennett I think we can make this public now?
I had a quick flick through the comments and don't see anything private in here.

Tue, Nov 12, 8:42 PM · Discovery-Search (Current work), User-Addshore, Wikidata-Campsite (Wikidata-Campsite-Iteration-∞), Vuln-XSS, Wikidata, Wikidata Query UI, Security
sbassett added a comment to T237887: Old public versions of private filters are publicly viewable (CVE-2019-18987).

Sure, I assume you mean 1) CVE 2) backports 3) tracking at T234983 and then making this task public?

Yes.

Tue, Nov 12, 8:34 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), User-Urbanecm, AbuseFilter, Security
sbassett added a comment to T237887: Old public versions of private filters are publicly viewable (CVE-2019-18987).

19:18 <Urbanecm> !log Deploy security patch for T237887

@sbassett Could you do the final honours?

Tue, Nov 12, 8:18 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), User-Urbanecm, AbuseFilter, Security
sbassett added a comment to T238072: Alert group HTML form without CSRF protection.

Some further discussions of this oft-reported issue: T14945, T40417.

Tue, Nov 12, 4:55 PM · Security
sbassett changed the visibility for T238071: Alert group Development configuration file.
Tue, Nov 12, 4:48 PM · Security
sbassett triaged T238071: Alert group Development configuration file as Lowest priority.

Extremely low-level information disclosure of various configuration files is not typically considered a vulnerability for FLOSS code such as MediaWiki, as said configuration files are publicly available in various repositories. This is both known and intentional. Additionally, such files can often be deleted once MediaWiki has been installed and configured. A web server running MediaWiki can also be configured not to serve such files.

Tue, Nov 12, 4:48 PM · Security
sbassett changed the visibility for T238070: Alert group Development configuration file.
Tue, Nov 12, 4:48 PM · Security
sbassett triaged T238070: Alert group Development configuration file as Lowest priority.

Extremely low-level information disclosure of various configuration files is not typically considered a vulnerability for FLOSS code such as MediaWiki, as said configuration files are publicly available in various repositories. This is both known and intentional. Additionally, such files can often be deleted once MediaWiki has been installed and configured. A web server running MediaWiki can also be configured not to serve such files.

Tue, Nov 12, 4:47 PM · Security
sbassett triaged T238079: Alert group Possible sensitive files as Lowest priority.

Extremely low-level information disclosure of various configuration files is not typically considered a vulnerability for FLOSS code such as MediaWiki, as said configuration files are publicly available in various repositories. This is both known and intentional. Additionally, such files can often be deleted once MediaWiki has been installed and configured. A web server running MediaWiki can also be configured not to serve such files.

Tue, Nov 12, 4:47 PM · Security
sbassett changed the visibility for T238077: Alert group Documentation file.
Tue, Nov 12, 4:45 PM · Security
sbassett changed the visibility for T238078: Alert group Documentation file.
Tue, Nov 12, 4:45 PM · Security
sbassett changed the status of T238078: Alert group Documentation file from Declined to Invalid.

Extremely low-level information disclosure of various configuration files is not typically considered a vulnerability for FLOSS code such as MediaWiki, as said configuration files are publicly available in various repositories. This is both known and intentional. Additionally, such files can often be deleted once MediaWiki has been installed and configured. A web server running MediaWiki can also be configured not to serve such files.

Tue, Nov 12, 4:45 PM · Security
sbassett changed the status of T238077: Alert group Documentation file from Declined to Invalid.

Extremely low-level information disclosure of various configuration files is not typically considered a vulnerability for FLOSS code such as MediaWiki, as said configuration files are publicly available in various repositories. This is both known and intentional. Additionally, such files can often be deleted once MediaWiki has been installed and configured. A web server running MediaWiki can also be configured not to serve such files.

Tue, Nov 12, 4:44 PM · Security
sbassett added a comment to T238073: Alert group HTTPS connection with weak key length.

Unrelated to Wikimedia production sites.

Tue, Nov 12, 4:42 PM · Security
sbassett changed the visibility for T238068: Alert group Development configuration file.
Tue, Nov 12, 4:15 PM · Security
sbassett triaged T238068: Alert group Development configuration file as Lowest priority.

Extremely low-level information disclosure of various configuration files is not typically considered a vulnerability for FLOSS code such as MediaWiki, as said configuration files are publicly available in various repositories. This is both known and intentional. Additionally, such files can often be deleted once MediaWiki has been installed and configured. A web server running MediaWiki can also be configured not to serve such files.

Tue, Nov 12, 4:15 PM · Security
sbassett changed the visibility for T238069: Alert group Development configuration file.
Tue, Nov 12, 4:14 PM · Security
sbassett triaged T238069: Alert group Development configuration file as Lowest priority.

Extremely low-level information disclosure of various configuration files is not typically considered a vulnerability for FLOSS code such as MediaWiki, as said configuration files are publicly available in various repositories. This is both known and intentional. Additionally, such files can often be deleted once MediaWiki has been installed and configured. A web server running MediaWiki can also be configured not to serve such files.

Tue, Nov 12, 4:14 PM · Security
sbassett changed the visibility for T238059: Alert group: Git repository found.
Tue, Nov 12, 4:13 PM · Security
sbassett triaged T238059: Alert group: Git repository found as Lowest priority.

Extremely low-level information disclosure of various configuration files is not typically considered a vulnerability for FLOSS code such as MediaWiki, as said configuration files are publicly available in various repositories. This is both known and intentional. Additionally, such files can often be deleted once MediaWiki has been installed and configured. A web server running MediaWiki can also be configured not to serve such files.

Tue, Nov 12, 4:13 PM · Security
sbassett added a comment to T238067: Alert group Development configuration file.

Extremely low-level information disclosure of various configuration files is not typically considered a vulnerability for FLOSS code such as MediaWiki, as said configuration files are publicly available in various repositories. This is both known and intentional. Additionally, such files can often be deleted once MediaWiki has been installed and configured. A web server running MediaWiki can also be configured not to serve such files.

Tue, Nov 12, 4:12 PM · Security
sbassett triaged T238067: Alert group Development configuration file as Lowest priority.
Tue, Nov 12, 4:06 PM · Security
sbassett changed the visibility for T238066: Alert group Cross site scripting (content-sniffing).
Tue, Nov 12, 4:04 PM · Security
sbassett closed T238066: Alert group Cross site scripting (content-sniffing) as Invalid.

The <ScRiPt%20>BL79(9647)</ScRiPt> XSS payload referenced within the output of the automated security scan above is returned as part of a JSON response from the MediaWiki action API with a content-type of application/json. No modern web browsers should be rendering this content as HTML where such a naive XSS payload would be executed. Additionally, the output appears to be properly sanitized when the action API results are returned as HTML (format=html). Resolving as invalid.

Tue, Nov 12, 4:04 PM · Security
sbassett changed the visibility for T238065: Alert group Cross site scripting (content-sniffing).
Tue, Nov 12, 4:02 PM · Security
sbassett closed T238065: Alert group Cross site scripting (content-sniffing) as Invalid.

The <ScRiPt%20>BL79(9647)</ScRiPt> XSS payload referenced within the output of the automated security scan above is returned as part of a JSON response from the MediaWiki action API with a content-type of application/json. No modern web browsers should be rendering this content as HTML where such a naive XSS payload would be executed. Additionally, the output appears to be properly sanitized when the action API results are returned as HTML (format=html). Resolving as invalid.

Tue, Nov 12, 4:02 PM · Security
sbassett moved T238062: Alert group: BREACH attack from Backlog / Other to Done on the Security board.
Tue, Nov 12, 3:59 PM · Security
sbassett triaged T238062: Alert group: BREACH attack as Lowest priority.
Tue, Nov 12, 3:59 PM · Security
sbassett moved T238063: Alert group: Cross site scripting (content-sniffing) from Backlog / Other to Done on the Security board.
Tue, Nov 12, 3:56 PM · Security
sbassett triaged T238063: Alert group: Cross site scripting (content-sniffing) as Lowest priority.
Tue, Nov 12, 3:56 PM · Security
sbassett closed T238063: Alert group: Cross site scripting (content-sniffing) as Invalid.

The <ScRiPt%20>BL79(9647)</ScRiPt> XSS payload referenced within the output of the automated security scan above is returned as part of a JSON response from the MediaWiki action API with a content-type of application/json. No modern web browsers should be rendering this content as HTML where such a naive XSS payload would be executed. Additionally, the output appears to be properly sanitized when the action API results are returned as HTML (format=html). Resolving as invalid.

Tue, Nov 12, 3:56 PM · Security
sbassett closed T238062: Alert group: BREACH attack as Invalid.

This is unrelated to any Wikimedia production website or project and is instead an issue with the website against which this scan was run: wikicod.ir. Resolving as invalid.

Tue, Nov 12, 3:48 PM · Security
sbassett added a comment to T238060: Alert group: JSONP enabled by default in MappingJackson2JsonView.

The output of the automated security scan pasted above appears to reference a JSONP-related vulnerability for the Java Spring framework. MediaWiki is written in PHP and does not use Java for any of its core components, so this is a false positive. While we appreciate anybody taking the time to investigate security-related issues within MediaWiki or any other Wikimedia code, filing Phabricator tasks for false positives like this, for extremely low-level information disclosure vulnerabilities which are most likely invalid for FLOSS code, for issues which have not been thoroughly investigated and are provided without explicit steps for reproduction, or where an existing Phabricator task already exists is, at best, very unhelpful. Additionally, please find and review our published steps for responsibly reporting security issues.

Tue, Nov 12, 3:43 PM · Security

Thu, Nov 7

sbassett added a comment to T237449: wikimedia/security gerrit requests.

Can we update the wikimedia-security group to include @Dsharpe and @JFishback_WMF?

Done.

Thu, Nov 7, 4:47 PM · Release-Engineering-Team-TODO (201911), Gerrit, Security-Team, Release-Engineering-Team

Wed, Nov 6

sbassett reopened T227346: Security readiness review for the MachineVision extension, a subtask of T226119: Build middleware to utilize machine vision API for structured data on commons depicts tag suggestion tool, as Open.
Wed, Nov 6, 8:06 PM · Epic, Machine vision, Product-Infrastructure-Team-Backlog
sbassett reopened T227346: Security readiness review for the MachineVision extension, a subtask of T227349: Deploy the MachineVision extension to production, as Open.
Wed, Nov 6, 8:06 PM · Product-Infrastructure-Team-Backlog (Kanban), Machine vision
sbassett reopened T227346: Security readiness review for the MachineVision extension as "Open".
Wed, Nov 6, 8:06 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), Patch-For-Review, Restricted Project, Security-Team-Reviews, Product-Infrastructure-Team-Backlog, Machine vision
sbassett moved T230140: Security Review For MediaWiki REST API infrastructure from In Progress to Archive on the Security-Team-Reviews board.
Wed, Nov 6, 8:06 PM · Security-Team-Reviews
sbassett moved T235720: Security concept review for newcomer tasks on Special:Homepage from In Progress to Awaiting remediation on the Security-Team-Reviews board.
Wed, Nov 6, 8:05 PM · Privacy, Growth-Team (Current Sprint), GrowthExperiments-Homepage, Security-Team-Reviews
sbassett added a comment to T227346: Security readiness review for the MachineVision extension.

Thanks for digging in on that, @sbassett. I imagine the htmlentities call was originally included out of habit when constructing a URL, but in this case the $id values will only be valid Wikidata IDs (i.e., 'Q' followed by a positive integer) from the DB and thus would need no escaping (even if they weren't escaped anyway within Html::element). I've submitted a new patch to remove the htmlentities call and the Phan suppression.

Wed, Nov 6, 7:52 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), Patch-For-Review, Restricted Project, Security-Team-Reviews, Product-Infrastructure-Team-Backlog, Machine vision

Tue, Nov 5

sbassett added a comment to T227346: Security readiness review for the MachineVision extension.

About that SecurityCheck-DoubleEscaped suppression, the rule is in fact triggered in CI if the suppression is removed:

Interesting. I think that may be a bug - I'll file one for the phan-taint-check-plugin project. But yes, it obviously needs to be suppressed for now.

Tue, Nov 5, 9:13 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), Patch-For-Review, Restricted Project, Security-Team-Reviews, Product-Infrastructure-Team-Backlog, Machine vision
sbassett moved T237449: wikimedia/security gerrit requests from Backlog to Watching on the Security-Team board.
Tue, Nov 5, 7:32 PM · Release-Engineering-Team-TODO (201911), Gerrit, Security-Team, Release-Engineering-Team
sbassett added projects to T237449: wikimedia/security gerrit requests: Release-Engineering-Team, Release-Engineering-Team-TODO, Security-Team.
Tue, Nov 5, 7:32 PM · Release-Engineering-Team-TODO (201911), Gerrit, Security-Team, Release-Engineering-Team
sbassett created T237449: wikimedia/security gerrit requests.
Tue, Nov 5, 7:31 PM · Release-Engineering-Team-TODO (201911), Gerrit, Security-Team, Release-Engineering-Team
sbassett added a comment to T227346: Security readiness review for the MachineVision extension.

About that SecurityCheck-DoubleEscaped suppression, the rule is in fact triggered in CI if the suppression is removed:

Tue, Nov 5, 3:51 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), Patch-For-Review, Restricted Project, Security-Team-Reviews, Product-Infrastructure-Team-Backlog, Machine vision

Mon, Nov 4

sbassett added a comment to T237118: Offboard Raz Shuty from various Wikimedia systems.

@WMDE-leszek Excellent, thanks.

Mon, Nov 4, 5:31 PM · LDAP-Access-Requests, Security-Team, Operations
sbassett added a comment to T237118: Offboard Raz Shuty from various Wikimedia systems.
  • "Tag {{former staff}} on any relevant project user profile pages" isn't done as part of the offboarding steps handled by SRE. If someone deals with that, then I'm not sure who :-)
Mon, Nov 4, 5:18 PM · LDAP-Access-Requests, Security-Team, Operations

Fri, Nov 1

sbassett moved T227346: Security readiness review for the MachineVision extension from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Fri, Nov 1, 10:16 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), Patch-For-Review, Restricted Project, Security-Team-Reviews, Product-Infrastructure-Team-Backlog, Machine vision
sbassett moved T227346: Security readiness review for the MachineVision extension from In Progress to Awaiting remediation on the Security-Team-Reviews board.
Fri, Nov 1, 10:16 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), Patch-For-Review, Restricted Project, Security-Team-Reviews, Product-Infrastructure-Team-Backlog, Machine vision
sbassett added a comment to T227346: Security readiness review for the MachineVision extension.

Note: the above is a fairly basic review. I didn't focus on any performance-related issues as they pertain to security, as I'm hoping that's happening in T230813. I might also play around with the ext from a black box perspective next week with @Mholloway's docker environment. At a cursory review, r547555 and r547688 both look fine to me, but I might also review those a bit more next week. But none of this should block any deployments, etc.

Fri, Nov 1, 10:15 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), Patch-For-Review, Restricted Project, Security-Team-Reviews, Product-Infrastructure-Team-Backlog, Machine vision
sbassett added a comment to T227346: Security readiness review for the MachineVision extension.

Security Review Summary - T227346 - 2019-11-01
Overall, the MachineVision extension looks pretty good. There are a handful of issues below, but nothing I would categorize as above low for right now.

Fri, Nov 1, 10:11 PM · MW-1.35-notes (1.35.0-wmf.8; 2019-11-26), Patch-For-Review, Restricted Project, Security-Team-Reviews, Product-Infrastructure-Team-Backlog, Machine vision
sbassett moved T221477: Develop "security testing toolboxes" (PHP) for manual security reviews from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Fri, Nov 1, 7:07 PM · Security-Team
sbassett updated the task description for T221477: Develop "security testing toolboxes" (PHP) for manual security reviews.
Fri, Nov 1, 6:39 PM · Security-Team
sbassett raised the priority of T221477: Develop "security testing toolboxes" (PHP) for manual security reviews from Low to Normal.
Fri, Nov 1, 6:38 PM · Security-Team
sbassett added a comment to T237118: Offboard Raz Shuty from various Wikimedia systems.

@WMDE-leszek - no problem, I was just trying to be proactive :)

Fri, Nov 1, 6:20 PM · LDAP-Access-Requests, Security-Team, Operations
sbassett updated the task description for T237118: Offboard Raz Shuty from various Wikimedia systems.
Fri, Nov 1, 4:38 PM · LDAP-Access-Requests, Security-Team, Operations
sbassett renamed T237118: Offboard Raz Shuty from various Wikimedia systems from Offboard Raz Shuty from Wikimedia Tools, Etc. to Offboard Raz Shuty from various Wikimedia systems.
Fri, Nov 1, 4:16 PM · LDAP-Access-Requests, Security-Team, Operations
sbassett triaged T237118: Offboard Raz Shuty from various Wikimedia systems as Normal priority.
Fri, Nov 1, 4:15 PM · LDAP-Access-Requests, Security-Team, Operations
sbassett moved T237118: Offboard Raz Shuty from various Wikimedia systems from Backlog to Watching on the Security-Team board.
Fri, Nov 1, 4:15 PM · LDAP-Access-Requests, Security-Team, Operations
sbassett created T237118: Offboard Raz Shuty from various Wikimedia systems.
Fri, Nov 1, 4:15 PM · LDAP-Access-Requests, Security-Team, Operations

Thu, Oct 31

sbassett closed T104807: Older hidden versions of a currently-public AbuseFilter are exposed via diffs (CVE-2019-18612) as Resolved.
Thu, Oct 31, 4:05 PM · MW-1.35-notes (1.35.0-wmf.4; 2019-10-29), Vuln-Infoleak, Security-Extensions, Security, AbuseFilter

Wed, Oct 30

sbassett changed the visibility for T236098: Security review for T235209 (Monthly convert: set hide cookie when modal loads).
Wed, Oct 30, 3:47 PM · Security-Team, Security
sbassett moved T236098: Security review for T235209 (Monthly convert: set hide cookie when modal loads) from Backlog / Other to Done on the Security board.
Wed, Oct 30, 3:39 PM · Security-Team, Security
sbassett closed T236098: Security review for T235209 (Monthly convert: set hide cookie when modal loads), a subtask of T235209: Monthly convert: set hide cookie when modal loads, as Resolved.
Wed, Oct 30, 3:39 PM · MW-1.35-notes (1.35.0-wmf.5; 2019-11-05), Fundraising Sprint Visual Basic Instinct, Fundraising Sprint Usual Subscripts, Fundraising-Backlog
sbassett closed T236098: Security review for T235209 (Monthly convert: set hide cookie when modal loads) as Resolved.

As discussed per the meeting today (2019-10-19) and via @Ejegg's email, the Security-Team is comfortable with this change in functionality and would assign a low risk for this change. Please let us know if any further issues arrive and feel free to keep us apprised of any movement away from using iframes or similar elements within these payment contexts.

Wed, Oct 30, 3:39 PM · Security-Team, Security

Tue, Oct 29

sbassett added a comment to T104807: Older hidden versions of a currently-public AbuseFilter are exposed via diffs (CVE-2019-18612).

@Daimona - great, thanks for the help! Once the remaining backports are merged, I'll resolve this task.

Tue, Oct 29, 5:22 PM · MW-1.35-notes (1.35.0-wmf.4; 2019-10-29), Vuln-Infoleak, Security-Extensions, Security, AbuseFilter
sbassett added a comment to T226945: Decide on future of running Phan tests on release branches.

We absolutely need phan for release branches. Many of the regressions in previous releases could've been caught if phan were running.

This. It's just too easy to introduce regressions when backporting changes, especially big changes like security changes. Example: https://gerrit.wikimedia.org/r/#/q/Ie23e8234ae550273bf3f6f9c5ac45b7fc54eec2a this would've broken 1.3[123], but no tests failed.

Tue, Oct 29, 5:22 PM · Patch-For-Review, Continuous-Integration-Config, phan, MW-1.32-release, MW-1.31-release, MediaWiki-Core-Testing
sbassett removed a project from T234862: Verify that the MediaWiki API is not leaking Oversighted edit summaries within CheckUser results (CVE-2019-18611): Restricted Project.
Tue, Oct 29, 3:53 PM · MW-1.35-notes (1.35.0-wmf.4; 2019-10-29), User-Urbanecm, Vuln-Infoleak, MediaWiki-API, CheckUser, Security
sbassett moved T227820: (informal) Security Concept Review For LibUp 2.0 from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Tue, Oct 29, 3:53 PM · Restricted Project, LibUp, Security-Team-Reviews
sbassett moved T227591: Security Concept Review for the machine vision middleware project from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Tue, Oct 29, 3:53 PM · Restricted Project, Machine vision, Product-Infrastructure-Team-Backlog, Security-Team-Reviews
sbassett moved T216419: Security review - Wikibase Termbox Front End from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Tue, Oct 29, 3:53 PM · Restricted Project, Security-Team-Reviews
sbassett moved T234862: Verify that the MediaWiki API is not leaking Oversighted edit summaries within CheckUser results (CVE-2019-18611) from Restricted Project Column to Restricted Project Column on the Restricted Project board.
Tue, Oct 29, 3:53 PM · MW-1.35-notes (1.35.0-wmf.4; 2019-10-29), User-Urbanecm, Vuln-Infoleak, MediaWiki-API, CheckUser, Security
sbassett renamed T104807: Older hidden versions of a currently-public AbuseFilter are exposed via diffs (CVE-2019-18612) from Older hidden versions of a currently-public AbuseFilter are exposed via diffs to Older hidden versions of a currently-public AbuseFilter are exposed via diffs (CVE-2019-18612).
Tue, Oct 29, 3:51 PM · MW-1.35-notes (1.35.0-wmf.4; 2019-10-29), Vuln-Infoleak, Security-Extensions, Security, AbuseFilter
sbassett closed T234862: Verify that the MediaWiki API is not leaking Oversighted edit summaries within CheckUser results (CVE-2019-18611) as Resolved.
Tue, Oct 29, 3:50 PM · MW-1.35-notes (1.35.0-wmf.4; 2019-10-29), User-Urbanecm, Vuln-Infoleak, MediaWiki-API, CheckUser, Security
sbassett renamed T234862: Verify that the MediaWiki API is not leaking Oversighted edit summaries within CheckUser results (CVE-2019-18611) from Verify that the MediaWiki API is not leaking Oversighted edit summaries within CheckUser results to Verify that the MediaWiki API is not leaking Oversighted edit summaries within CheckUser results (CVE-2019-18611).
Tue, Oct 29, 3:48 PM · MW-1.35-notes (1.35.0-wmf.4; 2019-10-29), User-Urbanecm, Vuln-Infoleak, MediaWiki-API, CheckUser, Security
sbassett removed a project from T223463: (2019-09) Create secteam groups in admin.yaml and define permissions: Restricted Project.
Tue, Oct 29, 3:21 PM · SRE-Access-Requests, Operations, Security-Team, Patch-For-Review