https://bugzilla.wikimedia.org/show_bug.cgi?id=60178

--- Comment #19 from Chris Steipp <cste...@wikimedia.org> ---
(In reply to comment #18)
> > Security re-review: no
> 
> https://bugzilla.wikimedia.org/show_bug.cgi?id=57270 (RESOLVED FIXED)
> 
> Is it worth re-doing the security review? Large code changes don't always
> require it, case by case and such. I'll let Chris comment/decide.

Bug 60218 was bad, and should have been caught by someone before it hit
production, but it was missed until lego pointed it out. These vulnerabilities
happen, and I'm happy with the team's response to the discovery.

At this point, I don't think another full review is going to be worth my time,
until/unless there is an architectural shift in how they are doing security.
For example, if we can choose a template engine this week, and Flow is willing
to implement it, then I would definitely want another full review to ensure
their coding patterns are safe.

On the admin tools integration, I personally would have liked to see all of the
admin tool integration done before the extension was installed. However, the
team decided it was worth the risk, and it seems like they are making good
progress integrating with the tools. Erik Bernhardson conveyed it is a priority
for them, and they are making progress towards the integration.
