
sbassett (Scott Bassett)
Application Security Engineer

User Details

User Since
Sep 12 2018, 3:52 PM (111 w, 16 h)
Availability
Available
IRC Nick
sbassett
LDAP User
SBassett
MediaWiki User
SBassett (WMF) [ Global Accounts ]

Member of the Security-Team. My user-sbassett board should be fairly up-to-date, though we also track some other work within Asana these days.

Recent Activity

Yesterday

sbassett committed rERGU2ff6abc3052d: [SECURITY] Run stored, user-generated input from DB through htmlspecialchars()… (authored by sbassett).
[SECURITY] Run stored, user-generated input from DB through htmlspecialchars()…
Wed, Oct 28, 7:43 PM
sbassett renamed T266400: RandomGameUnit: Stored XSS (CVE-2020-27957) from RandomGameUnit: Stored XSS to RandomGameUnit: Stored XSS (CVE-2020-27957).
Wed, Oct 28, 7:35 PM · Patch-For-Review, Social-Tools, Vuln-XSS, RandomGameUnit, Security
sbassett claimed T262963: Security Readiness Review For geoip2/geoip2.
Wed, Oct 28, 4:25 PM · user-sbassett, Security, Security Readiness Reviews, secscrum, Anti-Harassment, IP Info, MediaWiki-Vendor
sbassett moved T257579: Security Readiness Review For WVUI and Vector dependencies needed for Vue.js search from In Progress to Waiting on the user-sbassett board.
Wed, Oct 28, 4:24 PM · user-sbassett, Readers-Web-Backlog (Tracking), secscrum, Security, Vue.js (Vue.js-Search)
sbassett moved T257579: Security Readiness Review For WVUI and Vector dependencies needed for Vue.js search from In Progress to Waiting on the secscrum board.
Wed, Oct 28, 4:24 PM · user-sbassett, Readers-Web-Backlog (Tracking), secscrum, Security, Vue.js (Vue.js-Search)
sbassett changed the status of T257734: Security Readiness Review For Vue version 3 from Open to Stalled.
Wed, Oct 28, 4:23 PM · user-sbassett, Security Readiness Reviews, secscrum, Security, Vue.js
sbassett changed the status of T257734: Security Readiness Review For Vue version 3, a subtask of T251974: Pre-plan Vue 2 to Vue 3 migration, from Open to Stalled.
Wed, Oct 28, 4:23 PM · Vue.js
sbassett moved T257734: Security Readiness Review For Vue version 3 from In Progress to Waiting on the secscrum board.
Wed, Oct 28, 4:23 PM · user-sbassett, Security Readiness Reviews, secscrum, Security, Vue.js
sbassett triaged T266513: Security Readiness Review For the MediaSearch extension as Low priority.
Wed, Oct 28, 4:14 PM · Security, secscrum, Security Readiness Reviews
sbassett triaged T266510: Security Readiness Review For Diff Blog oAuth plugin as Medium priority.
Wed, Oct 28, 4:13 PM · secscrum, Security, Security Readiness Reviews

Tue, Oct 27

sbassett moved T266512: Request access to toolforge "security" tool from Waiting to Done on the user-sbassett board.
Tue, Oct 27, 4:06 PM · user-sbassett, Toolforge, cloud-services-team (Kanban)
sbassett added a comment to T266512: Request access to toolforge "security" tool.

SBassett is already listed as a maintainer.

Tue, Oct 27, 4:06 PM · user-sbassett, Toolforge, cloud-services-team (Kanban)

Mon, Oct 26

sbassett moved T266512: Request access to toolforge "security" tool from Backlog to Waiting on the user-sbassett board.
Mon, Oct 26, 9:57 PM · user-sbassett, Toolforge, cloud-services-team (Kanban)
sbassett created T266512: Request access to toolforge "security" tool.
Mon, Oct 26, 9:57 PM · user-sbassett, Toolforge, cloud-services-team (Kanban)
sbassett added a comment to T101017: Early security release access for Lcawte (ShoutWiki).

@ema - I'll bring it up as a topic at our team meeting on 2020-10-27. Since this would become a new process for the Security-Team to manage, we'd need to work out a few more policy specifics.

Mon, Oct 26, 4:58 PM · user-sbassett, Security-Team, ShoutWiki, WMF-Legal, WMF-NDA-Requests
sbassett moved T265923: Reclaim @security_team_bot from Incoming to Our Part Is Done on the Security-Team board.
Mon, Oct 26, 3:13 PM · Security-Team, Phabricator-Bot-Requests, Release-Engineering-Team

Thu, Oct 22

sbassett added a comment to T264101: Find a way for the push service to authenticate to MediaWiki in beta and production.

@MSantos:

  1. Are there major technical reasons why the deployment-mediawiki instance can't support TLS connections? Given T235411, it will likely have to at some point, no? Unless no other services use beta in this way and never will.
  2. I'd agree that implementing authentication for option 3 is likely a good idea as an extra layer of security, despite internal-only rest requests hopefully being pretty safe. PKI is the most standard way of doing this over potentially-unencrypted channels, even if it seems a bit heavy in this case. I suppose a shared secret could also work, perhaps as an hmac transaction, but that would be less secure and involve more consideration of replay attacks, time-based expirations, etc.
Thu, Oct 22, 9:48 PM · Platform Engineering, Patch-For-Review, Product-Infrastructure-Team-Backlog (Kanban), Push-Notification-Service
sbassett renamed T265810: mw-ext-FileImporter uses a WMF IP address, does not include XFF for users using this extension (CVE-2020-27621) from mw-ext-FileImporter uses a WMF IP address, does not include XFF for users using this extension to mw-ext-FileImporter uses a WMF IP address, does not include XFF for users using this extension (CVE-2020-27621).
Thu, Oct 22, 8:28 PM · MW-1.36-notes (1.36.0-wmf.13; 2020-10-12), WMDE-QWERTY-Sprint-2020-10-07, Unplanned-Sprint-Work, Move-Files-To-Commons, Security, Security-Team
sbassett renamed T265440: Cosmos skin: Mix used of wfMessage() calls with no output mode and Html::rawElement (CVE-2020-27620) from Cosmos skin: Mix used of wfMessage() calls with no output mode and Html::rawElement to Cosmos skin: Mix used of wfMessage() calls with no output mode and Html::rawElement (CVE-2020-27620).
Thu, Oct 22, 8:27 PM · Cosmos, Vuln-XSS, Security

Tue, Oct 20

sbassett added a comment to T257579: Security Readiness Review For WVUI and Vector dependencies needed for Vue.js search.

Hey @Niedzielski - I just wanted to check in and see if there are any updates on desired deployment dates. I still plan to finish this review sometime this month, but was hoping to maybe set a more specific date/time based on your current estimates. Thanks.

Tue, Oct 20, 9:35 PM · user-sbassett, Readers-Web-Backlog (Tracking), secscrum, Security, Vue.js (Vue.js-Search)
sbassett moved T265810: mw-ext-FileImporter uses a WMF IP address, does not include XFF for users using this extension (CVE-2020-27621) from Watching to Our Part Is Done on the Security-Team board.
Tue, Oct 20, 4:14 PM · MW-1.36-notes (1.36.0-wmf.13; 2020-10-12), WMDE-QWERTY-Sprint-2020-10-07, Unplanned-Sprint-Work, Move-Files-To-Commons, Security, Security-Team
sbassett triaged T265810: mw-ext-FileImporter uses a WMF IP address, does not include XFF for users using this extension (CVE-2020-27621) as Low priority.
Tue, Oct 20, 4:12 PM · MW-1.36-notes (1.36.0-wmf.13; 2020-10-12), WMDE-QWERTY-Sprint-2020-10-07, Unplanned-Sprint-Work, Move-Files-To-Commons, Security, Security-Team
sbassett added a comment to T265923: Reclaim @security_team_bot.

Is there any point changing the email of the account?

I don't think so - it can be invalid and whatever. See also https://www.mediawiki.org/wiki/Phabricator/Bots#Acquiring_a_bot

Tue, Oct 20, 12:47 AM · Security-Team, Phabricator-Bot-Requests, Release-Engineering-Team

Mon, Oct 19

sbassett added a comment to T265440: Cosmos skin: Mix used of wfMessage() calls with no output mode and Html::rawElement (CVE-2020-27620).

@sbassett Thanks for clearing that up. And yeah I'm not sure, it looks like I'm still not able to see the task unfortunately?

Mon, Oct 19, 5:17 PM · Cosmos, Vuln-XSS, Security
sbassett added a comment to T265440: Cosmos skin: Mix used of wfMessage() calls with no output mode and Html::rawElement (CVE-2020-27620).

@SamanthaNguyen - Ok, I've resolved this task and made it public. T263810 is just the tracking task for the quarterly-ish supplemental exts/skins announcement (recent example: https://lists.wikimedia.org/pipermail/wikitech-l/2020-September/093904.html). I subbed you to the task, but perhaps that's not enough to override the current security setting.

Mon, Oct 19, 5:12 PM · Cosmos, Vuln-XSS, Security
sbassett closed T265440: Cosmos skin: Mix used of wfMessage() calls with no output mode and Html::rawElement (CVE-2020-27620) as Resolved.
Mon, Oct 19, 5:09 PM · Cosmos, Vuln-XSS, Security
sbassett moved T246449: Security Issue Access Request for 2020 Stewards from Backlog to Acknowledged on the Operations board.
Mon, Oct 19, 4:28 PM · Operations, Security-Team, Stewards-and-global-tools, Security, User-revi
sbassett moved T246449: Security Issue Access Request for 2020 Stewards from Untriaged to Low priority on the Stewards-and-global-tools board.
Mon, Oct 19, 4:28 PM · Operations, Security-Team, Stewards-and-global-tools, Security, User-revi
sbassett moved T246449: Security Issue Access Request for 2020 Stewards from Waiting to Our Part Is Done on the Security-Team board.
Mon, Oct 19, 4:28 PM · Operations, Security-Team, Stewards-and-global-tools, Security, User-revi
sbassett closed T246449: Security Issue Access Request for 2020 Stewards as Resolved.
Mon, Oct 19, 4:28 PM · Operations, Security-Team, Stewards-and-global-tools, Security, User-revi
sbassett added a comment to T246449: Security Issue Access Request for 2020 Stewards.

@Krd - you are now added. Resolving this task for now.

Mon, Oct 19, 4:26 PM · Operations, Security-Team, Stewards-and-global-tools, Security, User-revi
sbassett added a member for acl*security_steward: Krd.
Mon, Oct 19, 4:25 PM
sbassett added a comment to T265147: Offboard Chase Pettet from Security Team.

Thanks, @MoritzMuehlenhoff. I think we just have the two open subtasks left and then we can close this out.

Mon, Oct 19, 4:25 PM · Operations, Security-Team
sbassett updated the task description for T265147: Offboard Chase Pettet from Security Team.
Mon, Oct 19, 4:24 PM · Operations, Security-Team
sbassett added a comment to T265440: Cosmos skin: Mix used of wfMessage() calls with no output mode and Html::rawElement (CVE-2020-27620).

@SamanthaNguyen - I'm not seeing anything on the task that would necessitate this remaining private, so we can make it public if you'd like, just let us know (if you don't have permissions to do so). Also, we can track this at T263810 for increased visibility if you'd like.

Mon, Oct 19, 4:19 PM · Cosmos, Vuln-XSS, Security
sbassett assigned T265147: Offboard Chase Pettet from Security Team to Reedy.
Mon, Oct 19, 3:20 PM · Operations, Security-Team
sbassett removed a project from T154133: Allow acl*otrs-admins to access hidden OTRS Tasks: Security-Team.
Mon, Oct 19, 3:11 PM · Phabricator

Fri, Oct 16

sbassett updated the task description for T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 16, 7:53 PM · Operations, Security-Team
sbassett removed a member for Trusted-Contributors: chasemp.
Fri, Oct 16, 7:53 PM
sbassett removed a member for Security-Team: chasemp.
Fri, Oct 16, 7:50 PM
sbassett updated the task description for T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 16, 7:47 PM · Operations, Security-Team
sbassett updated the task description for T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 16, 7:31 PM · Operations, Security-Team

Thu, Oct 15

sbassett moved T260236: Security Readiness Review For Section Translation from In Progress to Backlog on the user-sbassett board.
Thu, Oct 15, 4:43 PM · user-sbassett, SectionTranslation, Security, secscrum, Security Readiness Reviews
sbassett changed the status of T260236: Security Readiness Review For Section Translation from Open to Stalled.

Ok, thanks for the update, @Pginer-WMF. I'm going to stall this task for now and drop it into our backlog for the time being. If you or one of the developers can ping me on-task sometime by the middle or end of November, signaling when significant development has been completed, we can agree to some commit shas as a freezing point and a more specific timeline for the review to be completed.

Thu, Oct 15, 4:43 PM · user-sbassett, SectionTranslation, Security, secscrum, Security Readiness Reviews
sbassett updated subscribers of T265606: CheckUserLog invisible on meta, mediawiki.org, wikidata, but visible on kowiki.
Thu, Oct 15, 2:34 PM · MW-1.36-notes (1.36.0-wmf.13; 2020-10-12), User-Urbanecm, CheckUser, Regression, User-revi, Security, Security-Team
sbassett added a comment to T265606: CheckUserLog invisible on meta, mediawiki.org, wikidata, but visible on kowiki.

This was caused by https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CheckUser/+/494638, and merely reverting that patch should fix this.

Thu, Oct 15, 2:34 PM · MW-1.36-notes (1.36.0-wmf.13; 2020-10-12), User-Urbanecm, CheckUser, Regression, User-revi, Security, Security-Team

Wed, Oct 14

sbassett closed T264501: "toggle Desktop/Mobile view" misbehaves on HTTP sites as Resolved.
Wed, Oct 14, 8:52 PM · MW-1.36-notes (1.36.0-wmf.13; 2020-10-12), Reading-Web-Third-Party-Support, Security-Team, MobileFrontend
sbassett added a comment to T260236: Security Readiness Review For Section Translation.

@Pginer-WMF - this review is technically in progress. Is there a specific date you're targeting for deployment in October?

Wed, Oct 14, 2:06 PM · user-sbassett, SectionTranslation, Security, secscrum, Security Readiness Reviews

Tue, Oct 13

sbassett added a comment to T154133: Allow acl*otrs-admins to access hidden OTRS Tasks.

If it were, I imagine upstream would find a way to break this as, as far as I know, they don't allow an object's project list to change visibility policy.

Tue, Oct 13, 7:49 PM · Phabricator

Fri, Oct 9

sbassett moved T260466: Security Readiness Review For GlobalWatchlist extension from Back Orders to In Progress on the secscrum board.
Fri, Oct 9, 8:47 PM · MediaWiki-extensions-GlobalWatchlist, Security, secscrum, User-DannyS712, Security Readiness Reviews
sbassett added a comment to T260466: Security Readiness Review For GlobalWatchlist extension.

All - it appears the ordering stems from an edit about 4 years ago, quite a bit prior to several changes which were made to our security readiness review service, currently governed by this SOP. I'm going to try out an edit for the Preparing for deployment section which changes the list to a <ul>, removes the security review beta deployment "requirement" and attempts to provide a few additional, helpful notes.

Fri, Oct 9, 8:05 PM · MediaWiki-extensions-GlobalWatchlist, Security, secscrum, User-DannyS712, Security Readiness Reviews
sbassett removed a project from T265175: Remove Chase Pettet from security@ alias in Google: Operations.

@Dzahn - ah, I forgot about that. Thanks. I'll plan to reach out to OIT.

Fri, Oct 9, 7:51 PM · Security-Team
sbassett renamed T265175: Remove Chase Pettet from security@ alias in Google from Remove Chase Pettet from security@ alias in exim to Remove Chase Pettet from security@ alias in Google.
Fri, Oct 9, 7:50 PM · Security-Team
sbassett updated the task description for T265175: Remove Chase Pettet from security@ alias in Google.
Fri, Oct 9, 7:49 PM · Security-Team
sbassett triaged T265147: Offboard Chase Pettet from Security Team as Medium priority.
Fri, Oct 9, 7:48 PM · Operations, Security-Team
sbassett updated the task description for T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 9, 7:47 PM · Operations, Security-Team
sbassett updated the task description for T265175: Remove Chase Pettet from security@ alias in Google.
Fri, Oct 9, 7:47 PM · Security-Team
sbassett added a subtask for T265147: Offboard Chase Pettet from Security Team: T265175: Remove Chase Pettet from security@ alias in Google.
Fri, Oct 9, 7:46 PM · Operations, Security-Team
sbassett added a parent task for T265175: Remove Chase Pettet from security@ alias in Google: T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 9, 7:46 PM · Security-Team
sbassett created T265175: Remove Chase Pettet from security@ alias in Google.
Fri, Oct 9, 7:46 PM · Security-Team
sbassett updated the task description for T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 9, 2:50 PM · Operations, Security-Team
sbassett updated the task description for T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 9, 2:50 PM · Operations, Security-Team
sbassett added a comment to T265147: Offboard Chase Pettet from Security Team.

@MoritzMuehlenhoff - I'll plan to follow up on that group and any other security-related ones that I find. Thanks.

Fri, Oct 9, 2:46 PM · Operations, Security-Team
sbassett updated the task description for T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 9, 2:46 PM · Operations, Security-Team
sbassett updated the task description for T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 9, 2:42 PM · Operations, Security-Team
sbassett updated the task description for T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 9, 2:33 PM · Operations, Security-Team
sbassett updated subscribers of T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 9, 2:32 PM · Operations, Security-Team
sbassett updated the task description for T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 9, 2:31 PM · Operations, Security-Team
sbassett updated the task description for T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 9, 2:31 PM · Operations, Security-Team
sbassett updated the task description for T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 9, 2:29 PM · Operations, Security-Team
sbassett updated subscribers of T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 9, 2:29 PM · Operations, Security-Team
sbassett updated the task description for T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 9, 2:28 PM · Operations, Security-Team
sbassett created T265147: Offboard Chase Pettet from Security Team.
Fri, Oct 9, 2:27 PM · Operations, Security-Team

Thu, Oct 8

sbassett added a comment to T260466: Security Readiness Review For GlobalWatchlist extension.

Per https://www.mediawiki.org/wiki/Wikimedia_Performance_Team/Performance_Review, the prerequisite for a performance review is deployment to the beta cluster. Deployment to the beta cluster is dependent on the security review, thus until this security review is completed the performance review cannot begin. This is also the order used at https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment#Preparing_for_deployment

Thu, Oct 8, 7:53 PM · MediaWiki-extensions-GlobalWatchlist, Security, secscrum, User-DannyS712, Security Readiness Reviews
sbassett added a comment to T260466: Security Readiness Review For GlobalWatchlist extension.

Hi @sbassett. We do not have WMF team as steward. However, @MusikAnimal, me and some others are willing to help out in our volunteer time. There is a well-known demand for the GlobalWatchlist extension - both from the community and staff. In an ideal world teams would have some operating capacity to support the incredible work our volunteers do. However given the existing workload our teams operate under, it is highly unlikely that any team would want to pick up the extra work of shepherding this through.

Thu, Oct 8, 7:26 PM · MediaWiki-extensions-GlobalWatchlist, Security, secscrum, User-DannyS712, Security Readiness Reviews
sbassett closed T260466: Security Readiness Review For GlobalWatchlist extension as Resolved.

The performance review is usually done after the security review

Thu, Oct 8, 7:13 PM · MediaWiki-extensions-GlobalWatchlist, Security, secscrum, User-DannyS712, Security Readiness Reviews
sbassett reopened T260466: Security Readiness Review For GlobalWatchlist extension, a subtask of T260862: Deploy GlobalWatchlist extension to production (Meta only), as Open.
Thu, Oct 8, 7:13 PM · User-DannyS712, User-notice, MediaWiki-extensions-GlobalWatchlist, Wikimedia-extension-review-queue, Wikimedia-Extension-setup
sbassett reopened T260466: Security Readiness Review For GlobalWatchlist extension as "Open".
Thu, Oct 8, 7:13 PM · MediaWiki-extensions-GlobalWatchlist, Security, secscrum, User-DannyS712, Security Readiness Reviews
sbassett closed T260466: Security Readiness Review For GlobalWatchlist extension, a subtask of T260862: Deploy GlobalWatchlist extension to production (Meta only), as Resolved.
Thu, Oct 8, 7:13 PM · User-DannyS712, User-notice, MediaWiki-extensions-GlobalWatchlist, Wikimedia-extension-review-queue, Wikimedia-Extension-setup
sbassett added a comment to T260466: Security Readiness Review For GlobalWatchlist extension.

Thanks. I don't understand why a WMF steward is necessary though

Thu, Oct 8, 7:03 PM · MediaWiki-extensions-GlobalWatchlist, Security, secscrum, User-DannyS712, Security Readiness Reviews
sbassett added a comment to T260466: Security Readiness Review For GlobalWatchlist extension.

@Urbanecm - based upon the comments starting at T260860#6523535, at the very least we'd need to see a solution for T264833 before any security review commenced, since that blocks deployment of the extension. Have we also confirmed a Foundation-based steward of the code? Is Community-Tech or Anti-Harassment filling that capacity, @Niharika?

Thu, Oct 8, 4:37 PM · MediaWiki-extensions-GlobalWatchlist, Security, secscrum, User-DannyS712, Security Readiness Reviews
sbassett moved T257734: Security Readiness Review For Vue version 3 from Backlog to In Progress on the user-sbassett board.
Thu, Oct 8, 3:45 PM · user-sbassett, secscrum, Security Readiness Reviews, Security, Vue.js
sbassett added a project to T257734: Security Readiness Review For Vue version 3: user-sbassett.
Thu, Oct 8, 3:44 PM · user-sbassett, secscrum, Security Readiness Reviews, Security, Vue.js
sbassett moved T257579: Security Readiness Review For WVUI and Vector dependencies needed for Vue.js search from Backlog to In Progress on the user-sbassett board.
Thu, Oct 8, 3:44 PM · user-sbassett, Readers-Web-Backlog (Tracking), secscrum, Security, Vue.js (Vue.js-Search)
sbassett edited projects for T257579: Security Readiness Review For WVUI and Vector dependencies needed for Vue.js search, added: user-sbassett; removed Patch-For-Review.
Thu, Oct 8, 3:44 PM · user-sbassett, Readers-Web-Backlog (Tracking), secscrum, Security, Vue.js (Vue.js-Search)
sbassett moved T255208: Catalog and evaluate methods of analysis for Wikimedia captcha performance from Waiting to Postponed on the user-sbassett board.
Thu, Oct 8, 3:42 PM · observability, user-sbassett, ConfirmEdit (CAPTCHA extension), Security-Team, Security
sbassett moved T101017: Early security release access for Lcawte (ShoutWiki) from Waiting to Postponed on the user-sbassett board.
Thu, Oct 8, 3:42 PM · user-sbassett, Security-Team, ShoutWiki, WMF-Legal, WMF-NDA-Requests

Mon, Oct 5

sbassett claimed T264501: "toggle Desktop/Mobile view" misbehaves on HTTP sites.
Mon, Oct 5, 3:24 PM · MW-1.36-notes (1.36.0-wmf.13; 2020-10-12), Reading-Web-Third-Party-Support, Security-Team, MobileFrontend
sbassett moved T264501: "toggle Desktop/Mobile view" misbehaves on HTTP sites from Incoming to In Progress on the Security-Team board.
Mon, Oct 5, 3:24 PM · MW-1.36-notes (1.36.0-wmf.13; 2020-10-12), Reading-Web-Third-Party-Support, Security-Team, MobileFrontend
sbassett triaged T264501: "toggle Desktop/Mobile view" misbehaves on HTTP sites as Medium priority.

Due to commit 8b754f, the stopMobileRedirect cookie wouldn't be sent to servers without HTTPS

Mon, Oct 5, 3:23 PM · MW-1.36-notes (1.36.0-wmf.13; 2020-10-12), Reading-Web-Third-Party-Support, Security-Team, MobileFrontend
sbassett changed the visibility for T258129: Password Reset interface @ diff.wikimedia.org is insecure.
Mon, Oct 5, 3:20 PM · Privacy Engineering, Diff-blog, User-revi, Security
sbassett moved T258129: Password Reset interface @ diff.wikimedia.org is insecure from Incoming to Completed on the Privacy Engineering board.
Mon, Oct 5, 3:20 PM · Privacy Engineering, Diff-blog, User-revi, Security
sbassett reassigned T258129: Password Reset interface @ diff.wikimedia.org is insecure from sbassett to JFishback_WMF.
Mon, Oct 5, 2:05 PM · Privacy Engineering, Diff-blog, User-revi, Security
sbassett added a comment to T262628: FileImporter imports the file even when the target page is protected on Commons and the importer should not be able to create it (CVE-2020-26121).

Thanks a lot for the detailed response. I'm still curious what "requesting a CVE" means, but understand it's not something my team is asked to do. :-)

Mon, Oct 5, 2:04 PM · WMDE-QWERTY-Sprint-2020-09-23, MW-1.36-notes (1.36.0-wmf.10; 2020-09-22), Unplanned-Sprint-Work, WMDE-QWERTY-Sprint-2020-09-09, Security-Team, Security, Move-Files-To-Commons

Fri, Oct 2

sbassett added a comment to T261696: MW REST Framework support for authenticated CORS.

@WDoranWMF et al - Sorry for the delay on acknowledging this. I've added an entry within our risk register for your acceptance at T261696#6450752. I went with medium risk for now, since https://gerrit.wikimedia.org/r/621900 is a bit less granular (even if it may currently be restricted within production for a specific use case) than what I had discussed at T261358#6424759.

Fri, Oct 2, 8:08 PM · Platform Team Sprints Board (Sprint 3), Patch-For-Review, Platform Team Workboards (Green), MediaWiki-extensions-WikimediaApiPortalOAuth, Platform Team Initiatives (API Gateway)
sbassett moved T257579: Security Readiness Review For WVUI and Vector dependencies needed for Vue.js search from Waiting to In Progress on the secscrum board.
Fri, Oct 2, 4:03 PM · user-sbassett, Readers-Web-Backlog (Tracking), secscrum, Security, Vue.js (Vue.js-Search)
sbassett moved T257734: Security Readiness Review For Vue version 3 from Waiting to In Progress on the secscrum board.
Fri, Oct 2, 4:03 PM · user-sbassett, secscrum, Security Readiness Reviews, Security, Vue.js

Sep 28 2020

sbassett added a comment to T101017: Early security release access for Lcawte (ShoutWiki).

@ArielGlenn - There is an internal draft policy (I just gave you access) which I feel is mostly complete save clarification on a couple of the actual technical controls and processes. This needs some push from the Security-Team but I believe it is considered fairly low priority for us at this time.

Sep 28 2020, 6:54 PM · user-sbassett, Security-Team, ShoutWiki, WMF-Legal, WMF-NDA-Requests
sbassett renamed T256342: Write and send supplementary release announcement for extensions and skins with security patches (1.31.9/1.34.3/1.35.0) from Write and send supplementary release announcement for extensions and skins with security patches (1.31.9/1.34.3/1.35.x) to Write and send supplementary release announcement for extensions and skins with security patches (1.31.9/1.34.3/1.35.0).
Sep 28 2020, 6:33 PM · Security-Team, user-sbassett, MediaWiki-Releasing, Security
sbassett changed the visibility for T256342: Write and send supplementary release announcement for extensions and skins with security patches (1.31.9/1.34.3/1.35.0).
Sep 28 2020, 6:32 PM · Security-Team, user-sbassett, MediaWiki-Releasing, Security