Hi list, tl;dr: If you use a fixed length buffer to store edit tokens, you'll need to update your code.
I'm planning to +2 https://gerrit.wikimedia.org/r/#/c/156336/ in the next day or so. That provides for two hardening measures:

* Tokens can be time limited. By default they won't be, but this puts the plumbing in place if it makes sense to do that on any token checks in the future.

* The tokens returned in a request will change on each request. Any version of the token will be good for as long as the time limit is valid (which again, will default to infinite), but this protects against SSL-compression attacks (like BREACH) where plaintext in a request can be brute-forced by making many requests and watching the size of the response.

To do this, the size of the token (which has been a fixed 32 bytes + token suffix for a very long time) will change to add up to 16 bytes of timestamp (although in practice, it will stay 8 bytes for the next several years) to the end of the token.

If that's a problem for anyone, please add a review in gerrit, or respond here. Otherwise 1.25wmf5 will have the change included.

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
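The following is an added illustration of the two measures described in the message above (a token whose bytes differ on every request but which always validates against the same per-session secret, plus an authenticated, variable-length timestamp appended to the end so an optional maximum age can be enforced). It is example code written for this page, not the code in the gerrit change or MediaWiki's token implementation. The field sizes, the `+\` suffix, the choice of HMAC-SHA256 truncated to 16 bytes, the per-request nonce, and the per-session secret passed to the constructor are all assumptions made for the example.

```php
<?php
// Example only (not MediaWiki's code): CSRF tokens that vary per request so
// a compression-oracle attack such as BREACH has no fixed secret bytes to
// guess against, while every issued token stays valid until an optional
// age limit is exceeded.

final class VaryingToken {
    const SUFFIX = '+\\';   // assumed suffix; chosen for this example
    const NONCE_HEX = 16;   // 8 random bytes, hex-encoded (assumption)
    const MAC_HEX = 32;     // HMAC-SHA256 truncated to 16 bytes, hex-encoded (assumption)

    /** @var string binary per-session secret (assumed to live in the session) */
    private $secret;

    public function __construct($secret) {
        $this->secret = $secret;
    }

    // The MAC covers nonce, timestamp and salt, so none of them can be
    // altered without the token failing verification.
    private function mac($nonce, $tsHex, $salt) {
        $full = hash_hmac('sha256', $nonce . "\0" . $tsHex . "\0" . $salt, $this->secret, true);
        return bin2hex(substr($full, 0, self::MAC_HEX / 2));
    }

    /** Issue a token; the fresh nonce makes every call return a different string. */
    public function issue($salt = '', $now = null) {
        $tsHex = dechex($now === null ? time() : $now); // 8 hex chars until 2106, longer after
        $nonce = bin2hex(random_bytes(self::NONCE_HEX / 2));
        return $nonce . $this->mac($nonce, $tsHex, $salt) . $tsHex . self::SUFFIX;
    }

    /**
     * Verify a token. $maxAge === null means tokens never expire (the default
     * the message describes); otherwise tokens older than $maxAge seconds fail.
     */
    public function check($token, $salt = '', $maxAge = null, $now = null) {
        $sufLen = strlen(self::SUFFIX);
        // Fixed-width nonce and MAC come first; the timestamp is whatever is
        // left before the suffix, so its length may grow without breaking parsing.
        if (strlen($token) <= self::NONCE_HEX + self::MAC_HEX + $sufLen
            || substr($token, -$sufLen) !== self::SUFFIX) {
            return false;
        }
        $body  = substr($token, 0, -$sufLen);
        $nonce = substr($body, 0, self::NONCE_HEX);
        $mac   = substr($body, self::NONCE_HEX, self::MAC_HEX);
        $tsHex = substr($body, self::NONCE_HEX + self::MAC_HEX);
        if (!ctype_xdigit($nonce) || !ctype_xdigit($mac) || !ctype_xdigit($tsHex)) {
            return false;
        }
        // Constant-time comparison so the MAC cannot be recovered byte by byte.
        if (!hash_equals($this->mac($nonce, $tsHex, $salt), $mac)) {
            return false;
        }
        if ($maxAge !== null) {
            $now = $now === null ? time() : $now;
            $issued = hexdec($tsHex);
            if ($issued > $now || $now - $issued > $maxAge) {
                return false;
            }
        }
        return true;
    }
}

// Demonstration with a constructed session secret.
$t = new VaryingToken(random_bytes(32));
$a = $t->issue('edit:Main_Page');
$b = $t->issue('edit:Main_Page');
var_dump($a !== $b);                                 // true: response bytes differ per request
var_dump($t->check($a, 'edit:Main_Page'));           // true: both copies stay valid
var_dump($t->check($b, 'edit:Main_Page'));           // true
var_dump($t->check($a, 'edit:Other'));               // false: bound to the salt
$old = $t->issue('edit:Main_Page', time() - 7200);
var_dump($t->check($old, 'edit:Main_Page'));         // true: no age limit by default
var_dump($t->check($old, 'edit:Main_Page', 3600));   // false: once a limit is passed in
```

Because the nonce is covered by the MAC, both the nonce and the MAC portion of the token change on every response, which is what denies a BREACH-style attacker a stable plaintext to converge on. Any consumer that parses tokens should, as the example does, treat the nonce and MAC as fixed-width fields and the trailing timestamp as variable length rather than assuming the old fixed size.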