Re: [Wikitech-l] Linker::link() rewrite

2016-05-16 Thread Chris Steipp
Is there any way we can default to having the body of the link not be passed as html? It's called $html, well documented that it's raw html, and I've lost track of the number of times people pass unsanitized text to it. I'd rather it not be something developers have to worry about, unless they

Re: [Wikitech-l] Reviving SVG client-side rendering task

2016-05-11 Thread Chris Steipp
On Thu, May 5, 2016 at 6:49 AM, Brion Vibber wrote: > > And then there are long term goals of taking more advantage of SVGs dynamic > nature -- making things animated or interactive. That's a much bigger > question and has implementation and security issues! Sorry for

Re: [Wikitech-l] REL1_27 branches up

2016-05-05 Thread Chris Steipp
On Thu, May 5, 2016 at 8:50 AM, Chad wrote: > On Thu, May 5, 2016 at 8:19 AM Gergo Tisza wrote: > > > On Thu, May 5, 2016 at 4:31 PM, Chad wrote: > > > > > Well then it sounds like it won't make the 1.27 release. We've

Re: [Wikitech-l] Docs, use of, and admin privileges for wikimedia github project?

2016-04-25 Thread Chris Steipp
On Mon, Apr 25, 2016 at 8:34 AM, Bryan Davis wrote: > Not that I am aware of. Rights there tend to work a lot like getting > elevated rights on mediawiki.org: the rights are handed out by > existing admins when somebody asks for something that will be easily > solved by

[Wikitech-l] Wikitech two-factor authentication

2016-03-26 Thread Chris Steipp
Hi all, tl,dr; if you enabled two-factor authentication on your wikitech.wikimedia.org account this past week (since 23 March, 22:03 UTC), the second factor may have been removed, and you should re-enable it. The long version: Several users in the past few days reported that they had 2FA

Re: [Wikitech-l] How to do redirect 'the right way' when OutputPage::prepareErrorPage is triggered

2016-03-07 Thread Chris Steipp
On Mon, Mar 7, 2016 at 10:32 AM, Victor Danilchenko < vdanilche...@cimpress.com> wrote: > My simple solution to this is to forcibly invoke OutputPage::Output on the > spot, right there in the 'BeforeInitialize' hook: > > $this->output->redirect($https_url, 301); > $this->output->output(); >

Re: [Wikitech-l] Unable to log into phabricator

2016-01-29 Thread Chris Steipp
Hi Devang, I see from https://phabricator.wikimedia.org/p/dg711/ that the MediaWiki account you're associated with is https://www.mediawiki.org/wiki/User:Devang_gaur. Just making sure that's the account you're logging in with on wiki, right? Due to issues with sessionmanager on wiki, you might

Re: [Wikitech-l] Tech Talk: Secure Coding For MediaWiki Developers: December 09

2015-12-09 Thread Chris Steipp
Just a reminder this is starting in one hour! On Thu, Dec 3, 2015 at 1:54 PM, Rachel Farrand wrote: > Please join for the following tech talk: > > *Tech Talk**:* Secure Coding For MediaWiki Developers > *Presenter:* Darian Patrick > *Date:* December 09, 2015 > *Time:

Re: [Wikitech-l] The case for a MediaWiki LTS release

2015-12-03 Thread Chris Steipp
On Thursday, December 3, 2015, Chad wrote: > On Thu, Dec 3, 2015 at 1:25 AM Legoktm > wrote: > > > I think it would be helpful if other people who use LTS could share > > their motivations for doing so, and if the

Re: [Wikitech-l] Peer-to-peer sharing of the content of Wikipedia through WebRTC

2015-11-30 Thread Chris Steipp
On Sat, Nov 28, 2015 at 1:36 PM, Yeongjin Jang wrote: > > *Privacy concerns - Would a malicious person be able to force > > themselves to be someone's preferred peer, and spy on everything they > > read, etc. > > > > *DOS concerns - Would a malicious peer or peers be

Re: [Wikitech-l] Gerrit +1 now executes the code you reviewed

2015-11-17 Thread Chris Steipp
Just to clarify, this is a +1 from a user who has +2 rights? Whereas a +1 from some random user will not initiate the tests? On Tue, Nov 17, 2015 at 10:20 AM, Jan Zerebecki wrote: > I just merged and deployed https://gerrit.wikimedia.org/r/#/c/184886/ , > which

Re: [Wikitech-l] Random rant

2015-10-28 Thread Chris Steipp
On Wed, Oct 28, 2015 at 9:10 AM, Aaron Halfaker wrote: > Is there a clearly good reason that we need to continue this review > process? If not, I find it very frustrating that we're slowing things down > so much because of imagined boogie-men. The idea of >

Re: [Wikitech-l] OAuth issue -- adding new consumer

2015-10-16 Thread Chris Steipp
Ivo, Can you maybe describe what issues you're having? There are several people who can help with OAuth, but finding the right person based on, what language your Consumer is written, what framework you're using, or the exact issue you're having, will be easier with more details. On Fri, Oct 16,

Re: [Wikitech-l] LDAP extension ownership

2015-09-21 Thread Chris Steipp
On Sep 19, 2015 11:15 AM, "bawolff" wrote: > > maintain is an ambiguous word. WMF has some responsibility to all the > extensions deployed on cluster (imo). If Devunt (and any others who > were knowledgeable of the Josa extension) disappeared, WMF would > default to becoming

Re: [Wikitech-l] [ Writing a MediaWiki extension for deployment ]

2015-07-07 Thread Chris Steipp
On Tue, Jul 7, 2015 at 9:17 AM, Paula paula...@gmail.com wrote: Hello again, May I have the contact of somebody from the developing team under the OAuth extension? Hi Paula, I'm one of the developers on that extension. As bawolff said, feel free to ask here. If you're curious about

[Wikitech-l] [MediaWiki-announce] MediaWiki bug fix release 1.25.1

2015-05-26 Thread Chris Steipp
Hello everyone, The ConfirmEdit extension in the 1.25.0 tarball contained a syntax error in two JSON files. We deeply apologize for this error, and thanks to Paul Villiger for reporting the issue. A new 1.25.1 tarball has been released which fixes the issue. Users using git can update to the

Re: [Wikitech-l] sshd config: using newer ciphers and protocols

2015-05-22 Thread Chris Steipp
On Fri, May 22, 2015 at 1:37 PM, MZMcBride z...@mzmcbride.com wrote: Re: https://gerrit.wikimedia.org/r/199936, do you know if there's any documentation about what has replaced agent forwarding for deployments? It's been replace by having deployers use a shared ssh agent (accessed through a

[Wikitech-l] Welcome Darian Patrick

2015-05-19 Thread Chris Steipp
Hi all, I'd like to introduce Darian Anthony Patrick, our new Application Security Engineer for the foundation! Darian joins me as a member of the newly formed Security Team. He comes from Aspect Security, where he provided code/architecture reviews and pen testing to large national and

Re: [Wikitech-l] Why doesn't en.m.wikipedia.org allow framing?

2015-05-15 Thread Chris Steipp
On May 15, 2015 2:14 PM, Jacek Wielemborek d33...@gmail.com wrote: Hello, I tried to discuss this on #wikimedia-mobile on Freenode, but nobody could explain this to me: I'm building a website that allows the users to view Wikipedia changes correlated to rDNS names of their editors and I

Re: [Wikitech-l] [Social-media] Improving the security of our users on Wikimedia sites

2015-04-27 Thread Chris Steipp
, Chris Steipp cste...@wikimedia.org wrote: On Apr 20, 2015 4:13 PM, Andrew Sherman asher...@wikimedia.org wrote: Hello Everyone, We just published Improving the security of our users on Wikimedia sites to the blog. URL: https://blog.wikimedia.org/2015/04/20/improving

Re: [Wikitech-l] [Social-media] Improving the security of our users on Wikimedia sites

2015-04-27 Thread Chris Steipp
On Mon, Apr 27, 2015 at 2:32 PM, Strainu strain...@gmail.com wrote: 2015-04-27 18:51 GMT+03:00 Chris Steipp cste...@wikimedia.org: Hi Strainu, Thanks for the additional information Chris! We were trying to balance how much data vs summary information to give to people, but you can

[Wikitech-l] MediaWiki Security and Maintenance Releases: 1.19.24, 1.23.9, and 1.24.2

2015-03-31 Thread Chris Steipp
I would like to announce the release of MediaWiki 1.24.2, 1.23.9 and 1.19.24. These releases fix 10 security issues, in addition to other bug fixes. Download links are given at the end of this email. == Security fixes == * iSEC Partners discovered a way to circumvent the SVG MIME blacklist for

[Wikitech-l] Pre-Release Announcement for MediaWiki 1.19.24, 1.23.9, 1.24.2

2015-03-30 Thread Chris Steipp
This is a notice that on Tuesday, March 31st between 21:00-22:00 UTC (2-3pm PDT) Wikimedia Foundation will release security updates for current and supported branches of the MediaWiki software. Downloads and patches will be available at that time.

Re: [Wikitech-l] [GSoC] An enhanced cross-wiki watchlist as an OAuth tool - looking for mentors

2015-03-19 Thread Chris Steipp
If any potential mentors are worried about the OAuth piece, I can help with that. Although I think OAuth is a pretty small piece of this project. On Thu, Mar 19, 2015 at 5:21 AM, Quim Gil q...@wikimedia.org wrote: (Jan is looking for GSoC mentors, and the deadline for submitting proposals with

Re: [Wikitech-l] Tor proxy with blinded tokens

2015-03-11 Thread Chris Steipp
On Mar 11, 2015 2:23 AM, Gergo Tisza gti...@wikimedia.org wrote: On Tue, Mar 10, 2015 at 5:40 PM, Chris Steipp cste...@wikimedia.org wrote: I'm actually envisioning that the user would edit through the third party's proxy (via OAuth, linked to the new, Special Account), so no special

[Wikitech-l] Tor proxy with blinded tokens

2015-03-10 Thread Chris Steipp
Jacob Applebaum made another remark about editing Wikipedia via tor this morning. Since it's been a couple months since the last tor bashing thread, I wanted to throw out a slightly more modest proposal to see what people think. This is getting some interest from a few people:

Re: [Wikitech-l] Tor proxy with blinded tokens

2015-03-10 Thread Chris Steipp
On Tue, Mar 10, 2015 at 2:58 PM, Risker risker...@gmail.com wrote: snip Also I'm a little unclear about something. If a Tor-enabled account creates new accounts, will those accounts be able to edit through Tor, too? The account creation would come from the proxy, so the

Re: [Wikitech-l] Tor proxy with blinded tokens

2015-03-10 Thread Chris Steipp
On Tue, Mar 10, 2015 at 10:16 AM, Giuseppe Lavagetto glavage...@wikimedia.org wrote: Hi Chris, I like the idea in general, in particular the fact that only established editors can ask for the tokens. What I don't get is why this proxy should be run by someone that is not the WMF, given - I

Re: [Wikitech-l] Tor proxy with blinded tokens

2015-03-10 Thread Chris Steipp
On Tue, Mar 10, 2015 at 5:06 PM, Kevin Wayne Williams kwwilli...@kwwilliams.com wrote: Wikipedia isn't worth endangering oneself over, and we shouldn't encourage the delusion that any technical measure will change that. How do you know today what topics are going to endanger you next week?

Re: [Wikitech-l] Tor proxy with blinded tokens

2015-03-10 Thread Chris Steipp
On Tue, Mar 10, 2015 at 7:45 AM, Kevin Wayne Williams kwwilli...@kwwilliams.com wrote: Chris Steipp schreef op 2015/03/10 om 7:23: Jacob Applebaum made another remark about editing Wikipedia via tor this morning. Since it's been a couple months since the last tor bashing thread, I wanted

Re: [Wikitech-l] Tor proxy with blinded tokens

2015-03-10 Thread Chris Steipp
On Tue, Mar 10, 2015 at 10:39 AM, Risker risker...@gmail.com wrote: A few questions on this: - So, this would result in the creation of a new account, correct? If so, most of the security is lost by the enwiki policy of requiring linking to one's other accounts, and if the user

Re: [Wikitech-l] Tor proxy with blinded tokens

2015-03-10 Thread Chris Steipp
creates new accounts, will those accounts be able to edit through Tor, too? The account creation would come from the proxy, so the wiki would have to trust that the proxy is only handing out accounts to users who have been Risker/Anne On 10 March 2015 at 14:33, Chris Steipp cste...@wikimedia.org

Re: [Wikitech-l] E-mail login to wiki - needs feedback

2015-02-19 Thread Chris Steipp
On Thu, Feb 19, 2015 at 6:44 AM, Marc A. Pelletier m...@uberbox.org wrote: That would be a catastrophe, from a privacy standpoint; even if we restrict this to verified email addresses, there is no possible guarantee that the person who controlled email address x@y in the past is the person who

Re: [Wikitech-l] Who moved my cheese?

2015-02-12 Thread Chris Steipp
I don't think we need to announce every change that requires running update.php-- that's pretty common, and (most importantly, imho) the error messages you get when that happens make it pretty obvious what you need to do. But +1 for standardizing where breaking changes are announced. I hit the

Re: [Wikitech-l] Why there is no authentication mechanism for desktop applications

2015-02-11 Thread Chris Steipp
On Wednesday, February 11, 2015, Guillaume Paumier gpaum...@wikimedia.org wrote: Hello, Le mercredi 11 février 2015, 16:59:45 Petr Bena a écrit : We have OAuth for browser based programs. But nothing for desktop applications that are being used by users. (Like AWB etc). It sounds

Re: [Wikitech-l] New feature: tool edit

2015-02-11 Thread Chris Steipp
On Wed, Feb 11, 2015 at 5:07 AM, This, that and the other at.li...@live.com.au wrote: How does a user prove that they're using a particular tool a way that can't be faked? Something like OAuth comes to mind. All edits made via an OAuth consumer are already tagged with a unique tag, and I would

Re: [Wikitech-l] Changing contentmodel of pages

2015-01-24 Thread Chris Steipp
On Jan 23, 2015 8:43 PM, Matthew Flaschen mflasc...@wikimedia.org wrote: On 01/22/2015 10:00 PM, Legoktm wrote: I disagree that we need a editcontentmodel user right. I think all users should be allowed to change the content model of a page (provided they have the right to edit it, etc.).

Re: [Wikitech-l] Our CAPTCHA is very unfriendly

2014-12-04 Thread Chris Steipp
On Wed, Dec 3, 2014 at 9:15 PM, Chad innocentkil...@gmail.com wrote: On Wed Dec 03 2014 at 8:18:53 PM MZMcBride z...@mzmcbride.com wrote: svetlana wrote: On Thu, 4 Dec 2014, at 15:02, MZMcBride wrote: We disabled the CAPTCHA entirely on test.wikipedia.org a few weeks ago. The wiki seems

[Wikitech-l] Visibility of action in API for deleted log entries

2014-12-01 Thread Chris Steipp
Hi list, I wanted to get some feedback about https://phabricator.wikimedia.org/T74222. In the last security release, I changed the return of the api to remove the action for log entries that had been revdeleted with Hide action and target. However, ever since 2009 / r46917, we've assumed that

Re: [Wikitech-l] Our CAPTCHA is very unfriendly

2014-11-10 Thread Chris Steipp
On Sunday, November 9, 2014, Platonides platoni...@gmail.com wrote: On 07/11/14 02:52, Jon Harald Søby wrote: The main concern is obviously that it is really hard to read, but there are also some other issues, namely that all the fields in the user registration form (except for the

Re: [Wikitech-l] MediaWiki:Common.js and MediaWiki:Common.css blocked on Special:Login and Special:Preferences

2014-11-07 Thread Chris Steipp
On Thursday, November 6, 2014, Daniel Friesen dan...@nadir-seen-fire.com wrote: On 2014-11-06 4:45 PM, Chris Steipp wrote: On Thu, Nov 6, 2014 at 11:41 AM, Derric Atzrott datzr...@alizeepathology.com wrote: This seems completely reasonable to me. I'd merge it personally

Re: [Wikitech-l] MediaWiki:Common.js and MediaWiki:Common.css blocked on Special:Login and Special:Preferences

2014-11-06 Thread Chris Steipp
On Thu, Nov 6, 2014 at 11:41 AM, Derric Atzrott datzr...@alizeepathology.com wrote: This seems completely reasonable to me. I'd merge it personally. Is there any reason not to? It's fairly easy to inject javascript via css, so merging that patch means an admin can run javascript on the

[Wikitech-l] Changing edit token length

2014-10-20 Thread Chris Steipp
Hi list, tl;dr: If you use a fixed length buffer to store edit tokens, you'll need to update your code. I'm planning to +2 https://gerrit.wikimedia.org/r/#/c/156336/ in the next day or so. That provides for two hardening measures: * Tokens can be time limited. By default they won't be, but this

Re: [Wikitech-l] Changing edit token length

2014-10-20 Thread Chris Steipp
On Mon, Oct 20, 2014 at 11:00 AM, Zack Weinberg za...@cmu.edu wrote: On Mon, Oct 20, 2014 at 1:38 PM, Chris Steipp cste...@wikimedia.org wrote: * Tokens can be time limited. By default they won't be, but this puts the plumbing in place if it makes sense to do that on any token checks

Re: [Wikitech-l] Tor and Anonymous Users (I know, we've had this discussion a million times)

2014-10-13 Thread Chris Steipp
On Mon, Oct 13, 2014 at 9:10 AM, Derric Atzrott datzr...@alizeepathology.com wrote: Although my suggestion is similar in kind to what had already been proposed, the main object to it was that it would create too much work for our already constrained resources. The addition of rate limiting is a

[Wikitech-l] Security fixes for CentralAuth and MobileFrontend extensions

2014-10-08 Thread Chris Steipp
A number of security issues in MediaWiki extensions have been fixed. Users of these extensions should update to the latest version. * CentralAuth: Internal review found multiple issues that have been resolved: ** (bug 70469) Special:MergeAccount

[Wikitech-l] OAuth and callbacks

2014-08-27 Thread Chris Steipp
For those who run one of our 76(!) approved OAuth apps, or are using OAuth extension on their own wiki.. We have a patch [1] from Mitar to allow OAuth apps to pass a configurable callback during the OAuth handshake. This will probably make a lot of app author's lives easier, but can also open up

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Chris Steipp
On Wed, Aug 6, 2014 at 8:26 AM, Tyler Romeo tylerro...@gmail.com wrote: In terms of external authentication, we need Extension:OpenID to catch up to the OpenID standard in order to do that. In terms of two-factor, I have like eight patches for Extension:OATHAuth attempting to make it

Re: [Wikitech-l] Release Engineering team (new! improved!)

2014-07-29 Thread Chris Steipp
On Tue, Jul 29, 2014 at 11:58 AM, Pine W wiki.p...@gmail.com wrote: To clarify, is the QA team now under Release Engineering as Chris' comment seems to imply, and how does this org change effect security engineering? For now, I (the only security engineer) am staying in core, although much of

Re: [Wikitech-l] Release Engineering team (new! improved!)

2014-07-29 Thread Chris Steipp
On Tue, Jul 29, 2014 at 2:06 PM, Pine W wiki.p...@gmail.com wrote: The everyday difference that this change makes may be trivial, but it makes sense to me to think of QA (and Security Engineering) as being part of RelEng. I doubt we disagree too much, but I'll put on my security evangelist hat

Re: [Wikitech-l] logging out on one device logs user out everywhere

2014-07-23 Thread Chris Steipp
On Tuesday, July 22, 2014, MZMcBride z...@mzmcbride.com wrote: Chris Steipp wrote: I think this should be managed similar to https-- a site preference, and users can override the site config with a user preference. Please no. There's been a dedicated effort in 2014 to reduce the number

Re: [Wikitech-l] logging out on one device logs user out everywhere

2014-07-22 Thread Chris Steipp
Cool. My $.02 on the feature, I think this should be managed similar to https-- a site preference, and users can override the site config with a user preference. I'd prefer if we could make the site preference (logout all sessions, or logout only the current session) to be configurable, so we can

Re: [Wikitech-l] Anonymous editors IP addresses

2014-07-11 Thread Chris Steipp
On Friday, July 11, 2014, Daniel Kinzler dan...@brightbyte.de wrote: Am 11.07.2014 17:19, schrieb Tyler Romeo: Most likely, we would encrypt the IP with AES or something using a configuration-based secret key. That way checkusers can still reverse the hash back into normal IP addresses

Re: [Wikitech-l] MediaWiki Bug Bounty Program

2014-06-25 Thread Chris Steipp
On Wed, Jun 25, 2014 at 4:28 PM, Tyler Romeo tylerro...@gmail.com wrote: Hey everybody, So today at the iSEC Partners security open forum I heard a talk from Zane Lackey, the former security lead for Etsy, concerning the effectiveness of bug bounties. He made two points: 1) Bug bounties

Re: [Wikitech-l] MediaWiki Bug Bounty Program

2014-06-25 Thread Chris Steipp
On Wed, Jun 25, 2014 at 5:49 PM, Alex Monk kren...@gmail.com wrote: Chris, why don't we leave privacy policy compliance to the users posting on the bug? Wikimedia personal user data shouldn't be going to the security product. There are a few cases where there may be legitimate private data in

[Wikitech-l] Browser tests for core

2014-06-24 Thread Chris Steipp
I just +2'ed a change to add a few basic selenium tests to core [1]. I think it will benefit us all to have a set of automated tests to quickly make sure mediawiki is working correctly. From a security perspective, this also takes a step towards more efficient security testing, which I'm also a

Re: [Wikitech-l] Browser tests for core

2014-06-24 Thread Chris Steipp
On Jun 24, 2014 6:13 PM, Dan Garry dga...@wikimedia.org wrote: On 24 June 2014 17:05, Risker risker...@gmail.com wrote: Sorry to be a bit OT, but if you guys are going to test, please don't do it in article space on enwiki, or this is what is going to happen to the accounts. We've had

Re: [Wikitech-l] SVG linking of external images/bitmaps - xlink:href should support http(s) resources

2014-06-20 Thread Chris Steipp
On Thu, Jun 19, 2014 at 11:15 PM, Christian Müller cmu...@gmx.de wrote: Sent: Dienstag, 27. Mai 2014 um 21:21 Uhr From: Chris Steipp cste...@wikimedia.org To: Wikimedia developers wikitech-l@lists.wikimedia.org Subject: Re: [Wikitech-l] SVG linking of external images/bitmaps - xlink:href

Re: [Wikitech-l] Getting phpunit working with Vagrant

2014-06-13 Thread Chris Steipp
On Fri, Jun 13, 2014 at 10:44 AM, Jon Robson jdlrob...@gmail.com wrote: Has anyone had success with this...? This is what happens when I try to run: master x ~/git/vagrant/mediawiki/tests/phpunit $ php phpunit.php Warning: require_once(/vagrant/LocalSettings.php): failed to open stream: No

Re: [Wikitech-l] MW-Vagrant improvements at the Zürich Hackathon

2014-06-13 Thread Chris Steipp
: CentralAuth/Multiwiki: Bryan Davis, Chris Steipp, and Reedy spent a lot of time hacking on this, and we now have support for multiwiki/CentralAuth in Vagrant! There is still some cleanup work being done for the role to remove kludge/hacks/etc (see https://gerrit.wikimedia.org/r/#/c

Re: [Wikitech-l] Upgrading to 1.23

2014-06-12 Thread Chris Steipp
On Thu, Jun 12, 2014 at 10:15 AM, Beebe, Mary J bee...@battelle.org wrote: 4. General security vulnerabilities. - I would love to have any specifics here. You can start with

Re: [Wikitech-l] Help: Needed in OAuth

2014-06-05 Thread Chris Steipp
On Thursday, June 5, 2014, Amanpreet Singh amanpreet.iitr2...@gmail.com wrote: Thanks for quick reply, I am just getting NULL after making an OAuth call and that callback wasn't confirmed, I hope I am making call to correct url which is

Re: [Wikitech-l] Hardening WP/WM against traffic analysis (take two)

2014-06-05 Thread Chris Steipp
On Thu, Jun 5, 2014 at 9:45 AM, Zack Weinberg za...@cmu.edu wrote: I'd like to restart the conversation about hardening Wikipedia (or possibly Wikimedia in general) against traffic analysis. I brought this up ... last November, I think, give or take a month? but it got lost in a larger

Re: [Wikitech-l] Help: Needed in OAuth

2014-06-05 Thread Chris Steipp
to walk you through. You may want to try this script here: https://www.mediawiki.org/wiki/User:CSteipp/OAuth_debug_client That should at least prove it's not a connectivity / curl issue. On Thu, Jun 5, 2014 at 9:14 PM, Chris Steipp cste...@wikimedia.org wrote: On Thursday, June 5, 2014

Re: [Wikitech-l] SVG linking of external images/bitmaps - xlink:href should support http(s) resources

2014-05-28 Thread Chris Steipp
On Tue, May 27, 2014 at 10:10 PM, Matthew Flaschen mflasc...@wikimedia.org wrote: On 05/27/2014 10:52 PM, Brian Wolff wrote: I specifically said bits.wikimedia.org and upload.wikimedia.org (and not commons.wikimedia.org), neither of which host user JavaScript. Matt Flaschen Gadgets are

Re: [Wikitech-l] SVG linking of external images/bitmaps - xlink:href should support http(s) resources

2014-05-27 Thread Chris Steipp
On Tue, May 27, 2014 at 9:37 AM, Christian Müller cmu...@gmx.de wrote: Hi, a recent discussion in https://bugzilla.wikimedia.org/show_bug.cgi?id=65724#c3 revealed that parts of the SVG standard are deliberately broken on commons. While I see some reasons to not adhere fully to the

Re: [Wikitech-l] Bot flags and human-made edits

2014-05-20 Thread Chris Steipp
On Tue, May 20, 2014 at 6:05 AM, Jon Robson jdlrob...@gmail.com wrote: I'm confused. Why wouldn't you just mark a user account as being a bot and simply determine bot edits from username alone? Volume? Cluebot does a high volume of edits, but as mentioned, doesn't want the edit hidden from

Re: [Wikitech-l] Login to Wikimedia Phabricator with a GitHub/Google/etc account?

2014-05-16 Thread Chris Steipp
On May 15, 2014 3:56 PM, hoo h...@online.de wrote: On Thu, 2014-05-15 at 14:20 -0700, Quim Gil wrote: This is a casual request for comments about the use of 3rd party authentication providers for our future Wikimedia Phabricator instance. Wikimedia Phabricator is expected to replace

Re: [Wikitech-l] Login to Wikimedia Phabricator with a GitHub/Google/etc account?

2014-05-16 Thread Chris Steipp
On May 16, 2014 5:20 PM, Chad innocentkil...@gmail.com wrote: On Fri, May 16, 2014 at 4:38 PM, MZMcBride z...@mzmcbride.com wrote: Chris Steipp wrote: Accounts are kinda namespaced, so github user foo and sul user foo can both have phabricator accounts. Since we're using OAuth though

[Wikitech-l] Vagrant CentralAuth role

2014-05-05 Thread Chris Steipp
Hi all, I'm planning to spend some time in Zurich getting a centralauth role for vagrant working (part of https://www.mediawiki.org/wiki/Z%C3%BCrich_Hackathon_2014/Topics#Production-like_Vagrant). I wanted to get opinions (probably more bikeshed) about how you would like to access multiple wikis

Re: [Wikitech-l] Vagrant CentralAuth role

2014-05-05 Thread Chris Steipp
I just found out about that from Ori too. Problem solved. Thanks! On Mon, May 5, 2014 at 12:42 PM, Bryan Davis bd...@wikimedia.org wrote: On Mon, May 5, 2014 at 1:17 PM, Chris Steipp cste...@wikimedia.org wrote: Different domains is closer to how we run thing in production, but it would

Re: [Wikitech-l] Fwd: Security precaution - Resetting all user sessions today

2014-04-08 Thread Chris Steipp
Due to the speed of the script, it will take a while for everyone to be logged out. If you hit this issue, logging out and logging in again seems to fix the problem. I'm still trying to track down why this is happening. On Tue, Apr 8, 2014 at 4:43 PM, Greg Grossmeier g...@wikimedia.org wrote:

Re: [Wikitech-l] Optimizing our captcha images

2014-04-01 Thread Chris Steipp
I'm fairly sure not, although you might be able to run those from the logs. I would really like to see a feedback mechanism in fancycaptcha (or all captchas for that matter) so we could automatically run those numbers. On Tue, Apr 1, 2014 at 11:30 AM, Ryan Kaldari rkald...@wikimedia.org wrote:

Re: [Wikitech-l] CentralAuth questions

2014-03-27 Thread Chris Steipp
On Thu, Mar 27, 2014 at 6:01 PM, John phoenixoverr...@gmail.com wrote: You can also use the localuser table in the CA database. Yep. Localuser keeps track of the attachments, so any entry there for a username + wiki means the global username of the same name is attached on that wiki. It's all

Re: [Wikitech-l] HTML templating systems MediaWiki - is this summary right?

2014-03-26 Thread Chris Steipp
, Chris Steipp cste...@wikimedia.org wrote: On Tue, Mar 18, 2014 at 8:27 PM, Sumana Harihareswara suma...@wikimedia.org wrote: I'm trying to understand what our current situation is and what our choices are around HTML templating systems and MediaWiki, so I'm gonna note what I think

Re: [Wikitech-l] HTML templating systems MediaWiki - is this summary right?

2014-03-26 Thread Chris Steipp
On Wed, Mar 26, 2014 at 9:44 AM, Daniel Friesen dan...@nadir-seen-fire.com wrote: On 2014-03-26, 9:32 AM, Nuria Ruiz wrote: The issue is that they apply the same escaping, regardless of the html context. So, in Twig and mustache, div class={{something}}/div is vulnerable, if something is

Re: [Wikitech-l] HTML templating systems MediaWiki - is this summary right?

2014-03-26 Thread Chris Steipp
than purely templating and in my opinion it does little to separate data and markup. Which is the very point of having a template engine. But if you consider that one a lawful use case, you are right. The example I provided does not help you. On Wed, Mar 26, 2014 at 6:15 PM, Chris Steipp cste

Re: [Wikitech-l] HTML templating systems MediaWiki - is this summary right?

2014-03-26 Thread Chris Steipp
:15 PM, Chris Steipp cste...@wikimedia.org wrote: On Wed, Mar 26, 2014 at 9:44 AM, Daniel Friesen dan...@nadir-seen-fire.comwrote: On 2014-03-26, 9:32 AM, Nuria Ruiz wrote: The issue is that they apply the same escaping, regardless of the html context. So, in Twig and mustache, div

Re: [Wikitech-l] OAuth upload

2014-03-19 Thread Chris Steipp
I'm guessing the crop tool developer figured it out. That's not one use case I have code for. If anyone has written code, I'd love a link to it so I can get a demo posted. There is a trick to getting the form type right, since OAuth's spec explicitly specified out doesn't work with multipart

Re: [Wikitech-l] HTML templating systems MediaWiki - is this summary right?

2014-03-19 Thread Chris Steipp
meeting. https://www.mediawiki.org/wiki/Requests_for_comment/MVC_framework * mustache.js stuff - Ryan Kaldari and Chris Steipp mentioned this I think? * Knockout-compatible implementation in Node.js PHP https://www.mediawiki.org/wiki/Requests_for_comment/HTML_templating_library

Re: [Wikitech-l] MediaWiki, Cookies and EU Privacy Policy 95/46/EG

2014-03-10 Thread Chris Steipp
On Mon, Mar 10, 2014 at 8:46 AM, Manuel Schneider manuel.schnei...@wikimedia.ch wrote: Dear all, not sure if this discussion already happens somewhere else, I couldn't find it on MediaWiki.org or by googling. The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of cookies only

Re: [Wikitech-l] Gerrit Commit Wars

2014-03-06 Thread Chris Steipp
On Thu, Mar 6, 2014 at 4:08 PM, Erik Bernhardson ebernhard...@wikimedia.org wrote: Does core have any policies related to merging? The core features team has adopted a methodology(although slightly different) that we learned of from the VE team. Essentially +2 for 24 hours before a

Re: [Wikitech-l] MediaWiki Security and Maintenance Releases: 1.22.3, 1.21.6 and 1.19.12

2014-02-28 Thread Chris Steipp
That was a mistake this release. We'll continue those going forward. On Feb 27, 2014 7:56 PM, Matthew Walker mwal...@wikimedia.org wrote: I note that there are security fixes in these release's -- did I miss Chris' email about these patches or are we moving away from the model where we send

Re: [Wikitech-l] Two factor auth reset needed on wikitech

2014-02-28 Thread Chris Steipp
Correct, the scratch codes are the only way to log in. If you don't have this, you'll have to get someone to remove your preference in the db. On Feb 28, 2014 1:32 PM, Matthew Walker mwal...@wikimedia.org wrote: Don't have them :p ~Matt Walker Wikimedia Foundation Fundraising Technology Team

Re: [Wikitech-l] Drop support for PHP 5.3

2014-02-24 Thread Chris Steipp
I know a few people who will be happy if they can keep running on stock rhel6 (5.3). That would also mean epel can package 1.23. After 1.19 is when we went to 5.3, so I think following precedent is good too. On Feb 23, 2014 6:04 PM, Chad innocentkil...@gmail.com wrote: +1 here as well. Let's

Re: [Wikitech-l] deploying the most recent MediaWiki code: which branch?

2014-02-20 Thread Chris Steipp
On Thu, Feb 20, 2014 at 2:37 PM, Ryan Lane rlan...@gmail.com wrote: Note that unless you're willing to keep up to date with WMF's relatively fast pace of branching, you're going to miss security updates. No matter what, if you use git you're going to get security updates slower, since they

Re: [Wikitech-l] Let's improve our password policy

2014-02-11 Thread Chris Steipp
On Sat, Feb 8, 2014 at 8:14 AM, Brian Wolff bawo...@gmail.com wrote: On 2/7/14, Steven Walling steven.wall...@gmail.com wrote: If feel like I should reiterate why I proposed this change. Maybe no one cares, but I think it might help convince folks this is NOT an argument for let's reduce

Re: [Wikitech-l] Let's improve our password policy

2014-02-06 Thread Chris Steipp
On Wed, Feb 5, 2014 at 8:00 PM, MZMcBride z...@mzmcbride.com wrote: Hi. Tyler Romeo wrote: On Wed, Feb 5, 2014 at 2:20 AM, MZMcBride z...@mzmcbride.com wrote: Ultimately, account security is a user's prerogative. [...] Banks and even e-mail providers have reason to implement stricter

Re: [Wikitech-l] Password Hash

2014-02-06 Thread Chris Steipp
On Wed, Feb 5, 2014 at 8:26 PM, C. Scott Ananian canan...@wikimedia.org wrote: Password hashing algorithms are not the same as general hash algorithms. I would prefer we didn't use whirlpool; it is recommended by NESSIE and ISO as a hash function, but as a password hash. CWE916 recommends

[Wikitech-l] Password Hash

2014-02-05 Thread Chris Steipp
Hi all, I wanted to bikeshed just a little bit, to make sure there is some consensus. tl;dr We're upgrading the password hash used to store passwords to make offline cracking more difficult. In doing that, we need to set one of the options as default. Speak up if you have strong feelings about

Re: [Wikitech-l] Password Hash

2014-02-05 Thread Chris Steipp
-issue? Note that some non-Latin strings can only fit 24 chars in 72 bytes of UTF-8. Long enough for most passwords, but some people like passphrases. :) It's an issue with bcrypt itself (only uses 18 32 bit keys). Good point. -- brion On Wed, Feb 5, 2014 at 12:53 PM, Chris Steipp cste

Re: [Wikitech-l] Password Hash

2014-02-05 Thread Chris Steipp
On Wed, Feb 5, 2014 at 3:08 PM, Zachary Harris zacharyhar...@hotmail.com wrote: tl;dr PBKDF2 and bcrypt are both perfectly acceptable for security. PBKDF2 and bcrypt, as well as scrypt, are all well regarded by current infosec industry standards (with current being a key word). While there
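Two points from the Password Hash thread above are easy to miss when choosing a default: bcrypt only keys on the first 72 bytes of the password (18 32-bit words), so a passphrase in a 3-byte-per-character script is silently cut at 24 characters, while PBKDF2 has no such limit. The example below is added here and is not code from the thread or from MediaWiki; it models bcrypt's 72-byte key limit with a small helper (it does not call a bcrypt library) and implements the PBKDF2 side with Python's standard hashlib, using a storage format and helper names that are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# bcrypt's key schedule consumes 18 32-bit words = 72 bytes; anything beyond is ignored.
BCRYPT_MAX_KEY_BYTES = 72


def bcrypt_effective_key(password: str) -> bytes:
    """Bytes a bcrypt implementation actually feeds into its key schedule.

    Models the truncation discussed in the thread (assumption: the implementation
    UTF-8 encodes the password and stops at 72 bytes, as libbcrypt-style code does).
    """
    return password.encode("utf-8")[:BCRYPT_MAX_KEY_BYTES]


def bcrypt_truncates(password: str) -> bool:
    """True if part of this password would never influence the bcrypt hash."""
    return len(password.encode("utf-8")) > BCRYPT_MAX_KEY_BYTES


def max_chars_in_bcrypt_key(sample_char: str) -> int:
    """How many characters of the given script fit before bcrypt stops reading."""
    return BCRYPT_MAX_KEY_BYTES // len(sample_char.encode("utf-8"))


def pbkdf2_hash(password: str, iterations: int = 100_000,
                salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 over the full password, stored as
    scheme:iterations:salt_b64:dk_b64 (the format is this example's assumption).
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=32)
    return ":".join([
        "pbkdf2-sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    try:
        scheme, iters, salt_b64, dk_b64 = stored.split(":")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iters)
    except ValueError:
        return False
    if scheme != "pbkdf2-sha256" or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample: two 25-character CJK passphrases differing only in the last character.
    first = "日" * 24 + "月"
    second = "日" * 24 + "星"
    print("CJK chars bcrypt keys on:", max_chars_in_bcrypt_key("日"))
    print("bcrypt sees them as equal:", bcrypt_effective_key(first) == bcrypt_effective_key(second))
    stored = pbkdf2_hash(first, iterations=10_000)
    print("PBKDF2 verifies first:", pbkdf2_verify(first, stored))
    print("PBKDF2 accepts second:", pbkdf2_verify(second, stored))
```

Run stand-alone, the script shows that the two 25-character passphrases collide under the bcrypt model (both reduce to the same 72 bytes) while PBKDF2 distinguishes them. A deployment that keeps bcrypt can avoid the collision by rejecting or pre-hashing passwords longer than 72 bytes; a PBKDF2 default needs no such guard, only a salt and an iteration count tuned to the hardware.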

[Wikitech-l] Please update for the latest security patch

2014-02-03 Thread Chris Steipp
Hi lists, If you haven't patched with the last security release, or know of a wiki that hasn't patched yet, please do so immediately. An exploit was released on the full disclosure mailing list over the weekend[1] that targets the vulnerability in the PdfHandler extension. If you're not able to

[Wikitech-l] MediaWiki Security Releases: 1.22.2, 1.21.5 and 1.19.11

2014-01-28 Thread Chris Steipp
I would like to announce the release of MediaWiki 1.22.2, 1.21.5 and 1.19.11. Your MediaWiki installation is affected by a remote code execution vulnerability if you have enabled file upload support for DjVu (natively supported by MediaWiki) or PDF files (in combination with the PdfHandler

[Wikitech-l] Pre-Release Announcement for MediaWiki 1.22.2, 1.21.5, and 1.19.11

2014-01-27 Thread Chris Steipp
This is a notice that on Tuesday, Jan 28th between 21:00-22:00 UTC (1-2pm PST) Wikimedia Foundation will release critical security updates for current and supported branches of the MediaWiki software and extensions. Downloads and patches will be available at that time, with the git repositories

Re: [Wikitech-l] How to collaborate when writing OAuth applications?

2014-01-21 Thread Chris Steipp
Yeah, it's not possible to drop it yourself yet. Let me, or any OAuth admin (stewards), know that you want it dropped, and we can reject it. On Jan 21, 2014 6:31 AM, Dan Andreescu dandree...@wikimedia.org wrote: Another question is: i would like to drop my first test-app consumer. How can

Re: [Wikitech-l] Jake requests enabling access and edit access to Wikipedia via TOR

2014-01-13 Thread Chris Steipp
On Mon, Jan 13, 2014 at 8:32 AM, Zack Weinberg za...@cmu.edu wrote: To satisfy Applebaum's request, there needs to be a mechanism whereby someone can edit even if *all of their communications with Wikipedia, including the initial contact* are coming over Tor or equivalent. Blinded,

[Wikitech-l] MediaWiki Security Releases: 1.22.1, 1.21.4 and 1.19.10

2014-01-13 Thread Chris Steipp
I would like to announce the release of MediaWiki 1.22.1, 1.21.4 and 1.19.10. These releases fix a number of security related bugs that could affect users of MediaWiki. In addition, MediaWiki 1.22.1 is a maintenance release. It fixes several bugs. You can consult the RELEASE-NOTES-1.22 file for

[Wikitech-l] Pre-Release Announcement for MediaWiki 1.19.10, 1.21.4, and 1.22.1

2014-01-10 Thread Chris Steipp
This is a notice that on Tuesday, January 14th between 00:00-01:00 UTC (*Monday* January 13th, 4-5pm PST) Wikimedia Foundation will release security updates for current and supported branches of the MediaWiki software, as well as several extensions. Downloads and patches will be available at that

Re: [Wikitech-l] RFC cluster summary: HTML templating

2013-12-30 Thread Chris Steipp
On Fri, Dec 27, 2013 at 5:48 PM, Matthew Walker mwal...@wikimedia.org wrote: For the fundraising thank you letters, I pass a dictionary to the template containing the currency string VND 2.23; via callback that gets transformed into 20,000.23*₫* via a i18n library that I wrote. I pass in
