Re: [Wikitech-l] Linker::link() rewrite

2016-05-16 Thread Chris Steipp
Is there any way we can default to having the body of the link not be passed as html? It's called $html, well documented that it's raw html, and I've lost track of the number of times people pass unsanitized text to it. I'd rather it not be something developers have to worry about, unless they know

Re: [Wikitech-l] Reviving SVG client-side rendering task

2016-05-11 Thread Chris Steipp
On Thu, May 5, 2016 at 6:49 AM, Brion Vibber wrote: > > And then there are long term goals of taking more advantage of SVG's dynamic > nature -- making things animated or interactive. That's a much bigger > question and has implementation and security issues! Sorry for the late response (and if

Re: [Wikitech-l] REL1_27 branches up

2016-05-05 Thread Chris Steipp
On Thu, May 5, 2016 at 8:50 AM, Chad wrote: > On Thu, May 5, 2016 at 8:19 AM Gergo Tisza wrote: > > > On Thu, May 5, 2016 at 4:31 PM, Chad wrote: > > > > > Well then it sounds like it won't make the 1.27 release. We've known > > > this branching was coming for the last 6 months :) > > > > > > >

Re: [Wikitech-l] Docs, use of, and admin privileges for wikimedia github project?

2016-04-25 Thread Chris Steipp
On Mon, Apr 25, 2016 at 8:34 AM, Bryan Davis wrote: > Not that I am aware of. Rights there tend to work a lot like getting > elevated rights on mediawiki.org: the rights are handed out by > existing admins when somebody asks for something that will be easily > solved by giving them rights. I thin

[Wikitech-l] Wikitech two-factor authentication

2016-03-26 Thread Chris Steipp
Hi all, tl;dr: if you enabled two-factor authentication on your wikitech.wikimedia.org account this past week (since 23 March, 22:03 UTC), the second factor may have been removed, and you should re-enable it. The long version: Several users in the past few days reported that they had 2FA required

Re: [Wikitech-l] How to do redirect 'the right way' when OutputPage::prepareErrorPage is triggered

2016-03-07 Thread Chris Steipp
On Mon, Mar 7, 2016 at 10:32 AM, Victor Danilchenko < vdanilche...@cimpress.com> wrote: > My simple solution to this is to forcibly invoke OutputPage::Output on the > spot, right there in the 'BeforeInitialize' hook: > > $this->output->redirect($https_url, 301); > $this->output->output(); > That'

Re: [Wikitech-l] Unable to log into phabricator

2016-01-29 Thread Chris Steipp
Hi Devang, I see from https://phabricator.wikimedia.org/p/dg711/ that the MediaWiki account you're associated with is https://www.mediawiki.org/wiki/User:Devang_gaur. Just making sure that's the account you're logging in with on wiki, right? Due to issues with sessionmanager on wiki, you might tr

Re: [Wikitech-l] Tech Talk: Secure Coding For MediaWiki Developers: December 09

2015-12-09 Thread Chris Steipp
Just a reminder this is starting in one hour! On Thu, Dec 3, 2015 at 1:54 PM, Rachel Farrand wrote: > Please join for the following tech talk: > > *Tech Talk**:* Secure Coding For MediaWiki Developers > *Presenter:* Darian Patrick > *Date:* December 09, 2015 > *Time: *23:00 UTC > < > http://www.

Re: [Wikitech-l] The case for a MediaWiki LTS release

2015-12-03 Thread Chris Steipp
On Thursday, December 3, 2015, Chad wrote: > On Thu, Dec 3, 2015 at 1:25 AM Legoktm > wrote: > > > I think it would be helpful if other people who use LTS could share > > their motivations for doing so, and if the release/security teams could > > share what issues make LTS release support proble

Re: [Wikitech-l] Peer-to-peer sharing of the content of Wikipedia through WebRTC

2015-11-30 Thread Chris Steipp
On Sat, Nov 28, 2015 at 1:36 PM, Yeongjin Jang wrote: > > *Privacy concerns - Would a malicious person be able to force > > themselves to be someone's preferred peer, and spy on everything they > > read, etc. > > > > *DOS concerns - Would a malicious peer or peers be able to prevent an > > honest

Re: [Wikitech-l] Gerrit +1 now executes the code you reviewed

2015-11-17 Thread Chris Steipp
Just to clarify, this is a +1 from a user who has +2 rights? Whereas a +1 from some random user will not initiate the tests? On Tue, Nov 17, 2015 at 10:20 AM, Jan Zerebecki wrote: > I just merged and deployed https://gerrit.wikimedia.org/r/#/c/184886/ , > which means: > A +1 in gerrit.w.o didn't

Re: [Wikitech-l] Random rant

2015-10-28 Thread Chris Steipp
On Wed, Oct 28, 2015 at 9:10 AM, Aaron Halfaker wrote: > Is there a clearly good reason that we need to continue this review > process? If not, I find it very frustrating that we're slowing things down > so much because of imagined boogie-men. The idea of > permission-just-in-case-someone-does-

Re: [Wikitech-l] Random rant

2015-10-28 Thread Chris Steipp
On Tue, Oct 27, 2015 at 11:23 PM, Brian Wolff wrote: > On 10/27/15, Ricordisamoa wrote: > > ALL of my OAuth applications expired without anyone noticing. Whom am I > > supposed to lobby to get one approved? > > > > ___ > > Wikitech-l mailing list > > W

Re: [Wikitech-l] OAuth issue -- adding new consumer

2015-10-16 Thread Chris Steipp
Ivo, Can you maybe describe what issues you're having? There are several people who can help with OAuth, but finding the right person based on, what language your Consumer is written, what framework you're using, or the exact issue you're having, will be easier with more details. On Fri, Oct 16,

Re: [Wikitech-l] LDAP extension ownership

2015-09-21 Thread Chris Steipp
On Sep 19, 2015 11:15 AM, "bawolff" wrote: > > maintain is an ambiguous word. WMF has some responsibility to all the > extensions deployed on cluster (imo). If Devunt (and any others who > were knowledgeable of the Josa extension) disappeared, WMF would > default to becoming responsible for the se

Re: [Wikitech-l] [ Writing a MediaWiki extension for deployment ]

2015-07-07 Thread Chris Steipp
On Tue, Jul 7, 2015 at 9:17 AM, Paula wrote: > Hello again, > May I have the contact of somebody from the developing team under the OAuth > extension? > Hi Paula, I'm one of the developers on that extension. As bawolff said, feel free to ask here. If you're curious about something, someone else

[Wikitech-l] [MediaWiki-announce] MediaWiki bug fix release 1.25.1

2015-05-25 Thread Chris Steipp
Hello everyone, The ConfirmEdit extension in the 1.25.0 tarball contained a syntax error in two JSON files. We deeply apologize for this error, and thanks to Paul Villiger for reporting the issue. A new 1.25.1 tarball has been released which fixes the issue. Users using git can update to the lates

Re: [Wikitech-l] sshd config: using newer ciphers and protocols

2015-05-22 Thread Chris Steipp
On Fri, May 22, 2015 at 1:37 PM, MZMcBride wrote: > Re: , do you know if there's any > documentation about what has replaced agent forwarding for deployments? > It's been replace by having deployers use a shared ssh agent (accessed through a proxy to log us

[Wikitech-l] Welcome Darian Patrick

2015-05-19 Thread Chris Steipp
Hi all, I'd like to introduce Darian Anthony Patrick, our new Application Security Engineer for the foundation! Darian joins me as a member of the newly formed Security Team. He comes from Aspect Security, where he provided code/architecture reviews and pen testing to large national and internatio

Re: [Wikitech-l] Why doesn't en.m.wikipedia.org allow framing?

2015-05-15 Thread Chris Steipp
On May 15, 2015 2:14 PM, "Jacek Wielemborek" wrote: > > Hello, > > I tried to discuss this on #wikimedia-mobile on Freenode, but nobody > could explain this to me: > > I'm building a website that allows the users to view Wikipedia changes > correlated to rDNS names of their editors and I wanted to

Re: [Wikitech-l] [Social-media] Improving the security of our users on Wikimedia sites

2015-04-27 Thread Chris Steipp
On Mon, Apr 27, 2015 at 2:32 PM, Strainu wrote: > 2015-04-27 18:51 GMT+03:00 Chris Steipp : > > Hi Strainu, > > Thanks for the additional information Chris! > > > > > We were trying to balance how much data vs summary information to give to > > people, but yo

Re: [Wikitech-l] [Social-media] Improving the security of our users on Wikimedia sites

2015-04-27 Thread Chris Steipp
nu > > 2015-04-21 4:41 GMT+03:00 Pine W : > > Thanks for your work on this, Chris. > > > > Forwarding to Wikitech-l. > > > > Pine > > On Apr 20, 2015 4:58 PM, "Chris Steipp" wrote: > > > >> > >> On Apr 20, 2015 4:13 PM, &qu

[Wikitech-l] MediaWiki Security and Maintenance Releases: 1.19.24, 1.23.9, and 1.24.2

2015-03-31 Thread Chris Steipp
I would like to announce the release of MediaWiki 1.24.2, 1.23.9 and 1.19.24. These releases fix 10 security issues, in addition to other bug fixes. Download links are given at the end of this email. == Security fixes == * iSEC Partners discovered a way to circumvent the SVG MIME blacklist for e

[Wikitech-l] Pre-Release Announcement for MediaWiki 1.19.24, 1.23.9, 1.24.2

2015-03-30 Thread Chris Steipp
This is a notice that on Tuesday, March 31st between 21:00-22:00 UTC (2-3pm PDT) Wikimedia Foundation will release security updates for current and supported branches of the MediaWiki software. Downloads and patches will be available at that time. ___ Wik

Re: [Wikitech-l] [GSoC] An enhanced cross-wiki watchlist as an OAuth tool - looking for mentors

2015-03-19 Thread Chris Steipp
If any potential mentors are worried about the OAuth piece, I can help with that. Although I think OAuth is a pretty small piece of this project. On Thu, Mar 19, 2015 at 5:21 AM, Quim Gil wrote: > (Jan is looking for GSoC mentors, and the deadline for submitting proposals > with mentors is 27 Ma

Re: [Wikitech-l] Tor proxy with blinded tokens

2015-03-11 Thread Chris Steipp
On Mar 11, 2015 2:23 AM, "Gergo Tisza" wrote: > > On Tue, Mar 10, 2015 at 5:40 PM, Chris Steipp wrote: > > > I'm actually envisioning that the user would edit through the third party's > > proxy (via OAuth, linked to the new, "Special Account"

Re: [Wikitech-l] Tor proxy with blinded tokens

2015-03-10 Thread Chris Steipp
On Tue, Mar 10, 2015 at 5:06 PM, Kevin Wayne Williams < kwwilli...@kwwilliams.com> wrote: > Wikipedia isn't worth endangering oneself over, and we shouldn't encourage > the delusion that any technical measure will change that. How do you know today what topics are going to endanger you next week

Re: [Wikitech-l] Tor proxy with blinded tokens

2015-03-10 Thread Chris Steipp
On Tue, Mar 10, 2015 at 2:58 PM, Risker wrote: > > > > > > > > > > Also I'm a little unclear about something. If a "Tor-enabled" > account > > > creates new accounts, will those accounts be able to edit through Tor, > > > too? > > > > The account creation would come from the proxy, so the wik

Re: [Wikitech-l] Tor proxy with blinded tokens

2015-03-10 Thread Chris Steipp
r, > too? The account creation would come from the proxy, so the wiki would have to trust that the proxy is only handing out accounts to users who have been > > Risker/Anne > > On 10 March 2015 at 14:33, Chris Steipp wrote: > > > On Tue, Mar 10, 2015 at 10:39 AM, Ris

Re: [Wikitech-l] Tor proxy with blinded tokens

2015-03-10 Thread Chris Steipp
On Tue, Mar 10, 2015 at 10:39 AM, Risker wrote: > A few questions on this: > > >- So, this would result in the creation of a new account, correct? If >so, most of the security is lost by the enwiki policy of requiring > linking >to one's other accounts, and if the user edited in the

Re: [Wikitech-l] Tor proxy with blinded tokens

2015-03-10 Thread Chris Steipp
On Tue, Mar 10, 2015 at 10:16 AM, Giuseppe Lavagetto < glavage...@wikimedia.org> wrote: > Hi Chris, > > I like the idea in general, in particular the fact that only > "established" editors can ask for the tokens. What I don't get is why > this proxy should be run by someone that is not the WMF, gi

Re: [Wikitech-l] Tor proxy with blinded tokens

2015-03-10 Thread Chris Steipp
On Tue, Mar 10, 2015 at 7:45 AM, Kevin Wayne Williams < kwwilli...@kwwilliams.com> wrote: > Chris Steipp wrote on 2015/03/10 at 7:23: > >> Jacob Applebaum made another remark about editing Wikipedia via tor this >> morning. Since it's been a couple months since t

[Wikitech-l] Tor proxy with blinded tokens

2015-03-10 Thread Chris Steipp
Jacob Applebaum made another remark about editing Wikipedia via tor this morning. Since it's been a couple months since the last tor bashing thread, I wanted to throw out a slightly more modest proposal to see what people think. This is getting some interest from a few people: https://zyan.scripts

Re: [Wikitech-l] E-mail login to wiki - needs feedback

2015-02-19 Thread Chris Steipp
On Thu, Feb 19, 2015 at 6:44 AM, Marc A. Pelletier wrote: > That would be a catastrophe, from a privacy standpoint; even if we restrict > this to verified email addresses, there is no possible guarantee that the > person who controlled email address x@y in the past is the person who > controls it t

Re: [Wikitech-l] Who moved my cheese?

2015-02-12 Thread Chris Steipp
I don't think we need to announce every change that requires running update.php-- that's pretty common, and (most importantly, imho) the error messages you get when that happens make it pretty obvious what you need to do. But +1 for standardizing where breaking changes are announced. I hit the iss

Re: [Wikitech-l] Why there is no authentication mechanism for desktop applications

2015-02-11 Thread Chris Steipp
On Wednesday, February 11, 2015, Guillaume Paumier wrote: > Hello, > > On Wednesday, 11 February 2015, 16:59:45, Petr Bena wrote: > > > > We have OAuth for browser based programs. But nothing for desktop > > applications that are being used by users. (Like AWB etc). > > > It sounds pretty simple t

Re: [Wikitech-l] New feature: tool edit

2015-02-11 Thread Chris Steipp
On Wed, Feb 11, 2015 at 5:07 AM, This, that and the other wrote: > How does a user prove that they're using a particular tool a way that can't > be faked? Something like OAuth comes to mind. All edits made via an OAuth > consumer are already tagged with a unique tag, and I would assume that it is

Re: [Wikitech-l] Changing contentmodel of pages

2015-01-24 Thread Chris Steipp
On Jan 23, 2015 8:43 PM, "Matthew Flaschen" wrote: > > On 01/22/2015 10:00 PM, Legoktm wrote: >> >> I disagree that we need a "editcontentmodel" user right. I think all >> users should be allowed to change the content model of a page (provided >> they have the right to edit it, etc.). > > > I thin

Re: [Wikitech-l] Our CAPTCHA is very unfriendly

2014-12-04 Thread Chris Steipp
On Wed, Dec 3, 2014 at 9:15 PM, Chad wrote: > On Wed Dec 03 2014 at 8:18:53 PM MZMcBride wrote: > >> svetlana wrote: >> >On Thu, 4 Dec 2014, at 15:02, MZMcBride wrote: >> >> >> >> We disabled the CAPTCHA entirely on test.wikipedia.org a few weeks ago. >> >> The wiki seems to be about the same. It

[Wikitech-l] Visibility of "action" in API for deleted log entries

2014-12-01 Thread Chris Steipp
Hi list, I wanted to get some feedback about https://phabricator.wikimedia.org/T74222. In the last security release, I changed the return of the api to remove the "action" for log entries that had been revdeleted with "Hide action and target". However, ever since 2009 / r46917, we've assumed that

Re: [Wikitech-l] Our CAPTCHA is very unfriendly

2014-11-10 Thread Chris Steipp
On Sunday, November 9, 2014, Platonides wrote: > On 07/11/14 02:52, Jon Harald Søby wrote: > >> The main concern is obviously that it is really hard to read, but there >> are >> also some other issues, namely that all the fields in the user >> registration >> form (except for the username) are wi

Re: [Wikitech-l] MediaWiki:Common.js and MediaWiki:Common.css blocked on Special:Login and Special:Preferences

2014-11-07 Thread Chris Steipp
On Thursday, November 6, 2014, Daniel Friesen wrote: > On 2014-11-06 4:45 PM, Chris Steipp wrote: > > On Thu, Nov 6, 2014 at 11:41 AM, Derric Atzrott > > > wrote: > >> This seems completely reasonable to me. I'd merge is personally. Is > there > >>

Re: [Wikitech-l] MediaWiki:Common.js and MediaWiki:Common.css blocked on Special:Login and Special:Preferences

2014-11-06 Thread Chris Steipp
On Thu, Nov 6, 2014 at 11:41 AM, Derric Atzrott wrote: > This seems completely reasonable to me. I'd merge it personally. Is there > any reason not to? It's fairly easy to inject javascript via css, so merging that patch means an admin can run javascript on the login/preferences page, while we s

Re: [Wikitech-l] Changing edit token length

2014-10-20 Thread Chris Steipp
On Mon, Oct 20, 2014 at 11:00 AM, Zack Weinberg wrote: > On Mon, Oct 20, 2014 at 1:38 PM, Chris Steipp wrote: >> * Tokens can be time limited. By default they won't be, but this puts >> the plumbing in place if it makes sense to do that on any token checks >> in t

[Wikitech-l] Changing edit token length

2014-10-20 Thread Chris Steipp
Hi list, tl;dr: If you use a fixed length buffer to store edit tokens, you'll need to update your code. I'm planning to +2 https://gerrit.wikimedia.org/r/#/c/156336/ in the next day or so. That provides for two hardening measures: * Tokens can be time limited. By default they won't be, but this

Re: [Wikitech-l] Tor and Anonymous Users (I know, we've had this discussion a million times)

2014-10-13 Thread Chris Steipp
On Mon, Oct 13, 2014 at 9:10 AM, Derric Atzrott wrote: >> Although my suggestion is similar in kind to what had already been proposed, >> the main objection to it was that it would create too much work for our >> already constrained resources. The addition of rate limiting is a technical >> solution

[Wikitech-l] Security fixes for CentralAuth and MobileFrontend extensions

2014-10-08 Thread Chris Steipp
A number of security issues in MediaWiki extensions have been fixed. Users of these extensions should update to the latest version. * CentralAuth: Internal review found multiple issues that have been resolved: ** (bug 70469) Special:MergeAccount fa

[Wikitech-l] OAuth and callbacks

2014-08-27 Thread Chris Steipp
For those who run one of our 76(!) approved OAuth apps, or are using the OAuth extension on their own wiki... We have a patch [1] from Mitar to allow OAuth apps to pass a configurable callback during the OAuth handshake. This will probably make a lot of app authors' lives easier, but can also open up a

Re: [Wikitech-l] News about stolen Internet credentials; reducing Wikimedia reliance on usernames and passwords

2014-08-07 Thread Chris Steipp
On Wed, Aug 6, 2014 at 8:26 AM, Tyler Romeo wrote: > In terms of external authentication, we need Extension:OpenID to catch up to > the OpenID standard in order to do that. > > In terms of two-factor, I have like eight patches for Extension:OATHAuth > attempting to make it production-worthy. > >

Re: [Wikitech-l] Release Engineering team (new! improved!)

2014-07-29 Thread Chris Steipp
On Tue, Jul 29, 2014 at 2:06 PM, Pine W wrote: > The everyday difference that this change makes may be trivial, but it makes > sense to me to think of QA (and Security Engineering) as being part of > RelEng. I doubt we disagree too much, but I'll put on my security evangelist hat and get on my so

Re: [Wikitech-l] Release Engineering team (new! improved!)

2014-07-29 Thread Chris Steipp
On Tue, Jul 29, 2014 at 11:58 AM, Pine W wrote: > To clarify, is the QA team now under Release Engineering as Chris' comment > seems to imply, and how does this org change affect security engineering? For now, I (the only security engineer) am staying in core, although much of my role spans both

Re: [Wikitech-l] logging out on one device logs user out everywhere

2014-07-23 Thread Chris Steipp
On Tuesday, July 22, 2014, MZMcBride wrote: > Chris Steipp wrote: > >I think this should be managed similar to https-- a site preference, > >and users can override the site config with a user preference. > > Please no. There's been a dedicated effort in 2014 to r

Re: [Wikitech-l] logging out on one device logs user out everywhere

2014-07-22 Thread Chris Steipp
Cool. My $.02 on the feature, I think this should be managed similar to https-- a site preference, and users can override the site config with a user preference. I'd prefer if we could make the site preference (logout all sessions, or logout only the current session) to be configurable, so we can

Re: [Wikitech-l] Anonymous editors & IP addresses

2014-07-11 Thread Chris Steipp
On Friday, July 11, 2014, Daniel Kinzler wrote: > On 11.07.2014 17:19, Tyler Romeo wrote: > > Most likely, we would encrypt the IP with AES or something using a > > configuration-based secret key. That way checkusers can still reverse the > > hash back into normal IP addresses without having to

Re: [Wikitech-l] MediaWiki Bug Bounty Program

2014-06-25 Thread Chris Steipp
On Wed, Jun 25, 2014 at 5:49 PM, Alex Monk wrote: > Chris, why don't we leave privacy policy compliance to the users posting on > the bug? Wikimedia personal user data shouldn't be going to the security > product. There are a few cases where there may be legitimate private data in a security bug

Re: [Wikitech-l] MediaWiki Bug Bounty Program

2014-06-25 Thread Chris Steipp
On Wed, Jun 25, 2014 at 4:28 PM, Tyler Romeo wrote: > Hey everybody, > > So today at the iSEC Partners security open forum I heard a talk from Zane > Lackey, > the former security lead for Etsy, concerning the effectiveness of bug > bounties. > > He made two points: > > 1) Bug bounties are unlikel

Re: [Wikitech-l] Browser tests for core

2014-06-24 Thread Chris Steipp
On Jun 24, 2014 6:13 PM, "Dan Garry" wrote: > > On 24 June 2014 17:05, Risker wrote: > > > > Sorry to be a bit OT, but if you guys are going to test, please don't do it > > in article space on enwiki, or this is what is going to happen to the > > accounts. We've had to almost kick WMF staff off

[Wikitech-l] Browser tests for core

2014-06-24 Thread Chris Steipp
I just +2'ed a change to add a few basic selenium tests to core [1]. I think it will benefit us all to have a set of automated tests to quickly make sure mediawiki is working correctly. From a security perspective, this also takes a step towards more efficient security testing, which I'm also a fan

Re: [Wikitech-l] SVG linking of external images/bitmaps - xlink:href should support http(s) resources

2014-06-20 Thread Chris Steipp
On Thu, Jun 19, 2014 at 11:15 PM, "Christian Müller" wrote: >> Sent: Tuesday, 27 May 2014 at 21:21 >> From: "Chris Steipp" >> To: "Wikimedia developers" >> Subject: Re: [Wikitech-l] SVG linking of external images/bitmaps - >> x

Re: [Wikitech-l] MW-Vagrant improvements at the Zürich Hackathon

2014-06-13 Thread Chris Steipp
n Davis wrote: > >> On Fri, May 16, 2014 at 2:40 PM, Arthur Richards >> wrote: >> > >> > CentralAuth/Multiwiki: >> > Bryan Davis, Chris Steipp, and Reedy spent a lot of time hacking on this, >> > and we now have support for multiwiki/CentralAuth in

Re: [Wikitech-l] Getting phpunit working with Vagrant

2014-06-13 Thread Chris Steipp
On Fri, Jun 13, 2014 at 10:44 AM, Jon Robson wrote: > Has anyone had success with this...? > > This is what happens when I try to run: > > master x ~/git/vagrant/mediawiki/tests/phpunit $ php phpunit.php > > Warning: require_once(/vagrant/LocalSettings.php): failed to open > stream: No such file o

Re: [Wikitech-l] Upgrading to 1.23

2014-06-12 Thread Chris Steipp
On Thu, Jun 12, 2014 at 10:15 AM, Beebe, Mary J wrote: > 4. General security vulnerabilities. - I would love to have any > specifics here. You can start with https://bugzilla.wikimedia.org/buglist.cgi?f1=product&f2=product&f3=creation_ts&f4=resolution&list_id=321311&o1=changedfrom&o2=equal

Re: [Wikitech-l] Help: Needed in OAuth

2014-06-05 Thread Chris Steipp
T). Feel free to ping me on IRC (csteipp) and I can try to walk you through. You may want to try this script here: https://www.mediawiki.org/wiki/User:CSteipp/OAuth_debug_client That should at least prove it's not a connectivity / curl issue. > > > On Thu, Jun 5, 2014 at 9:14 PM,

Re: [Wikitech-l] Hardening WP/WM against traffic analysis (take two)

2014-06-05 Thread Chris Steipp
On Thu, Jun 5, 2014 at 9:45 AM, Zack Weinberg wrote: > I'd like to restart the conversation about hardening Wikipedia (or > possibly Wikimedia in general) against traffic analysis. I brought > this up ... last November, I think, give or take a month? but it got > lost in a larger discussion abo

Re: [Wikitech-l] Help: Needed in OAuth

2014-06-05 Thread Chris Steipp
On Thursday, June 5, 2014, Amanpreet Singh wrote: > Thanks for quick reply, > I am just getting NULL after making an OAuth call and that callback wasn't > confirmed, I hope I am making call to correct url which is > > https://mediawiki.org/wiki/index.php?title=Special:OAuth/initiate&format=json&o

Re: [Wikitech-l] SVG linking of external images/bitmaps - xlink:href should support http(s) resources

2014-05-28 Thread Chris Steipp
On Tue, May 27, 2014 at 10:10 PM, Matthew Flaschen wrote: > On 05/27/2014 10:52 PM, Brian Wolff wrote: > >> I specifically said bits.wikimedia.org and upload.wikimedia.org (and not >>> >> commons.wikimedia.org), neither of which host user JavaScript. >> >>> >>> Matt Flaschen >>> >>> >>> >> Gadgets

Re: [Wikitech-l] SVG linking of external images/bitmaps - xlink:href should support http(s) resources

2014-05-27 Thread Chris Steipp
On Tue, May 27, 2014 at 9:37 AM, "Christian Müller" wrote: > Hi, > > > a recent discussion in > https://bugzilla.wikimedia.org/show_bug.cgi?id=65724#c3 > > revealed that parts of the SVG standard are deliberately broken on > commons. While I see some reasons to not adhere fully to the standard

Re: [Wikitech-l] Bot flags and human-made edits

2014-05-20 Thread Chris Steipp
On Tue, May 20, 2014 at 6:05 AM, Jon Robson wrote: > I'm confused. Why wouldn't you just mark a user account as being a bot and > simply determine bot edits from username alone? > Volume? Cluebot does a high volume of edits, but as mentioned, doesn't want the edit hidden from RC. > > Any other

Re: [Wikitech-l] Login to Wikimedia Phabricator with a GitHub/Google/etc account?

2014-05-16 Thread Chris Steipp
On May 16, 2014 5:20 PM, "Chad" wrote: > > On Fri, May 16, 2014 at 4:38 PM, MZMcBride wrote: > > > Chris Steipp wrote: > > >Accounts are kinda namespaced, so github user foo and sul user foo can > > >both have phabricator accounts. > > >

Re: [Wikitech-l] Login to Wikimedia Phabricator with a GitHub/Google/etc account?

2014-05-16 Thread Chris Steipp
On May 15, 2014 3:56 PM, "hoo" wrote: > > On Thu, 2014-05-15 at 14:20 -0700, Quim Gil wrote: > > This is a casual request for comments about the use of 3rd party > > authentication providers for our future Wikimedia Phabricator instance. > > > > Wikimedia Phabricator is expected to replace Bugzill

Re: [Wikitech-l] Vagrant CentralAuth role

2014-05-05 Thread Chris Steipp
I just found out about that from Ori too. Problem solved. Thanks! On Mon, May 5, 2014 at 12:42 PM, Bryan Davis wrote: > On Mon, May 5, 2014 at 1:17 PM, Chris Steipp > wrote: > > Different domains is closer to how we run things in production, but it > would > > require co

[Wikitech-l] Vagrant CentralAuth role

2014-05-05 Thread Chris Steipp
Hi all, I'm planning to spend some time in Zurich getting a centralauth role for vagrant working (part of https://www.mediawiki.org/wiki/Z%C3%BCrich_Hackathon_2014/Topics#Production-like_Vagrant). I wanted to get opinions (probably more bikeshed) about how you would like to access multiple wikis o

Re: [Wikitech-l] Fwd: Security precaution - Resetting all user sessions today

2014-04-08 Thread Chris Steipp
Due to the speed of the script, it will take a while for everyone to be logged out. If you hit this issue, logging out and logging in again seems to fix the problem. I'm still trying to track down why this is happening. On Tue, Apr 8, 2014 at 4:43 PM, Greg Grossmeier wrote: > Chris S is active

Re: [Wikitech-l] Optimizing our captcha images

2014-04-01 Thread Chris Steipp
I'm fairly sure not, although you might be able to run those from the logs. I would really like to see a feedback mechanism in fancycaptcha (or all captchas for that matter) so we could automatically run those numbers. On Tue, Apr 1, 2014 at 11:30 AM, Ryan Kaldari wrote: > Has anyone ever collect

Re: [Wikitech-l] CentralAuth questions

2014-03-27 Thread Chris Steipp
On Thu, Mar 27, 2014 at 6:01 PM, John wrote: > You can also use the localuser table in the CA database. > Yep. Localuser keeps track of the attachments, so any entry there for a username + wiki means the global username of the same name is attached on that wiki. It's all done via username, not u

Re: [Wikitech-l] HTML templating systems & MediaWiki - is this summary right?

2014-03-26 Thread Chris Steipp
hat one a lawful use case, you are right. The example > I provided does not help you. > > > On Wed, Mar 26, 2014 at 6:15 PM, Chris Steipp > wrote: > > > On Wed, Mar 26, 2014 at 9:44 AM, Daniel Friesen > > wrote: > > > > > On 2014-03-26, 9:32 AM,

Re: [Wikitech-l] HTML templating systems & MediaWiki - is this summary right?

2014-03-26 Thread Chris Steipp
ouldn't quote the text, but should instead remove space characters? > The line above is doing a lot > more than purely templating and on my opinion it does little to separate > data and markup. Which is the very point of having a template engine. > > But if you consider that one a

Re: [Wikitech-l] HTML templating systems & MediaWiki - is this summary right?

2014-03-26 Thread Chris Steipp
On Wed, Mar 26, 2014 at 9:44 AM, Daniel Friesen wrote: > On 2014-03-26, 9:32 AM, Nuria Ruiz wrote: > >> The issue is that they apply the same escaping, regardless of the > >> html context. So, in Twig and mustache, > is > >> vulnerable, if something is set to "1234 onClick=doSomething()". > > Rig

Re: [Wikitech-l] HTML templating systems & MediaWiki - is this summary right?

2014-03-26 Thread Chris Steipp
rable, if something is set to "1234 onClick=doSomething()". So policy/code review is needed to say that attributes with user-supplied data must be quoted in a way compatible with the templating engine (' or " for Twig, " for Mustache since Mustache doesn't escape single quot

Re: [Wikitech-l] HTML templating systems & MediaWiki - is this summary right?

2014-03-19 Thread Chris Steipp
templating system. > > Template approaches which are competing?: > * MVC framework - Wikia has written their own templating library that > Wikia uses (Nirvana). Owen Davis is talking about this tomorrow in the > RFC review meeting. > https://www.mediawiki.org/wiki/Requests_for_comme

Re: [Wikitech-l] OAuth upload

2014-03-19 Thread Chris Steipp
I'm guessing the crop tool developer figured it out. That's not one use case I have code for. If anyone has written code, I'd love a link to it so I can get a demo posted. There is a trick to getting the form type right, since OAuth's spec explicitly specified out doesn't work with multipart forms

Re: [Wikitech-l] MediaWiki, Cookies and EU Privacy Policy 95/46/EG

2014-03-10 Thread Chris Steipp
On Mon, Mar 10, 2014 at 8:46 AM, Manuel Schneider < manuel.schnei...@wikimedia.ch> wrote: > Dear all, > > not sure if this discussion already happens somewhere else, I couldn't > find it on MediaWiki.org or by googling. > > The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of > cook

Re: [Wikitech-l] Gerrit Commit Wars

2014-03-06 Thread Chris Steipp
On Thu, Mar 6, 2014 at 4:08 PM, Erik Bernhardson wrote: > > Does core have any policies related to merging? The core features team > has adopted a methodology(although slightly different) that we learned of > from the VE team. Essentially +2 for 24 hours before a deployment branch > is cut is l

Re: [Wikitech-l] Two factor auth reset needed on wikitech

2014-02-28 Thread Chris Steipp
Correct, the scratch codes are the only way to login. If you don't have this, you'll have to get someone to remove your preference in the db. On Feb 28, 2014 1:32 PM, "Matthew Walker" wrote: > Don't have them :p > > ~Matt Walker > Wikimedia Foundation > Fundraising Technology Team > > > On Fri,

Re: [Wikitech-l] MediaWiki Security and Maintenance Releases: 1.22.3, 1.21.6 and 1.19.12

2014-02-28 Thread Chris Steipp
That was a mistake this release. We'll continue those going forward. On Feb 27, 2014 7:56 PM, "Matthew Walker" wrote: > I note that there are security fixes in these release's -- did I miss > Chris' email about these patches or are we moving away from the model where > we send out an email to the

Re: [Wikitech-l] Drop support for PHP 5.3

2014-02-24 Thread Chris Steipp
I know a few people who will be happy if they can keep running on stock rhel6 (5.3). That would also mean epel can package 1.23. After 1.19 is when we went to 5.3, so I think following precedent is good too. On Feb 23, 2014 6:04 PM, "Chad" wrote: > +1 here as well. Let's look at this for 1.24 :)

Re: [Wikitech-l] deploying the most recent MediaWiki code: which branch?

2014-02-20 Thread Chris Steipp
On Thu, Feb 20, 2014 at 2:37 PM, Ryan Lane wrote: > Note that unless you're willing to keep up to date with WMF's relatively > fast pace of branching, you're going to miss security updates. No matter > what, if you use git you're going to get security updates slower, since > they are released int

Re: [Wikitech-l] Let's improve our password policy

2014-02-11 Thread Chris Steipp
On Sat, Feb 8, 2014 at 8:14 AM, Brian Wolff wrote: > On 2/7/14, Steven Walling wrote: > > If feel like I should reiterate why I proposed this change. Maybe no one > > cares, but I think it might help convince folks this is NOT an argument > for > > "let's reduce user freedom in the name of secur

Re: [Wikitech-l] Password Hash

2014-02-06 Thread Chris Steipp
On Wed, Feb 5, 2014 at 8:26 PM, C. Scott Ananian wrote: > Password hashing algorithms are not the same as general hash algorithms. I > would prefer we didn't use whirlpool; it is "recommended by NESSIE and ISO" > as a hash function, but as a password hash. CWE916 recommends "bcrypt, > scrypt, an

Re: [Wikitech-l] Let's improve our password policy

2014-02-06 Thread Chris Steipp
On Wed, Feb 5, 2014 at 8:00 PM, MZMcBride wrote: > Hi. > > Tyler Romeo wrote: > >On Wed, Feb 5, 2014 at 2:20 AM, MZMcBride wrote: > >> Ultimately, account security is a user's prerogative. [...] Banks and > >>even e-mail providers have reason to implement stricter authentication > >>requirements

Re: [Wikitech-l] Password Hash

2014-02-05 Thread Chris Steipp
On Wed, Feb 5, 2014 at 3:08 PM, Zachary Harris wrote: > tl;dr PBKDF2 and bcrypt are both perfectly acceptable for security. > > > PBKDF2 and bcrypt, as well as scrypt, are all well regarded by current > infosec industry standards (with "current" being a key word). " While > there is active debate

Re: [Wikitech-l] Password Hash

2014-02-05 Thread Chris Steipp
specific to > password_hash()? Any concerns or a non-issue? Note that some non-Latin > strings can only fit 24 chars in 72 bytes of UTF-8. Long enough for most > passwords, but some people like passphrases. :) > It's an issue with bcrypt itself (only uses 18 32-bit keys). Good
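The 72-byte limit discussed above, as an added example (editor's code, not MediaWiki's password handling): bcrypt feeds at most 72 bytes of the password into Blowfish's key schedule (the 18 32-bit P-array words), and PHP's `PASSWORD_BCRYPT` backend has historically truncated longer input silently; check the behaviour of the PHP release you run. The passphrases, the `sha256-` tag and the `preHashedBcrypt()`/`preHashedVerify()` helpers are this example's own.

```php
<?php
// Added example (not MediaWiki code): bcrypt only uses the first 72 bytes of
// the password (18 32-bit P-array words), so two long passphrases that agree
// on their first 72 bytes verify against each other's hash. Pre-hashing to a
// fixed-length, NUL-free digest makes every byte count. Inputs are constructed.

declare(strict_types=1);

const BCRYPT_MAX_BYTES = 72;

/** Plain bcrypt, exactly as password_hash() does it. */
function bcryptHash(string $password, int $cost = 10): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

/**
 * bcrypt over a hex SHA-256 digest of the password. Hex output is 64 bytes
 * (under 72) and can never contain 0x00, which some bcrypt implementations
 * treat as a C-string terminator. The "sha256-" prefix is this example's
 * own versioning tag so old and new hashes can coexist during a migration.
 */
function preHashedBcrypt(string $password, int $cost = 10): string {
    return 'sha256-' . password_hash(hash('sha256', $password), PASSWORD_BCRYPT, ['cost' => $cost]);
}

function preHashedVerify(string $password, string $stored): bool {
    if (strncmp($stored, 'sha256-', 7) !== 0) {
        return false;
    }
    return password_verify(hash('sha256', $password), substr($stored, 7));
}

// Two constructed passphrases that share their first 72 bytes and differ after.
$common = str_repeat('correct horse battery staple ', 3);   // 87 bytes
$a = substr($common, 0, BCRYPT_MAX_BYTES) . 'alpha';
$b = substr($common, 0, BCRYPT_MAX_BYTES) . 'bravo';

$plain = bcryptHash($a);
printf("plain bcrypt, wrong passphrase with same first 72 bytes: %s\n",
    password_verify($b, $plain) ? 'ACCEPTED (input was truncated)' : 'rejected');

$wrapped = preHashedBcrypt($a);
printf("pre-hashed bcrypt, wrong passphrase with same first 72 bytes: %s\n",
    preHashedVerify($b, $wrapped) ? 'accepted' : 'REJECTED (all bytes count)');
printf("pre-hashed bcrypt, correct passphrase: %s\n",
    preHashedVerify($a, $wrapped) ? 'accepted' : 'rejected');
```

The pre-hash has to be applied identically at hash time and at verify time, which is why the stored value carries a tag: existing plain-bcrypt hashes keep verifying through `password_verify()` and can be re-hashed on the user's next successful login. Pre-hashing does not change bcrypt's own cost parameter, so the work factor is chosen exactly as before.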

[Wikitech-l] Password Hash

2014-02-05 Thread Chris Steipp
Hi all, I wanted to bikeshed just a little bit, to make sure there is some consensus. tl;dr We're upgrading the password hash used to store passwords to make offline cracking more difficult. In doing that, we need to set one of the options as default. Speak up if you have strong feelings about one
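Choosing the work factor for the two candidate defaults named in this thread (bcrypt cost, PBKDF2 iterations), as an added example (editor's code, not MediaWiki's): each is calibrated against a time budget on the machine that will verify logins instead of being hard-coded. The 100 ms budget, the probe values and the helper names are assumptions; it uses `password_hash()` and `hash_pbkdf2()` from PHP's standard library.

```php
<?php
// Added example (not MediaWiki code): pick the work factor for the candidate
// default hashes against a per-login time budget measured on this hardware.
// The budget and the starting points are assumptions for the demonstration.

declare(strict_types=1);

/** Average milliseconds one call of $fn takes over $reps runs. */
function timeMs(callable $fn, int $reps = 3): float {
    $start = hrtime(true);
    for ($i = 0; $i < $reps; $i++) {
        $fn();
    }
    return (hrtime(true) - $start) / 1e6 / $reps;
}

/** Smallest bcrypt cost whose hash time reaches $budgetMs (bcrypt caps cost at 31). */
function calibrateBcryptCost(float $budgetMs, int $cost = 4): int {
    $pw = 'calibration-only';
    while ($cost < 31) {
        $ms = timeMs(fn() => password_hash($pw, PASSWORD_BCRYPT, ['cost' => $cost]));
        if ($ms >= $budgetMs) {
            break;
        }
        $cost++;   // each step doubles the work, so the loop is short
    }
    return $cost;
}

/** PBKDF2-SHA256 iteration count that reaches $budgetMs, scaled linearly from a probe run. */
function calibratePbkdf2Iterations(float $budgetMs, int $probeIterations = 10000): int {
    $pw   = 'calibration-only';
    $salt = random_bytes(16);
    $ms = timeMs(fn() => hash_pbkdf2('sha256', $pw, $salt, $probeIterations, 32, true));
    $iterations = (int) ceil($probeIterations * $budgetMs / max($ms, 0.001));
    return max($iterations, $probeIterations);   // never go below the probe count
}

$budgetMs = 100.0;   // assumed budget per login verification on this host
$cost  = calibrateBcryptCost($budgetMs);
$iters = calibratePbkdf2Iterations($budgetMs);

printf("bcrypt cost for ~%.0f ms: %d\n", $budgetMs, $cost);
printf("PBKDF2-SHA256 iterations for ~%.0f ms: %d\n", $budgetMs, $iters);

// Hash and verify with the chosen bcrypt parameter.
$hash = password_hash('example passphrase', PASSWORD_BCRYPT, ['cost' => $cost]);
var_dump(password_verify('example passphrase', $hash));
```

Calibrate on the slowest class of machine that will verify logins, not on a developer laptop, and re-run the calibration when hardware changes; bcrypt's cost is logarithmic (each increment doubles the time) while PBKDF2's iteration count is linear, which is why the two functions search differently.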

[Wikitech-l] Please update for the latest security patch

2014-02-03 Thread Chris Steipp
Hi lists, If you haven't patched with the last security release, or know of a wiki that hasn't patched yet, please do so immediately. An exploit was released on the full disclosure mailing list over the weekend[1] that targets the vulnerability in the PdfHandler extension. If you're not able to p

[Wikitech-l] MediaWiki Security Releases: 1.22.2, 1.21.5 and 1.19.11

2014-01-28 Thread Chris Steipp
I would like to announce the release of MediaWiki 1.22.2, 1.21.5 and 1.19.11. Your MediaWiki installation is affected by a remote code execution vulnerability if you have enabled file upload support for DjVu (natively supported by MediaWiki) or PDF files (in combination with the PdfHandler extensi

[Wikitech-l] Pre-Release Announcement for MediaWiki 1.22.2, 1.21.5, and 1.19.11

2014-01-27 Thread Chris Steipp
This is a notice that on Tuesday, Jan 28th between 21:00-22:00 UTC (1-2pm PST) Wikimedia Foundation will release critical security updates for current and supported branches of the MediaWiki software and extensions. Downloads and patches will be available at that time, with the git repositories upd

Re: [Wikitech-l] How to collaborate when writing OAuth applications?

2014-01-21 Thread Chris Steipp
Yeah, it's not possible to drop it yourself yet. Let me, or any oauth admin (stewards) know that you want it dropped, and we can reject it. On Jan 21, 2014 6:31 AM, "Dan Andreescu" wrote: > > > > Another question is: i would like to drop my first "test-app" > > consumer. How can I do it? > > >

[Wikitech-l] MediaWiki Security Releases: 1.22.1, 1.21.4 and 1.19.10

2014-01-13 Thread Chris Steipp
I would like to announce the release of MediaWiki 1.22.1, 1.21.4 and 1.19.10. These releases fix a number of security related bugs that could affect users of MediaWiki. In addition, MediaWiki 1.22.1 is a maintenance release. It fixes several bugs. You can consult the RELEASE-NOTES-1.22 file for the

Re: [Wikitech-l] Jake requests enabling access and edit access to Wikipedia via TOR

2014-01-13 Thread Chris Steipp
On Mon, Jan 13, 2014 at 8:32 AM, Zack Weinberg wrote: > To satisfy Applebaum's request, there needs to be a mechanism whereby > someone can edit even if *all of their communications with Wikipedia, > including the initial contact* are coming over Tor or equivalent. > Blinded, costly-to-create han

[Wikitech-l] Pre-Release Announcement for MediaWiki 1.19.10, 1.21.4, and 1.22.1

2014-01-10 Thread Chris Steipp
This is a notice that on Tuesday, January 14th between 00:00-01:00 UTC (*Monday* January 13th, 4-5pm PST) Wikimedia Foundation will release security updates for current and supported branches of the MediaWiki software, as well as several extensions. Downloads and patches will be available at that t
