[Wikidata-bugs] [Maniphest] [Unblock] T111231: [Story] Take Hovercards out of beta features on Wikidata

2016-05-11 Thread csteipp
csteipp closed blocking task T129177: Security review of Hovercards before beta->default conversion as "Resolved". TASK DETAIL https://phabricator.wikimedia.org/T111231 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: Yair_r

[Wikidata-bugs] [Maniphest] [Unblock] T114443: EventBus MVP

2016-04-27 Thread csteipp
csteipp closed blocking task T120212: Security review of EventBus extension as "Resolved". TASK DETAIL https://phabricator.wikimedia.org/T114443 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: Ottomata, csteipp Cc: yuvipanda, JanZerebecki

[Wikidata-bugs] [Maniphest] [Unblock] T112087: [Bug] m.wikidata.org is not CORS whitelisted

2016-01-26 Thread csteipp
csteipp closed blocking task T100413: "You are centrally logged in." toast on every page view on commons as "Resolved". TASK DETAIL https://phabricator.wikimedia.org/T112087 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: Be

[Wikidata-bugs] [Maniphest] [Closed] T65808: Allow cross-site domain access from (tools) Labs via CORS

2016-01-11 Thread csteipp
csteipp closed this task as "Resolved". csteipp added a comment. Herald added a subscriber: JEumerus. It looks like general labs access is being worked on in https://phabricator.wikimedia.org/T62835, and the specific requests (wikidata, pageviews) are working. So closing this for n

[Wikidata-bugs] [Maniphest] [Unblock] T117965: Review and deploy of the ArticlePlaceholder extension

2016-01-04 Thread csteipp
csteipp closed blocking task T118268: Security Review of Article Placeholder as "Resolved". TASK DETAIL https://phabricator.wikimedia.org/T117965 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: Lucie, csteipp Cc: Nemo_bis, greg.

[Wikidata-bugs] [Maniphest] [Closed] T118268: Security Review of Article Placeholder

2016-01-04 Thread csteipp
csteipp closed this task as "Resolved". csteipp claimed this task. csteipp added a comment. Fixes look good, thanks! TASK DETAIL https://phabricator.wikimedia.org/T118268 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc:

[Wikidata-bugs] [Maniphest] [Changed Project Column] T118268: Security Review of Article Placeholder

2015-12-09 Thread csteipp
csteipp moved this task to In Progress on the Security-Reviews workboard. TASK DETAIL https://phabricator.wikimedia.org/T118268 WORKBOARD https://phabricator.wikimedia.org/project/board/944/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: Lucie

[Wikidata-bugs] [Maniphest] [Changed Project Column] T118268: Security Review of Article Placeholder

2015-12-09 Thread csteipp
csteipp moved this task to Waiting/Blocked on the Security-Reviews workboard. TASK DETAIL https://phabricator.wikimedia.org/T118268 WORKBOARD https://phabricator.wikimedia.org/project/board/944/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences

[Wikidata-bugs] [Maniphest] [Updated] T85368: [Story] Search for Wikidata should give meaningful results on mobile as well

2015-12-08 Thread csteipp
csteipp removed a project: Security. TASK DETAIL https://phabricator.wikimedia.org/T85368 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: Bene, csteipp Cc: Tobi_WMDE_SW, JanZerebecki, Bene, Liuxinyu970226, gerritbot, Florian, thiemowmde, adrianheine

[Wikidata-bugs] [Maniphest] [Updated] T118268: Security Review of Article Placeholder

2015-12-08 Thread csteipp
csteipp added a comment. Hi @Lucie, I took a look at this again from commit https://phabricator.wikimedia.org/rEARPc0c5b0c84ef27e91cbcc2791f3f07cdff1dfd74a. Two minor issues that need to be fixed before this gets deployed: - Line 103: `$this->getOutput()->setPageTitle( $thi

[Wikidata-bugs] [Maniphest] [Changed Project Column] T99358: [Task] Security review of Wikibase-Quality-External-Validation branch master

2015-12-02 Thread csteipp
csteipp moved this task to Waiting/Blocked on the Security-Reviews workboard. TASK DETAIL https://phabricator.wikimedia.org/T99358 WORKBOARD https://phabricator.wikimedia.org/project/board/944/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences

[Wikidata-bugs] [Maniphest] [Changed Project Column] T65808: Allow cross-site domain access from (tools) Labs via CORS

2015-12-02 Thread csteipp
csteipp moved this task to Waiting/Blocked on the Security-Reviews workboard. TASK DETAIL https://phabricator.wikimedia.org/T65808 WORKBOARD https://phabricator.wikimedia.org/project/board/944/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences

[Wikidata-bugs] [Maniphest] [Changed Project Column] T99358: [Task] Security review of Wikibase-Quality-External-Validation branch master

2015-12-02 Thread csteipp
csteipp moved this task to Backlog on the Security-Reviews workboard. TASK DETAIL https://phabricator.wikimedia.org/T99358 WORKBOARD https://phabricator.wikimedia.org/project/board/944/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc

[Wikidata-bugs] [Maniphest] [Changed Project Column] T118268: Security Review of Article Placeholder

2015-11-12 Thread csteipp
csteipp moved this task to Scheduled on the Security-Reviews workboard. TASK DETAIL https://phabricator.wikimedia.org/T118268 WORKBOARD https://phabricator.wikimedia.org/project/board/944/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: Lucie

[Wikidata-bugs] [Maniphest] [Changed Project Column] T65808: Allow cross-site domain access from (tools) Labs via CORS

2015-11-12 Thread csteipp
csteipp moved this task to Scheduled on the Security-Reviews workboard. TASK DETAIL https://phabricator.wikimedia.org/T65808 WORKBOARD https://phabricator.wikimedia.org/project/board/944/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: dpatrick

[Wikidata-bugs] [Maniphest] [Updated] T117272: Wikidata: Possibility to add comments with more than 255 bytes, potential db issue

2015-11-10 Thread csteipp
csteipp removed a project: Security. csteipp changed the visibility from "Custom Policy" to "Public (No Login Required)". csteipp changed the edit policy from "Custom Policy" to "All Users". csteipp changed Security from Software security bug to None.

[Wikidata-bugs] [Maniphest] [Changed Project Column] T90115: BlazeGraph Security Review

2015-10-13 Thread csteipp
csteipp moved this task to Done on the Security-Team workboard. TASK DETAIL https://phabricator.wikimedia.org/T90115 WORKBOARD https://phabricator.wikimedia.org/project/board/1179/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc

[Wikidata-bugs] [Maniphest] [Commented On] T99358: [Task] Security review of Wikibase-Quality-External-Validation branch master

2015-10-08 Thread csteipp
csteipp added a comment. In https://phabricator.wikimedia.org/T99358#1579459, @Lydia_Pintscher wrote: > @csteipp: Is this good to go from your side once > https://phabricator.wikimedia.org/T103912 is closed? Yes TASK DETAIL https://phabricator.wikimedia.org/T99358 EMAIL PREFE

[Wikidata-bugs] [Maniphest] [Triaged] T99358: [Task] Security review of Wikibase-Quality-External-Validation branch master

2015-09-30 Thread csteipp
csteipp triaged this task as "High" priority. TASK DETAIL https://phabricator.wikimedia.org/T99358 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: Lydia_Pintscher, gerritbot, soeren.oldag, JanZerebecki, Jonaskeutel, Tamsl

[Wikidata-bugs] [Maniphest] [Changed Project Column] T99358: [Task] Security review of Wikibase-Quality-External-Validation branch master

2015-09-30 Thread csteipp
csteipp moved this task to Ready on the Security-Reviews workboard. TASK DETAIL https://phabricator.wikimedia.org/T99358 WORKBOARD https://phabricator.wikimedia.org/project/board/944/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc

[Wikidata-bugs] [Maniphest] [Changed Project Column] T69118: Security review of PubSubHubbub extension

2015-08-24 Thread csteipp
Herald added a subscriber: Aklapper. TASK DETAIL https://phabricator.wikimedia.org/T69118 WORKBOARD https://phabricator.wikimedia.org/project/board/944/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: Aklapper, Jimkont, Liuxinyu970226

[Wikidata-bugs] [Maniphest] [Updated] T65808: Allow cross-site domain access from (tools) Labs via CORS

2015-08-20 Thread csteipp
csteipp edited projects, added Security-Reviews; removed Security. TASK DETAIL https://phabricator.wikimedia.org/T65808 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: hoo, csteipp Cc: Aklapper, csteipp, Matanya, Jdlrobson, Krenair, hoo, JanZerebecki

[Wikidata-bugs] [Maniphest] [Updated] T65808: Allow cross-site domain access from (tools) Labs via CORS

2015-08-20 Thread csteipp
csteipp added a project: Security-Team. TASK DETAIL https://phabricator.wikimedia.org/T65808 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: hoo, csteipp Cc: Aklapper, csteipp, Matanya, Jdlrobson, Krenair, hoo, JanZerebecki, He7d3r, Petrb, Magnus

[Wikidata-bugs] [Maniphest] [Commented On] T108101: Isolate wikidata.org cookies and CORS policies

2015-08-14 Thread csteipp
csteipp added a comment. m.wikidata.org will get fixed with a general mobile fix-- it should already work for non-js browsers. I just haven't had the time to put in the js fix, but if wikidata is getting significant mobile traffic, I can up the priority of that. TASK DETAIL https

[Wikidata-bugs] [Maniphest] [Updated] T108101: Isolate wikidata.org cookies and CORS policies

2015-08-14 Thread csteipp
csteipp added a comment. Thanks Lydia. https://phabricator.wikimedia.org/T100413 is the task for that work. TASK DETAIL https://phabricator.wikimedia.org/T108101 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: Legoktm, csteipp Cc: jeremyb, Matanya

[Wikidata-bugs] [Maniphest] [Commented On] T109038: [Bug] Users are unable to login on wikidata.org until they clear their cookies

2015-08-14 Thread csteipp
csteipp added a comment. In https://phabricator.wikimedia.org/T109038#1540332, @JanZerebecki wrote: @csteipp Sorry I missed that. I don't have the tab open anymore. I don't remember the order but in the Cookie HTTP header there were two key-value pairs for centralauth_Token with different

[Wikidata-bugs] [Maniphest] [Commented On] T109038: [Bug] Users are unable to login on wikidata.org until they clear their cookies

2015-08-14 Thread csteipp
csteipp added a comment. @bblack, if you're able to reproduce, can you capture the headers and send them to me? Or post here if you're comfortable. I'm guessing you ended up with two token/session cookies, and either guy the wrong one or the browser sends both and we're parsing the wrong one out

[Wikidata-bugs] [Maniphest] [Unblock] T85159: [EPIC] Deploy a Wikidata Query Service into production

2015-08-13 Thread csteipp
csteipp closed blocking task T90115: BlazeGraph Security Review as Resolved. TASK DETAIL https://phabricator.wikimedia.org/T85159 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: Addshore, Laddo, bd808, MBlissett, Krenair, waldyrious

[Wikidata-bugs] [Maniphest] [Closed] T90115: BlazeGraph Security Review

2015-08-13 Thread csteipp
csteipp closed this task as Resolved. TASK DETAIL https://phabricator.wikimedia.org/T90115 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: Deskana, ksmith, JanZerebecki, Bene, MoritzMuehlenhoff, GWicke, Thompsonbry.systap, Smalyshev, Joe

[Wikidata-bugs] [Maniphest] [Unblock] T105196: Security review for Wikidata Query Service code before deploying to production hardware

2015-08-13 Thread csteipp
csteipp closed blocking task T90115: BlazeGraph Security Review as Resolved. TASK DETAIL https://phabricator.wikimedia.org/T105196 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: csteipp, Smalyshev, Legoktm, Lydia_Pintscher, ksmith

[Wikidata-bugs] [Maniphest] [Updated] T90115: BlazeGraph Security Review

2015-08-12 Thread csteipp
csteipp added a comment. @Deskana, waiting for the patch on https://phabricator.wikimedia.org/T108101 to get merged TASK DETAIL https://phabricator.wikimedia.org/T90115 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: Deskana, ksmith

[Wikidata-bugs] [Maniphest] [Commented On] T90115: BlazeGraph Security Review

2015-08-07 Thread csteipp
csteipp added a comment. This doesn't need to be present in the initial deployment, but it would be good to add in a followup step. Stas, how much time is Discovery going to be dedicating to this in Q2? I was under the impression that once it's in production, Discovery was planning to move

[Wikidata-bugs] [Maniphest] [Created] T108410: Add confinement around Blazegraph

2015-08-07 Thread csteipp
csteipp created this task. csteipp added a subscriber: csteipp. csteipp added a project: Wikidata-Query-Service. Herald added a subscriber: Aklapper. Herald added projects: Wikidata, Discovery. TASK DESCRIPTION From T90115 I don't have any concerns/objections about setting this up, I

[Wikidata-bugs] [Maniphest] [Updated] T90115: BlazeGraph Security Review

2015-08-07 Thread csteipp
csteipp added a comment. So it looks like the only remaining issue is mitigating https://phabricator.wikimedia.org/T105427, which @Smalyshev has a warning message for (and process to involve an ops person if someone accidentally does a suppressed delete). Once we're sure that is going to get

[Wikidata-bugs] [Maniphest] [Updated] T90115: BlazeGraph Security Review

2015-08-07 Thread csteipp
csteipp added a comment. @csteipp: Discovery plans to deploy this in beta status, and then (based on my understanding), we plan to shift to other priorities while we wait for feedback to come in. Our level of effort after that will depend in part on that feedback. It will be up

[Wikidata-bugs] [Maniphest] [Commented On] T105638: RFC: Streamlining Composer usage

2015-08-06 Thread csteipp
csteipp added a comment. 1 2 are probably related, so I'll add some comment here. Happy to move to another forum if needed. The threats I've seen laid out, and my (very rough) evaluation of their risk. Happy to be corrected if it seems like I have assumptions that are wrong, or you disagree

[Wikidata-bugs] [Maniphest] [Commented On] T90115: BlazeGraph Security Review

2015-08-05 Thread csteipp
csteipp added a comment. @Joe / @MoritzMuehlenhoff, ping again on this-- are you guys comfortable that we can detect/contain Blazegraph if it gets exploited? TASK DETAIL https://phabricator.wikimedia.org/T90115 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel

[Wikidata-bugs] [Maniphest] [Commented On] T107602: Set up a public interface to the wikidata query service

2015-08-05 Thread csteipp
csteipp added a comment. @Smalyshev, before we deploy this, can we task someone with updating $wgCrossSiteAJAXdomains to remove it from CORS domains, and set cookies for only the specific wikidata subdomains from CentralAuth? TASK DETAIL https://phabricator.wikimedia.org/T107602 EMAIL

[Wikidata-bugs] [Maniphest] [Created] T108101: Isolate wikidata.org cookies and CORS policies

2015-08-05 Thread csteipp
csteipp created this task. csteipp added subscribers: JohnLewis, hoo, GWicke, greg, Lydia_Pintscher, csteipp, jcrespo, Legoktm, gerritbot, Smalyshev, BBlack, Joe, daniel, RobLa-WMF, Aklapper, aude, JanZerebecki, JeroenDeDauw, MrStradivarius, waldyrious, Krenair, MBlissett, bd808, Laddo

[Wikidata-bugs] [Maniphest] [Commented On] T107602: Set up a public interface to the wikidata query service

2015-08-04 Thread csteipp
csteipp added a comment. In https://phabricator.wikimedia.org/T107602#1507585, @JanZerebecki wrote: The intent is for the service to allow CORS, but I'm not sure about the implications. Anyway that that means it is not an argument for wikimedia.org and against wikidata.org. So we are left

[Wikidata-bugs] [Maniphest] [Changed Subscribers] T107602: Set up a public interface to the wikidata query service

2015-08-04 Thread csteipp
csteipp added a subscriber: hoo. csteipp added a comment. In https://phabricator.wikimedia.org/T107602#1508326, @Smalyshev wrote: Aren't our tokens HTTP only? Our session cookies are, but anti-csrf tokens are available via API call. So javascript running on a wikidata.org subdomain can edit

[Wikidata-bugs] [Maniphest] [Commented On] T107602: Set up a public interface to the wikidata query service

2015-08-04 Thread csteipp
csteipp added a subscriber: csteipp. csteipp added a comment. @Stas, is wikidata.org required for some reason? Or was that just ok with them? Running on wikimedia.org would have a number of benefits for security-- no cookies, and no CORS accepted from the service. TASK DETAIL https

[Wikidata-bugs] [Maniphest] [Commented On] T98029: Launch PageBanner extension on Wikivoyage projects

2015-07-21 Thread csteipp
csteipp added a comment. I'm out this week, but I should be able to get to it next week. Do you have an external driver on this? TASK DETAIL https://phabricator.wikimedia.org/T98029 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc

[Wikidata-bugs] [Maniphest] [Updated] T105196: Security review for Wikidata Query Service code before deploying to production hardware

2015-07-14 Thread csteipp
csteipp added a comment. https://phabricator.wikimedia.org/T105427 in progress TASK DETAIL https://phabricator.wikimedia.org/T105196 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: csteipp, Smalyshev, Legoktm, Lydia_Pintscher, ksmith

[Wikidata-bugs] [Maniphest] [Commented On] T105196: Security review for Wikidata Query Service code before deploying to production hardware

2015-07-13 Thread csteipp
csteipp added a comment. Yes, I'll be doing the review. Who on SD is primarily working on this piece? Can I get a link to the existing design docs and code so I can do an initial scoping? After that, I'd like to meet with the people working on this to make sure we have a dataflow diagram

[Wikidata-bugs] [Maniphest] [Commented On] T90115: BlazeGraph Security Review

2015-07-08 Thread csteipp
csteipp added a comment. @ksmith, there should be a separate task for that, depending on this. Any other code to be deployed should have a separate security review request. TASK DETAIL https://phabricator.wikimedia.org/T90115 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings

[Wikidata-bugs] [Maniphest] [Commented On] T99358: Security review of Wikibase-Quality-External-Validation branch v1

2015-06-26 Thread csteipp
csteipp added a comment. In https://phabricator.wikimedia.org/T99358#1404599, @gerritbot wrote: https://gerrit.wikimedia.org/r/221107 That looks right. Thanks. TASK DETAIL https://phabricator.wikimedia.org/T99358 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel

[Wikidata-bugs] [Maniphest] [Commented On] T99358: Security review of Wikibase-Quality-External-Validation branch v1

2015-06-25 Thread csteipp
csteipp added a comment. In ComparisonResult you guard setting the result to a list of constant strings, but in ReferenceResult that only happens on object creation. ReferenceResult should do the same as ComparisonResult. TASK DETAIL https://phabricator.wikimedia.org/T99358 EMAIL

[Wikidata-bugs] [Maniphest] [Commented On] T99358: Security review of Wikibase-Quality-External-Validation branch v1

2015-06-25 Thread csteipp
csteipp added a comment. In https://phabricator.wikimedia.org/T99358#1402101, @csteipp wrote: SpecialCrossCheck::buildResultTable `$referenceStatus = $this->msg( 'wbqev-crosscheck-status-' . $result->getReferenceResult()->getStatus() )->text();` Either use escaped() or don't use rawhtml

[Wikidata-bugs] [Maniphest] [Commented On] T99358: Security review of Wikibase-Quality-External-Validation branch v1

2015-06-25 Thread csteipp
csteipp added a comment. TASK DETAIL https://phabricator.wikimedia.org/T99358 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: soeren.oldag, JanZerebecki, Jonaskeutel, Tamslo, csteipp, Andreasburmeister, Liuxinyu970226, Aklapper

[Wikidata-bugs] [Maniphest] [Created] T103912: Ex:WikibaseQualityExternalValidation - performance review of Special:CrossCheck

2015-06-25 Thread csteipp
csteipp created this task. csteipp assigned this task to aaron. csteipp added subscribers: soeren.oldag, JanZerebecki, Jonaskeutel, Tamslo, csteipp, Andreasburmeister, Liuxinyu970226, Aklapper, Wikibase-Quality-External-Validation, aaron. csteipp added projects: Wikibase-Quality, Security-Team

[Wikidata-bugs] [Maniphest] [Created] T103905: Ex:WikibaseQualityExternalValidation - rate limit Special:CrossCheck

2015-06-25 Thread csteipp
csteipp created this task. csteipp added subscribers: soeren.oldag, JanZerebecki, Jonaskeutel, Tamslo, csteipp, Andreasburmeister, Liuxinyu970226, Aklapper, Wikibase-Quality-External-Validation. csteipp added projects: Wikibase-Quality, Security-Team, Wikidata, Security-Reviews, Wikibase

[Wikidata-bugs] [Maniphest] [Commented On] T99358: Security review of Wikibase-Quality-External-Validation branch v1

2015-06-25 Thread csteipp
csteipp added a comment. SpecialCrossCheck::buildResultTable `$referenceStatus = $this->msg( 'wbqev-crosscheck-status-' . $result->getReferenceResult()->getStatus() )->text();` Either use escaped() or don't use rawhtml in the table cell. TASK DETAIL https://phabricator.wikimedia.org/T99358 EMAIL

[Wikidata-bugs] [Maniphest] [Changed Project Column] T99358: Security review of Wikibase-Quality-External-Validation branch v1

2015-06-25 Thread csteipp
csteipp moved this task to Waiting on the Security-Team workboard. TASK DETAIL https://phabricator.wikimedia.org/T99358 WORKBOARD https://phabricator.wikimedia.org/project/board/1179/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc

[Wikidata-bugs] [Maniphest] [Closed] T103439: Ex:WikibaseQualityExternalValidation - DumpMetaInformationRepo needs to strictly validate table names

2015-06-23 Thread csteipp
csteipp closed this task as Resolved. csteipp claimed this task. csteipp added a comment. Constants are ok TASK DETAIL https://phabricator.wikimedia.org/T103439 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: soeren.oldag, Wikibase

[Wikidata-bugs] [Maniphest] [Unblock] T99358: Security review of Wikibase-Quality-External-Validation

2015-06-23 Thread csteipp
csteipp closed blocking task T103439: Ex:WikibaseQualityExternalValidation - DumpMetaInformationRepo needs to strictly validate table names as Resolved. TASK DETAIL https://phabricator.wikimedia.org/T99358 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences

[Wikidata-bugs] [Maniphest] [Created] T103633: Ex:WikibaseQualityExternalValidation - SpecialExternalDbs escape or don't use raw cells

2015-06-23 Thread csteipp
csteipp created this task. csteipp claimed this task. csteipp added subscribers: JanZerebecki, Jonaskeutel, Tamslo, csteipp, Andreasburmeister, Liuxinyu970226, Aklapper, Wikibase-Quality-External-Validation. csteipp added projects: Wikibase-Quality, Security-Team, Wikidata, Security-Reviews

[Wikidata-bugs] [Maniphest] [Updated] T99355: Security review of Wikibase-Quality-Constraints

2015-06-22 Thread csteipp
csteipp removed a blocking task: Restricted Task. TASK DETAIL https://phabricator.wikimedia.org/T99355 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: JanZerebecki, aaron, Andreasburmeister, csteipp, Tamslo, Liuxinyu970226

[Wikidata-bugs] [Maniphest] [Commented On] T101306: Ex:WikidataQualityConstraints - (hardening) use escaped() instead of text() output when inserting messages into HTML

2015-06-22 Thread csteipp
csteipp added a comment. Fix looks good TASK DETAIL https://phabricator.wikimedia.org/T101306 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: dominic.sauer, csteipp Cc: soeren.oldag, Wikibase-Quality-Constraints, Aklapper, Lydia_Pintscher, Tamslo

[Wikidata-bugs] [Maniphest] [Retitled] T99355: Security review of Wikibase-Quality-Constraints - v1 branch

2015-06-22 Thread csteipp
csteipp changed the title from Security review of Wikibase-Quality-Constraints to Security review of Wikibase-Quality-Constraints - v1 branch. TASK DETAIL https://phabricator.wikimedia.org/T99355 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences

[Wikidata-bugs] [Maniphest] [Changed Project Column] T99358: Security review of Wikibase-Quality-External-Validation

2015-06-22 Thread csteipp
csteipp moved this task to In Progress on the Security-Team workboard. TASK DETAIL https://phabricator.wikimedia.org/T99358 WORKBOARD https://phabricator.wikimedia.org/project/board/1179/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc

[Wikidata-bugs] [Maniphest] [Created] T103439: Ex:WikibaseQualityExternalValidation - DumpMetaInformationRepo needs to strictly validate table names

2015-06-22 Thread csteipp
csteipp created this task. csteipp added subscribers: JanZerebecki, Jonaskeutel, Tamslo, csteipp, Andreasburmeister, Liuxinyu970226, Aklapper, Wikibase-Quality-External-Validation. csteipp added projects: Wikibase-Quality, Wikidata, Security-Reviews, Wikibase-Quality-External-Validation. TASK

[Wikidata-bugs] [Maniphest] [Commented On] T103439: Ex:WikibaseQualityExternalValidation - DumpMetaInformationRepo needs to strictly validate table names

2015-06-22 Thread csteipp
csteipp added a comment. ExternalDataRepo should also validate its $tableName TASK DETAIL https://phabricator.wikimedia.org/T103439 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: Wikibase-Quality-External-Validation, Aklapper

[Wikidata-bugs] [Maniphest] [Created] T103438: Ex:WikibaseQualityExternalValidation - don't use .tar / phar to transfer files to production

2015-06-22 Thread csteipp
csteipp created this task. csteipp added subscribers: JanZerebecki, Jonaskeutel, Tamslo, csteipp, Andreasburmeister, Liuxinyu970226, Aklapper, Wikibase-Quality-External-Validation. csteipp added projects: Wikibase-Quality, Wikidata, Wikibase-Quality-External-Validation. TASK DESCRIPTION

[Wikidata-bugs] [Maniphest] [Unblock] T99354: Review and deploy Wikibase-Quality-Constraints on wikidata.org

2015-06-22 Thread csteipp
csteipp closed blocking task T99355: Security review of Wikibase-Quality-Constraints - v1 branch as Resolved. TASK DETAIL https://phabricator.wikimedia.org/T99354 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: JanZerebecki

[Wikidata-bugs] [Maniphest] [Closed] T99355: Security review of Wikibase-Quality-Constraints - v1 branch

2015-06-22 Thread csteipp
csteipp closed this task as Resolved. csteipp claimed this task. csteipp added a comment. OK, blockers have all been resolved for v1. We will need another review before violations are deployed. TASK DETAIL https://phabricator.wikimedia.org/T99355 EMAIL PREFERENCES https

[Wikidata-bugs] [Maniphest] [Changed Project Column] T99352: Security review of Wikibase-Quality

2015-06-19 Thread csteipp
csteipp moved this task to Done on the Security-Team workboard. TASK DETAIL https://phabricator.wikimedia.org/T99352 WORKBOARD https://phabricator.wikimedia.org/project/board/1179/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc

[Wikidata-bugs] [Maniphest] [Closed] T99352: Security review of Wikibase-Quality

2015-06-19 Thread csteipp
csteipp closed this task as Resolved. TASK DETAIL https://phabricator.wikimedia.org/T99352 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: JanZerebecki, csteipp, Andreasburmeister, Liuxinyu970226, Lydia_Pintscher, Wikibase-Quality

[Wikidata-bugs] [Maniphest] [Unblock] T99351: Review and deploy Wikibase-Quality on wikidata.org

2015-06-19 Thread csteipp
csteipp closed blocking task T99352: Security review of Wikibase-Quality as Resolved. TASK DETAIL https://phabricator.wikimedia.org/T99351 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: Tamslo, JanZerebecki, Yair_rand, Liuxinyu970226

[Wikidata-bugs] [Maniphest] [Changed Project Column] T99352: Security review of Wikibase-Quality

2015-06-19 Thread csteipp
csteipp moved this task to Ready on the Security-Team workboard. TASK DETAIL https://phabricator.wikimedia.org/T99352 WORKBOARD https://phabricator.wikimedia.org/project/board/1179/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc

[Wikidata-bugs] [Maniphest] [Changed Project Column] T99352: Security review of Wikibase-Quality

2015-06-19 Thread csteipp
csteipp moved this task to Waiting on the Security-Team workboard. TASK DETAIL https://phabricator.wikimedia.org/T99352 WORKBOARD https://phabricator.wikimedia.org/project/board/1179/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc

[Wikidata-bugs] [Maniphest] [Commented On] T101467: Ex: WikibaseQualityConstraints - remove or sanitize regex for FormatChecker

2015-06-19 Thread csteipp
csteipp added a comment. Yes, that's ok for now TASK DETAIL https://phabricator.wikimedia.org/T101467 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: Jonaskeutel, csteipp Cc: thiemowmde, Jonaskeutel, Wikibase-Quality-Constraints, Aklapper

[Wikidata-bugs] [Maniphest] [Commented On] T99358: Security review of Wikibase-Quality-External-Validation

2015-06-18 Thread csteipp
csteipp added a comment. @Tamslo, are you asking if this can be closed? Definitely not. Both of the other extensions have serious issues that need to be addressed before they can be deployed, and I've only started reviewing this one. If plans change on wmde's side, please let me know. TASK

[Wikidata-bugs] [Maniphest] [Created] T102649: Ex:WikibaseQuality - Needs to escape output by default

2015-06-16 Thread csteipp
csteipp created this task. csteipp claimed this task. csteipp added subscribers: csteipp, Andreasburmeister, Liuxinyu970226, Lydia_Pintscher, Wikidata-Quality, Aklapper. csteipp added projects: Security-Team, Wikidata, Security-Reviews, Wikidata-Quality. TASK DESCRIPTION As a library

[Wikidata-bugs] [Maniphest] [Unblock] T99355: Security review of Wikibase-Quality-Constraints

2015-06-12 Thread csteipp
csteipp closed blocking task T101469: Ex: WikibaseQualityConstraints - CommonsLinkChecker should sanitize / escape user input in urls as Resolved. TASK DETAIL https://phabricator.wikimedia.org/T99355 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences

[Wikidata-bugs] [Maniphest] [Unblock] T99355: Security review of Wikibase-Quality-Constraints

2015-06-12 Thread csteipp
csteipp closed blocking task T101308: Ex:WikidataQualityConstraints - EntityId::getSerialization() is not guaranteed to be safe for HTML as Resolved. TASK DETAIL https://phabricator.wikimedia.org/T99355 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences

[Wikidata-bugs] [Maniphest] [Closed] T101468: Ex: WikibaseQualityConstraints - CommonsLinkChecker makes unsafe connections

2015-06-12 Thread csteipp
csteipp closed this task as Resolved. csteipp claimed this task. csteipp added a comment. Fix looks good TASK DETAIL https://phabricator.wikimedia.org/T101468 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: gerritbot, Wikidata-Quality

[Wikidata-bugs] [Maniphest] [Unblock] T99355: Security review of Wikibase-Quality-Constraints

2015-06-12 Thread csteipp
csteipp closed blocking task T101468: Ex: WikibaseQualityConstraints - CommonsLinkChecker makes unsafe connections as Resolved. TASK DETAIL https://phabricator.wikimedia.org/T99355 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: aaron

[Wikidata-bugs] [Maniphest] [Closed] T101469: Ex: WikibaseQualityConstraints - CommonsLinkChecker should sanitize / escape user input in urls

2015-06-12 Thread csteipp
csteipp closed this task as Resolved. csteipp claimed this task. csteipp added a comment. Fixes look good TASK DETAIL https://phabricator.wikimedia.org/T101469 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: gerritbot, Wikidata-Quality

[Wikidata-bugs] [Maniphest] [Commented On] T101467: Ex: WikibaseQualityConstraints - remove or sanitize regex for FormatChecker

2015-06-12 Thread csteipp
csteipp added a comment. I'm not sure what kinds of regexes are expected here, so can't give great guidance on the best solution. thiemowmde's solution of only allowing admins to add them will prevent mass exploitation, but would still allow admins to attack the server in the case of another

[Wikidata-bugs] [Maniphest] [Closed] T101308: Ex:WikidataQualityConstraints - EntityId::getSerialization() is not guaranteed to be safe for HTML

2015-06-12 Thread csteipp
csteipp closed this task as Resolved. csteipp added a comment. Fix looks correct TASK DETAIL https://phabricator.wikimedia.org/T101308 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: dominic.sauer, csteipp Cc: gerritbot, soeren.oldag, Wikidata

[Wikidata-bugs] [Maniphest] [Created] T101469: T101468: Ex: WikibaseQualityConstraints - CommonsLinkChecker should sanitize / escape user input in urls

2015-06-04 Thread csteipp
csteipp created this task. csteipp added subscribers: Andreasburmeister, csteipp, Tamslo, Liuxinyu970226, Lydia_Pintscher, Aklapper, Wikidata-Quality-Constraints. csteipp added projects: Wikidata, Wikidata-Quality-Constraints, Security-Reviews. TASK DESCRIPTION User input is added to the url

[Wikidata-bugs] [Maniphest] [Updated] T101306: Ex:WikidataQualityConstraints - (hardening) use escaped() instead of text() output when inserting messages into HTML

2015-06-04 Thread csteipp
csteipp removed a project: Security-Reviews. csteipp set Security to None. TASK DETAIL https://phabricator.wikimedia.org/T101306 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: Wikidata-bugs, dominic.sauer, Jonaskeutel, soeren.oldag

[Wikidata-bugs] [Maniphest] [Created] T101468: Ex: WikibaseQualityConstraints - CommonsLinkChecker makes unsafe connections

2015-06-04 Thread csteipp
csteipp created this task. csteipp added subscribers: Andreasburmeister, csteipp, Tamslo, Liuxinyu970226, Lydia_Pintscher, Aklapper, Wikidata-Quality-Constraints. csteipp added projects: Wikidata, Wikidata-Quality-Constraints, Security-Reviews. TASK DESCRIPTION CommonsLinkChecker needs to use

[Wikidata-bugs] [Maniphest] [Commented On] T99355: Security review of Wikibase-Quality-Constraints

2015-06-04 Thread csteipp
csteipp added a comment. I'm done with the initial review. All the blockers need to get resolved before this is closed. TASK DETAIL https://phabricator.wikimedia.org/T99355 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: aaron

[Wikidata-bugs] [Maniphest] [Retitled] T101469: Ex: WikibaseQualityConstraints - CommonsLinkChecker should sanitize / escape user input in urls

2015-06-04 Thread csteipp
csteipp changed the title from T101468: Ex: WikibaseQualityConstraints - CommonsLinkChecker should sanitize / escape user input in urls to Ex: WikibaseQualityConstraints - CommonsLinkChecker should sanitize / escape user input in urls. csteipp set Security to None. TASK DETAIL https

[Wikidata-bugs] [Maniphest] [Changed Project Column] T99358: Security review of Wikibase-Quality-External-Validation

2015-06-04 Thread csteipp
csteipp moved this task to Ready on the Security-Team workboard. TASK DETAIL https://phabricator.wikimedia.org/T99358 WORKBOARD https://phabricator.wikimedia.org/project/board/1179/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc

[Wikidata-bugs] [Maniphest] [Claimed] T99358: Security review of Wikibase-Quality-External-Validation

2015-06-04 Thread csteipp
csteipp claimed this task. csteipp added a project: Security-Team. TASK DETAIL https://phabricator.wikimedia.org/T99358 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: csteipp, Andreasburmeister, Liuxinyu970226, Aklapper, Wikidata-bugs

[Wikidata-bugs] [Maniphest] [Claimed] T99352: Security review of Wikibase-Quality

2015-06-04 Thread csteipp
csteipp claimed this task. TASK DETAIL https://phabricator.wikimedia.org/T99352 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: csteipp, Andreasburmeister, Liuxinyu970226, Lydia_Pintscher, Aklapper, Wikidata-bugs, aude, Krenair, Ainali

[Wikidata-bugs] [Maniphest] [Changed Project Column] T99352: Security review of Wikibase-Quality

2015-06-04 Thread csteipp
csteipp moved this task to Ready on the Security-Team workboard. TASK DETAIL https://phabricator.wikimedia.org/T99352 WORKBOARD https://phabricator.wikimedia.org/project/board/1179/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc

[Wikidata-bugs] [Maniphest] [Updated] T99352: Security review of Wikibase-Quality

2015-06-04 Thread csteipp
csteipp added a project: Security-Team. TASK DETAIL https://phabricator.wikimedia.org/T99352 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: csteipp, Andreasburmeister, Liuxinyu970226, Lydia_Pintscher, Aklapper, Wikidata-bugs, aude

[Wikidata-bugs] [Maniphest] [Created] T101467: Ex: WikibaseQualityConstraints - remove or sanitize regex for FormatChecker

2015-06-04 Thread csteipp
csteipp created this task. csteipp added subscribers: Andreasburmeister, csteipp, Tamslo, Liuxinyu970226, Lydia_Pintscher, Aklapper, Wikidata-Quality-Constraints. csteipp added projects: Wikidata, Wikidata-Quality-Constraints, Security-Reviews. TASK DESCRIPTION As is, the CSV value can

[Wikidata-bugs] [Maniphest] [Edited] T99355: Security review of Wikibase-Quality-Constraints

2015-06-04 Thread csteipp
csteipp edited the task description. csteipp added a subscriber: aaron. TASK DETAIL https://phabricator.wikimedia.org/T99355 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: aaron, Andreasburmeister, csteipp, Tamslo, Liuxinyu970226

[Wikidata-bugs] [Maniphest] [Updated] T101303: Document architectural decisions for WikidataQuality extensions

2015-06-04 Thread csteipp
csteipp removed a project: Security-Reviews. csteipp set Security to None. TASK DETAIL https://phabricator.wikimedia.org/T101303 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: aude, Aklapper, Lydia_Pintscher, Liuxinyu970226, Tamslo

[Wikidata-bugs] [Maniphest] [Changed Project Column] T99355: Security review of Wikibase-Quality-Constraints

2015-06-04 Thread csteipp
csteipp moved this task to Waiting on the Security-Team workboard. TASK DETAIL https://phabricator.wikimedia.org/T99355 WORKBOARD https://phabricator.wikimedia.org/project/board/1179/ EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc

[Wikidata-bugs] [Maniphest] [Updated] T99355: Security review of Wikibase-Quality-Constraints

2015-06-04 Thread csteipp
csteipp added a project: Security-Team. TASK DETAIL https://phabricator.wikimedia.org/T99355 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: aaron, Andreasburmeister, csteipp, Tamslo, Liuxinyu970226, Lydia_Pintscher, Aklapper, Wikidata

[Wikidata-bugs] [Maniphest] [Updated] T101469: Ex: WikibaseQualityConstraints - CommonsLinkChecker should sanitize / escape user input in urls

2015-06-04 Thread csteipp
csteipp removed a project: Security-Reviews. TASK DETAIL https://phabricator.wikimedia.org/T101469 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: Wikidata-bugs, dominic.sauer, Jonaskeutel, soeren.oldag, Tamslo, Tobi_WMDE_SW, Aklapper

[Wikidata-bugs] [Maniphest] [Updated] T101308: Ex:WikidataQualityConstraints - EntityId::getSerialization() is not guaranteed to be safe for HTML

2015-06-04 Thread csteipp
csteipp removed a project: Security-Reviews. csteipp set Security to None. TASK DETAIL https://phabricator.wikimedia.org/T101308 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: Wikidata-bugs, dominic.sauer, Jonaskeutel, soeren.oldag

[Wikidata-bugs] [Maniphest] [Updated] T101305: Ex:WikidataQualityConstraints - (hardening) escape sql closer to the output.

2015-06-04 Thread csteipp
csteipp removed a project: Security-Reviews. csteipp set Security to None. TASK DETAIL https://phabricator.wikimedia.org/T101305 EMAIL PREFERENCES https://phabricator.wikimedia.org/settings/panel/emailpreferences/ To: csteipp Cc: Wikidata-bugs, dominic.sauer, Jonaskeutel, soeren.oldag

[Wikidata-bugs] [Maniphest] [Created] T101303: Document architectural decisions for WikidataQuality extensions

2015-06-03 Thread csteipp
csteipp created this task. csteipp added subscribers: Andreasburmeister, csteipp, Tamslo, Liuxinyu970226, Lydia_Pintscher, Aklapper, Wikidata-Quality-Constraints, aude. csteipp added projects: Wikidata, Wikidata-Quality-Constraints, Security-Reviews. TASK DESCRIPTION In its current form
