Re: [Wikitech-l] IE 6/7 MIME type sniffing checks on uploads - is it time to retire them?

2019-01-28 Thread Kunal Mehta

Hi,

On 1/28/19 3:58 PM, Brion Vibber wrote:
> Years ago, we added security checks for IE 5/6/7 to work around
> IE's mime type sniffing: if you went to view a .png file directly
> in IE (as opposed to in an <img>) the browser would check the first
> few bytes of the file to detect its type, overriding the HTTP
> Content-Type header. HTML would be detected with a higher priority
> than the actual image formats, making it possible to create an
> actual .png image which when viewed as an image looked like an
> image, but when viewed as a web page was interpreted as HTML,
> including any embedded JavaScript.

Tim wrote a nice blog post about how he reverse-engineered this.

I don't have any comments on whether it's still needed, but if it's
determined that MediaWiki can drop the checks, I'd like to see it
turned into a PHP library...mostly because it's some neat code.

-- Legoktm

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] What would you like to see in gerrit?

2019-01-28 Thread Paladox via Wikitech-l
Hi, what would you like to see in gerrit or improved? I've been working on
developing a plugin that pulls in zuul's status into PolyGerrit. See the
running demo at https://imgur.com/a/uBk2oxQ . I'm also planning on adding
"recheck" and "check experimental" as buttons to PolyGerrit's UI to improve
CI. This will help new users who can recheck (and existing users that either
forgot they can type this or haven't learned yet).
Note that I cannot promise that anything suggested in this thread will be
worked on, but I can try my best.
See tasks https://phabricator.wikimedia.org/T214068 and
https://phabricator.wikimedia.org/T214631 .

[Wikitech-l] IE 6/7 MIME type sniffing checks on uploads - is it time to retire them?

2019-01-28 Thread Brion Vibber
There have been some comments on some old tasks such as T27707 about
problems with uploading files that include text metadata that looks like
HTML elements.

Years ago, we added security checks for IE 5/6/7 to work around IE's mime
type sniffing: if you went to view a .png file directly in IE (as opposed
to in an <img>) the browser would check the first few bytes of the file to
detect its type, overriding the HTTP Content-Type header. HTML would be
detected with a higher priority than the actual image formats, making it
possible to create an actual .png image which when viewed as an image
looked like an image, but when viewed as a web page was interpreted as
HTML, including any embedded JavaScript.

(This was defense in depth in addition to hosting files on a separate
domain; among other things, we sometimes serve files out from the main
domain when dealing with archived (deleted) versions, and third-party
installs are not guaranteed to have a second domain.)

Browsers have moved on, but the code remains and it trips up legitimate
files containing links in metadata, or sometimes just random compressed
data that looks like an element!

I've done a quick research check on feasibility:
* IE 6 and earlier can no longer access Wikimedia sites due to lack of SNI
and TLS 1.0 or later
* IE 7 on Windows XP can no longer access Wikimedia sites due to lack of SNI
* IE 7 on Windows Vista **can** access Wikimedia sites.
* IE 8 and higher support X-Content-Options: nosniff to disable sniffing,
which we already use on all MediaWiki requests.

At some point Microsoft dropped the sniffing, but I'm not sure if it was a
later IE version or an Edge version. No other browsers in reasonably
current versions seem to have this problem.

So the only remaining browser version that might be affected is IE 7 on
Windows Vista, which supports SNI and TLS 1.0. It might or might not still
work once we drop TLS 1.0 some time in the future. (Per our TLS dashboard,
about 1.2% of our connections still use TLS 1.0, but this isn't broken down
between logged-in-user views and anon views.)

Open questions:
* Should we drop the anti-sniff checks on upload?
* If we do, should we forbid logins with IE 7, or something else to protect
the occasional IE 7 logged-in user from a hypothetical targeted drive-by
attack? (Is it actually worth doing work and testing it for this?)
* Should we add X-Content-Options: nosniff on files served from
upload.wikimedia.org too?

-- brion
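As an added illustration (not code from MediaWiki or from anyone in this thread): a Python sketch of the upload-time anti-sniff check Brion describes, a constructed PNG whose tEXt metadata contains a link and therefore trips it, and the response header that lets browsers from IE 8 on skip sniffing. The tag list and the 256-byte window are assumptions made for this example, not MediaWiki's values.

```python
import struct
import zlib

# Assumption for this example: the sniffer only inspects the leading bytes of
# the body. 256 is a constructed window size, not a value taken from the thread.
SNIFF_WINDOW = 256

# Constructed list of tag prefixes that make a body "look like HTML". MediaWiki's
# own table is longer; this is enough to show the false-positive problem.
HTML_TAGS = (b"<!doctype", b"<html", b"<head", b"<body", b"<title",
             b"<script", b"<iframe", b"<meta", b"<a ")


def looks_like_html(data: bytes) -> bool:
    """Upload-time anti-sniff check: true if an HTML-ish tag sits in the window."""
    head = data[:SNIFF_WINDOW].lower()
    return any(tag in head for tag in HTML_TAGS)


def png_with_comment(comment: bytes) -> bytes:
    """Build a valid 1x1 RGB PNG whose tEXt chunk carries `comment` (constructed).

    The tEXt chunk is placed right after IHDR, so it lands inside SNIFF_WINDOW,
    which is the layout that trips the check on legitimate files with metadata.
    """
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body)))

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n"
            + chunk(b"IHDR", ihdr)
            + chunk(b"tEXt", b"Comment\x00" + comment)
            + chunk(b"IDAT", idat)
            + chunk(b"IEND", b""))


def upload_verdict(data: bytes) -> str:
    """Decision the upload path makes with the legacy check still enabled."""
    return "rejected: looks like HTML" if looks_like_html(data) else "accepted"


def file_response_headers(content_type: str) -> dict:
    """Headers for serving an upload so a sniffing browser trusts Content-Type.

    The header's full name is X-Content-Type-Options (the thread shortens it).
    Browsers from IE 8 on honour it, which is what makes the upload-time check
    redundant for them; the check only ever protected sniffing browsers.
    """
    return {"Content-Type": content_type,
            "X-Content-Type-Options": "nosniff"}
```

A PNG with an innocuous comment passes, while the same PNG whose comment holds an `<a href=...>` link is rejected, which is the false positive the thread complains about.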

[Wikitech-l] Sunsetting VP8 version of WebM for video playback

2019-01-28 Thread Brion Vibber
A few months ago I switched our TimedMediaHandler's config to support the
newer, more bandwidth-efficient VP9/Opus variant of WebM and to use these
preferably over the older VP8/Vorbis version when creating scaled,
playback-ready derivatives.

(This does not affect upload support -- you may continue to upload video
files in WebM VP9, WebM VP8, or Ogg Theora formats, with either Vorbis or
Opus audio.)

Conversions of existing files on Commons ran in the background for some
weeks, finishing in November. I'm now running a final pass for
high-resolution files and any files on other wikis that didn't get a
conversion yet, in preparation for removing the VP8 derivatives in the next
couple of weeks to free storage space.

This should have relatively little visible effect for users, unless someone
is relying on the particular derivative files with extensions like
".360p.webm"; the new versions are named like ".360p.vp9.webm".

Note that IE 11 users using the "WebM Media Foundation Components for IE"
will not be able to play back the new VP9/Opus files natively, as this driver
has never been updated for VP9 or Opus. IE 11 users will receive
low-resolution, slow JavaScript-based video playback instead. If you find
this is troublesome, the recommended solution is to switch to any other
browser.

Third-party MediaWiki + TimedMediaHandler users should be aware that the
defaults are changing, and in future the VP8-specific support and code
paths may be removed. TimedMediaHandler will probably change a lot in the
coming months with upcoming WebVTT subtitle format, a streamlined
videojs-based player, and hopefully more!

-- brion

[Wikitech-l] Request for comment: Themes in core

2019-01-28 Thread Isarra Yos
For those who weren't aware, Jack Phoenix and I have drafted a Request 
for Comment[1] and related initial patch[2] proposing to merge the logic 
from the Theme extension[3] into MediaWiki core.


From the RfC: This will provide built-in functionality that skins can 
implement in a simple and consistent manner, enabling user- or 
site-selection of css variations of a given skin, such as a dark version 
or a layout with more colours.


The RfC itself covers in detail the distinction between skins and themes 
as well as several use cases and issues surrounding the current 
situation, but the key point here is thus: with this functionality, we 
will be able to not just more easily implement night[4], winter, and 
accessibility[5] modes in skins such as Vector and Timeless, but also 
much more consistently, and in a manner that can then be developed to 
better and more consistently use the variables defined by the skins even 
outside of the themes themselves.


Currently, the Theme functionality is limited to the extension itself 
and a few skins that replicate key parts with varying amounts of 
fidelity, which not only results in a bit of a mess in terms of code 
fragmentation, but also limits what we can do with the skins themselves 
due to the added dependency. We would like to fix this, and thus invite 
everyone interested to review our proposal and please, comment if you 
have concerns or see any issues.


-I

See:
[1] https://www.mediawiki.org/wiki/Requests_for_comment/Themes_in_core
[2] https://gerrit.wikimedia.org/r/#/c/465451/
[3] https://www.mediawiki.org/wiki/Extension:Theme
[4] https://meta.wikimedia.org/wiki/Community_Wishlist_Survey_2019/Reading/Night_mode
[5] https://meta.wikimedia.org/wiki/Community_Wishlist_Survey_2019/Reading/Accessibility_settings_for_everyone

Re: [Wikitech-l] Rough Project idea (suggestion)

2019-01-28 Thread K. Kaushik Reddy
Greetings Daniel,

Thanks, I'll check them out.

On Mon, Jan 28, 2019 at 8:20 PM Daniel Kinzler wrote:

> Hello Kaushik!
>
> If you don't get any responses here, perhaps try the wiki-research-l
> mailing
> list .
>
> Good luck!
>
> -- daniel
>
> On 27.01.19 at 14:45, K. Kaushik Reddy wrote:
> > Hi developers,
> >
> > This is Kaushik Reddy. I am currently working on a few data science tools,
> > naming a few: pandas, seaborn, Matplotlib, NumPy etc. with Python.
> > Can I propose projects for Wikimedia dealing with data science?
> > If you people agree to have projects in data science, I would like to
> > propose a few within 3 days.
> >
> > Will be waiting for your response.
> >
> >
> > Regards,
> > Kaushik.
> >
>
>
> --
> Daniel Kinzler
> Principal Software Engineer, Core Platform
> Wikimedia Foundation
>

Re: [Wikitech-l] PHP 7 is now a beta feature

2019-01-28 Thread Mohd Yuhairi tzm

--
Sent from Hotmail Email App for Android Monday, 28 January 2019, 11:37pm +08:00 
from Victoria Coleman  vcole...@wikimedia.org :

>This is fantastic news Giuseppe! A terrific milestone representing tons of 
>work by many people! Kudos to all involved!
>
>Best regards,
>
>Victoria
>
>Sent from my iPhone
>
> On Jan 28, 2019, at 6:31 AM, Giuseppe Lavagetto < glavage...@wikimedia.org> 
> wrote:
>
> Hi all,
>
> as some of you might know, HHVM has decided some time ago to drop support
> for PHP, choosing to only support Hack (Facebook's own PHP-derivative
> language)[1].
>
> This forced us to consider alternatives. In particular the last major
> upgrade to PHP, PHP 7, was supposed to have greatly improved the
> performance of the runtime, guaranteeing performance on par with HHVM.
>
> Given that early tests[2] showed promising performance, we decided to work
> on PHP7 support and on its rollout in production.
>
> I'm happy to announce that PHP 7 is now available as a beta feature on all
> wikis, and I encourage everyone to try it out and report bugs using the
> #php7.2-support tag.
>
> After this period of beta testing, we will proceed with a progressive
> rollout to a growing percentage of users, and hopefully we'll complete the
> transition in the next four months.
>
> A huge thank you to all the people who worked hard to reach this goal!
>
> Thanks,
>
> Giuseppe
> [1]  https://hhvm.com/blog/2017/09/18/the-future-of-hhvm.html
> [2]
> https://lists.wikimedia.org/pipermail/wikitech-l/2017-September/088854.html
> -- 
> Giuseppe Lavagetto
> Principal Site Reliability Engineer, Wikimedia Foundation

Re: [Wikitech-l] PHP 7 is now a beta feature

2019-01-28 Thread Victoria Coleman
This is fantastic news Giuseppe! A terrific milestone representing tons of work 
by many people! Kudos to all involved!

Best regards,

Victoria

Sent from my iPhone

> On Jan 28, 2019, at 6:31 AM, Giuseppe Lavagetto wrote:
> 
> Hi all,
> 
> as some of you might know, HHVM has decided some time ago to drop support
> for PHP, choosing to only support Hack (Facebook's own PHP-derivative
> language)[1].
> 
> This forced us to consider alternatives. In particular the last major
> upgrade to PHP, PHP 7, was supposed to have greatly improved the
> performance of the runtime, guaranteeing performance on par with HHVM.
> 
> Given that early tests[2] showed promising performance, we decided to work
> on PHP7 support and on its rollout in production.
> 
> I'm happy to announce that PHP 7 is now available as a beta feature on all
> wikis, and I encourage everyone to try it out and report bugs using the
> #php7.2-support tag.
> 
> After this period of beta testing, we will proceed with a progressive
> rollout to a growing percentage of users, and hopefully we'll complete the
> transition in the next four months.
> 
> A huge thank you to all the people who worked hard to reach this goal!
> 
> Thanks,
> 
> Giuseppe
> [1] https://hhvm.com/blog/2017/09/18/the-future-of-hhvm.html
> [2]
> https://lists.wikimedia.org/pipermail/wikitech-l/2017-September/088854.html
> -- 
> Giuseppe Lavagetto
> Principal Site Reliability Engineer, Wikimedia Foundation

Re: [Wikitech-l] Rough Project idea (suggestion)

2019-01-28 Thread Daniel Kinzler
Hello Kaushik!

If you don't get any responses here, perhaps try the wiki-research-l mailing
list .

Good luck!

-- daniel

On 27.01.19 at 14:45, K. Kaushik Reddy wrote:
> Hi developers,
> 
> This is Kaushik Reddy. I am currently working on a few data science tools,
> naming a few: pandas, seaborn, Matplotlib, NumPy etc. with Python.
> Can I propose projects for Wikimedia dealing with data science?
> If you people agree to have projects in data science, I would like to
> propose a few within 3 days.
> 
> Will be waiting for your response.
> 
> 
> Regards,
> Kaushik.
> 


-- 
Daniel Kinzler
Principal Software Engineer, Core Platform
Wikimedia Foundation


Re: [Wikitech-l] PHP 7 is now a beta feature

2019-01-28 Thread Mohd Yuhairi tzm

--
Sent from Hotmail Email App for Android Monday, 28 January 2019, 10:31pm +08:00 
from Giuseppe Lavagetto  glavage...@wikimedia.org :

>Hi all,
>
>as some of you might know, HHVM has decided some time ago to drop support
>for PHP, choosing to only support Hack (Facebook's own PHP-derivative
>language)[1].
>
>This forced us to consider alternatives. In particular the last major
>upgrade to PHP, PHP 7, was supposed to have greatly improved the
>performance of the runtime, guaranteeing performance on par with HHVM.
>
>Given that early tests[2] showed promising performance, we decided to work
>on PHP7 support and on its rollout in production.
>
>I'm happy to announce that PHP 7 is now available as a beta feature on all
>wikis, and I encourage everyone to try it out and report bugs using the
>#php7.2-support tag.
>
>After this period of beta testing, we will proceed with a progressive
>rollout to a growing percentage of users, and hopefully we'll complete the
>transition in the next four months.
>
>A huge thank you to all the people who worked hard to reach this goal!
>
>Thanks,
>
>Giuseppe
>[1]  https://hhvm.com/blog/2017/09/18/the-future-of-hhvm.html
>[2]
>https://lists.wikimedia.org/pipermail/wikitech-l/2017-September/088854.html
>-- 
>Giuseppe Lavagetto
>Principal Site Reliability Engineer, Wikimedia Foundation

[Wikitech-l] PHP 7 is now a beta feature

2019-01-28 Thread Giuseppe Lavagetto
Hi all,

as some of you might know, HHVM has decided some time ago to drop support
for PHP, choosing to only support Hack (Facebook's own PHP-derivative
language)[1].

This forced us to consider alternatives. In particular the last major
upgrade to PHP, PHP 7, was supposed to have greatly improved the
performance of the runtime, guaranteeing performance on par with HHVM.

Given that early tests[2] showed promising performance, we decided to work
on PHP7 support and on its rollout in production.

I'm happy to announce that PHP 7 is now available as a beta feature on all
wikis, and I encourage everyone to try it out and report bugs using the
#php7.2-support tag.

After this period of beta testing, we will proceed with a progressive
rollout to a growing percentage of users, and hopefully we'll complete the
transition in the next four months.

A huge thank you to all the people who worked hard to reach this goal!

Thanks,

Giuseppe
[1] https://hhvm.com/blog/2017/09/18/the-future-of-hhvm.html
[2]
https://lists.wikimedia.org/pipermail/wikitech-l/2017-September/088854.html
-- 
Giuseppe Lavagetto
Principal Site Reliability Engineer, Wikimedia Foundation