
Security-Core
Tag (Archived, Public)

Members (1)

  • This project does not have any members.

Watchers (4)

Details

Description

Replaced by Security - after creating a Security task, please add the corresponding code project(s) to the project tags of your task!

Please see https://www.mediawiki.org/wiki/Reporting_security_bugs for how to report Security issues.

Recent Activity

Dec 27 2023

Winston_Sung moved T124404: language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition (CVE-2017-8814) from Core to Security on the MediaWiki-Language-converter board.
Dec 27 2023, 6:18 PM · Security, MW-1.31-release-notes (WMF-deploy-2017-11-14 (1.31.0-wmf.8)), MW-1.29-release-notes, MW-1.30-release-notes, Security-Team, MediaWiki-Language-converter, Security-Core
Winston_Sung removed a project from T124404: language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition (CVE-2017-8814): Patch-For-Review.
Dec 27 2023, 6:16 PM · Security, MW-1.31-release-notes (WMF-deploy-2017-11-14 (1.31.0-wmf.8)), MW-1.29-release-notes, MW-1.30-release-notes, Security-Team, MediaWiki-Language-converter, Security-Core
Winston_Sung moved T124404: language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition (CVE-2017-8814) from Backlog to Core on the MediaWiki-Language-converter board.
Dec 27 2023, 6:15 PM · Security, MW-1.31-release-notes (WMF-deploy-2017-11-14 (1.31.0-wmf.8)), MW-1.29-release-notes, MW-1.30-release-notes, Security-Team, MediaWiki-Language-converter, Security-Core

Dec 1 2022

Aklapper set the color for Security-Core to Red.
Dec 1 2022, 11:06 AM

Nov 29 2021

Urbanecm added a comment to T29393: Special:UserLogout should require a token or confirmation from the user.

Published, as it is a duplicate of T25227: Use token when logging out.

Nov 29 2021, 1:31 PM · Security-Core
Urbanecm changed the visibility for T29393: Special:UserLogout should require a token or confirmation from the user.
Nov 29 2021, 1:31 PM · Security-Core

Jul 31 2021

Izno removed a subtask for T190015: Create separate user group for editing sitewide CSS/JavaScript that does not include administrators by default: T202842: Rename global interface editors to global interface admins.
Jul 31 2021, 12:43 AM · Security, MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)), User-Tgr, Trust-and-Safety, WMF-General-or-Unknown, Patch-For-Review, JavaScript, Security-Core

May 25 2021

Seddon closed T202244: CentralNotice provides a means for non interface-admins to bypass new CSS/JS restrictions, a subtask of T190015: Create separate user group for editing sitewide CSS/JavaScript that does not include administrators by default, as Resolved.
May 25 2021, 2:45 PM · Security, MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)), User-Tgr, Trust-and-Safety, WMF-General-or-Unknown, Patch-For-Review, JavaScript, Security-Core

Feb 10 2020

Maintenance_bot removed a project from T177997: WikiImporter::notice echoing of unescaped values is a dangerous api: Patch-For-Review.
Feb 10 2020, 11:13 PM · Security, MW-1.31-release-notes (WMF-deploy-2018-01-02 (1.31.0-wmf.15)), Google-Code-in-2017, good first task, Security-Core, MediaWiki-Core-Snapshots
Maintenance_bot removed a project from T200176: Deletion of user js and css requires deletion and edituser* rights: Patch-For-Review.
Feb 10 2020, 11:11 PM · Security, MW-1.32-notes (WMF-deploy-2018-08-28 (1.32.0-wmf.19)), Security-Core, MediaWiki-User-management

Nov 26 2019

Maintenance_bot removed a project from T159611: thumb.php should use the ImgAuthBeforeStream hook: Patch-For-Review.
Nov 26 2019, 11:49 AM · Security, Multimedia, Commons, MediaWiki-File-management

Nov 24 2019

gerritbot added a comment to T159611: thumb.php should use the ImgAuthBeforeStream hook.

Change 341135 abandoned by markahershberger:
thumb.php should use the ImgAuthBeforeStream hook

Nov 24 2019, 1:52 AM · Security, Multimedia, Commons, MediaWiki-File-management

Nov 16 2019

Ammarpad merged T216459: Admin on nl.wp gets "You don't have the right to view a deleted page" after deleting a JS page into T202989: Administrators can no longer view deleted history of js/css pages.
Nov 16 2019, 5:57 PM · User-notice-archive, MW-1.36-notes (1.36.0-wmf.16; 2020-11-03), User-DannyS712, Security, User-Tgr, Trust-and-Safety, WMF-General-or-Unknown, JavaScript

Oct 16 2019

sbassett removed a project from T68404: New CSS syntax for attr() allows web bugs: Patch-For-Review.
Oct 16 2019, 5:50 PM · Security, MW-1.26-release, MW-1.23-release, MW-1.27-release-notes, MW-1.28-release (WMF-deploy-2016-10-04_(1.28.0-wmf.21)), MW-1.28-release-notes, Privacy, Security-Core
sbassett moved T68404: New CSS syntax for attr() allows web bugs from Intake to Done on the Privacy board.
Oct 16 2019, 5:50 PM · Security, MW-1.26-release, MW-1.23-release, MW-1.27-release-notes, MW-1.28-release (WMF-deploy-2016-10-04_(1.28.0-wmf.21)), MW-1.28-release-notes, Privacy, Security-Core
sbassett moved T115945: status.wikimedia.org should not load Google Analytics from Intake to Done on the Privacy board.
Oct 16 2019, 5:48 PM · Security-Core, SRE, Privacy, observability

Sep 26 2019

sbassett moved T68404: New CSS syntax for attr() allows web bugs from Patch pending deployment to Done on the acl*security board.
Sep 26 2019, 2:38 PM · Security, MW-1.26-release, MW-1.23-release, MW-1.27-release-notes, MW-1.28-release (WMF-deploy-2016-10-04_(1.28.0-wmf.21)), MW-1.28-release-notes, Privacy, Security-Core
sbassett moved T129738: Blocked accounts on BlockDisablesLogin wikis aren't logged out from Patch pending deployment to Done on the acl*security board.
Sep 26 2019, 2:37 PM · Security, MW-1.27-release-notes, MW-1.28-release (WMF-deploy-2016-08-23_(1.28.0-wmf.16)), MW-1.28-release-notes, MW-1.23-release, MW-1.26-release, Patch-For-Review, Vuln-Infoleak, MediaWiki-Core-AuthManager, Security-Core
sbassett moved T171405: Cannot suppress pages while deleting following change to page deletion interface from Patch pending deployment to Done on the acl*security board.
Sep 26 2019, 2:36 PM · Security, MW-1.30-release-notes (WMF-deploy-2017-07-18_(1.30.0-wmf.10)), Patch-For-Review, MediaWiki-Revision-deletion, Security-Core, Vuln-Infoleak, Regression, MediaWiki-Page-deletion
sbassett moved T57548: Html::expandAttributes can be tricked into omitting necessary quotes from Pending deployment / release to Done on the acl*security board.
Sep 26 2019, 2:35 PM · Security, Patch-For-Review, Security-Core
sbassett moved T124404: language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition (CVE-2017-8814) from Patch needing revision/discussion to Done on the acl*security board.
Sep 26 2019, 2:28 PM · Security, MW-1.31-release-notes (WMF-deploy-2017-11-14 (1.31.0-wmf.8)), MW-1.29-release-notes, MW-1.30-release-notes, Security-Team, MediaWiki-Language-converter, Security-Core

Sep 4 2019

DannyS712 merged T232015: administrators are not able to view deleted js/css into T202989: Administrators can no longer view deleted history of js/css pages.
Sep 4 2019, 6:18 PM · User-notice-archive, MW-1.36-notes (1.36.0-wmf.16; 2020-11-03), User-DannyS712, Security, User-Tgr, Trust-and-Safety, WMF-General-or-Unknown, JavaScript

Aug 2 2019

Joe added a project to T179901: Create a tmp directory just for MediaWiki: serviceops.
Aug 2 2019, 7:05 AM · SecTeam-Processed, Security, Performance-Team (Radar), serviceops, MediaWiki-General
Joe added a comment to T179901: Create a tmp directory just for MediaWiki.

I would rather do what @Anomie suggested, that is using PrivateTmp=true for php-fpm. I'll look into it.

Aug 2 2019, 7:05 AM · SecTeam-Processed, Security, Performance-Team (Radar), serviceops, MediaWiki-General

Jul 5 2019

WDoranWMF moved T179901: Create a tmp directory just for MediaWiki from Later to Mop Column on the Platform Team Legacy board.
Jul 5 2019, 3:46 PM · SecTeam-Processed, Security, Performance-Team (Radar), serviceops, MediaWiki-General

Jun 11 2019

sbassett moved T181547: Regex DoS vulnerability in moment.js from To Follow Up to Our Part Is Done on the Security-Team board.
Jun 11 2019, 6:09 PM · Security, Growth-Team, Security-Team, ContentTranslation, Collaboration-Team-Triage, StructuredDiscussions, Notifications, Multimedia, Security-Core
Restricted Application added a project to T110143: strip markers can be used to get around html attribute escaping in (many?) parser tags: Multimedia.
Jun 11 2019, 6:06 PM · Security, Multimedia, Security-Team, Security-Core, MediaWiki-Gallery, MediaWiki-extensions-Poem, Security-Extensions

Jun 6 2019

Krinkle raised the priority of T60291: load.php should check read permissions on private wikis (exposes content of wiki pages part of a module) from Low to Medium.
Jun 6 2019, 8:34 AM · Performance-Team (Radar), Security, MediaWiki-ResourceLoader, Vuln-Infoleak

May 14 2019

DStrine moved T202244: CentralNotice provides a means for non interface-admins to bypass new CSS/JS restrictions from Sprint +1 to Unscheduled on the Fundraising-Backlog board.
May 14 2019, 7:40 PM · Security, Security-Team, FR-CentralNotice-translations, Fundraising-Backlog, MediaWiki-extensions-CentralNotice, Trust-and-Safety, JavaScript

May 13 2019

DStrine moved T202244: CentralNotice provides a means for non interface-admins to bypass new CSS/JS restrictions from Triage to Sprint +1 on the Fundraising-Backlog board.
May 13 2019, 8:05 PM · Security, Security-Team, FR-CentralNotice-translations, Fundraising-Backlog, MediaWiki-extensions-CentralNotice, Trust-and-Safety, JavaScript

May 9 2019

Tgr added a comment to T151011: Add password generator to account creation / password change form.

Google Chrome includes a password generator (and manager) these days that they prompt a user to use any time a password field with no saved passwords is focused:

[Attached image: google-password-generator.png (370×550 px, 36 KB)]

May 9 2019, 6:09 PM · Security, User-Tgr, MediaWiki-User-login-and-signup
Tgr merged T96781: Suggest strong passwords into T151011: Add password generator to account creation / password change form.
May 9 2019, 5:01 PM · Security, User-Tgr, MediaWiki-User-login-and-signup

May 8 2019

DStrine moved T202244: CentralNotice provides a means for non interface-admins to bypass new CSS/JS restrictions from Sprint +3 to Triage on the Fundraising-Backlog board.
May 8 2019, 8:24 PM · Security, Security-Team, FR-CentralNotice-translations, Fundraising-Backlog, MediaWiki-extensions-CentralNotice, Trust-and-Safety, JavaScript

Apr 26 2019

gerritbot added a comment to T163583: <video>/<source>/<track> sanitization for media.

Change 505644 merged by jenkins-bot:
[mediawiki/core@master] Synchronize allowed attributes for <audio> with Parsoid/TimedMediaHandler

Apr 26 2019, 7:10 PM · Security, MW-1.30-release-notes (WMF-deploy-2017-05-23_(1.30.0-wmf.2)), MediaWiki-Parser, TimedMediaHandler

Apr 22 2019

gerritbot added a comment to T163583: <video>/<source>/<track> sanitization for media.

Change 505644 had a related patch set uploaded (by C. Scott Ananian; owner: C. Scott Ananian):
[mediawiki/core@master] Synchronize allowed attributes for <audio> with Parsoid/TimedMediaHandler

Apr 22 2019, 5:07 PM · Security, MW-1.30-release-notes (WMF-deploy-2017-05-23_(1.30.0-wmf.2)), MediaWiki-Parser, TimedMediaHandler

Apr 17 2019

Ladsgroup updated subscribers of T40848: Security: CSS positioning can be used to break out of the content area.
Apr 17 2019, 11:49 AM · SecTeam-Processed, Vuln-Misconfiguration, Security, User-Tgr, TemplateStyles, MediaWiki-User-Interface

Feb 23 2019

Tgr moved T197153: Make some providers optional for reauthentication from Backlog to Next on the User-Tgr board.
Feb 23 2019, 7:20 AM · Patch-Needs-Improvement, Security, User-Tgr, MediaWiki-Core-AuthManager

Jan 26 2019

Phabricator_maintenance moved T158604: Investigate usefulness of SameSite cookies for logged-in accounts from Backlog to Acknowledged on the SRE board.
Jan 26 2019, 9:05 PM · Security, Security-Team, Traffic, SRE, MediaWiki-Core-AuthManager

Jan 7 2019

Tgr added a comment to T118774: No way to force a user to change their password if it's invalid.

The minimum viable version is merged now; you need to set the policy to [ 'value' => ..., 'forceChange' => true ], and you will not be allowed to skip the password change screen on login. We should also add a grace period, but as discussed above that's rather more complex.

Jan 7 2019, 6:05 PM · SecTeam-Processed, Security, MW-1.33-notes (1.33.0-wmf.21; 2019-03-12), MediaWiki-User-login-and-signup
ReleaseTaggerBot added a project to T118774: No way to force a user to change their password if it's invalid: MW-1.33-notes (1.33.0-wmf.12; 2019-01-08).
Jan 7 2019, 5:00 PM · SecTeam-Processed, Security, MW-1.33-notes (1.33.0-wmf.21; 2019-03-12), MediaWiki-User-login-and-signup
gerritbot added a comment to T118774: No way to force a user to change their password if it's invalid.

Change 481819 merged by jenkins-bot:
[mediawiki/core@master] Add force option to password policy

Jan 7 2019, 5:00 PM · SecTeam-Processed, Security, MW-1.33-notes (1.33.0-wmf.21; 2019-03-12), MediaWiki-User-login-and-signup

Jan 2 2019

gerritbot added a project to T118774: No way to force a user to change their password if it's invalid: Patch-For-Review.
Jan 2 2019, 6:45 AM · SecTeam-Processed, Security, MW-1.33-notes (1.33.0-wmf.21; 2019-03-12), MediaWiki-User-login-and-signup
gerritbot added a comment to T118774: No way to force a user to change their password if it's invalid.

Change 481819 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/core@master] Add force option to password policy

Jan 2 2019, 6:45 AM · SecTeam-Processed, Security, MW-1.33-notes (1.33.0-wmf.21; 2019-03-12), MediaWiki-User-login-and-signup

Dec 27 2018

Tgr added a comment to T197136: Tie certain user rights to elevated security.

You would also have to be careful about the case where the right is just checked for aesthetic purposes (e.g. adding a link to the special page if the user has the right to do the action).

Dec 27 2018, 8:11 AM · Security, MediaWiki-User-management

Dec 21 2018

Tgr added a comment to T118774: No way to force a user to change their password if it's invalid.

I imagine the minimum viable version would look something like this:

  • Create a new $wgPasswordPolicyGracePeriod config setting that gives you how much time users have to change their password (maybe per user group? per policy check?). Or preferably reuse $wgPasswordExpireGrace which is more or less the same thing but for manually set password end-of-life.
  • If the grace setting needs to be set per policy check, look it up in UserPasswordPolicy and hack it into the status (set the value to [ 'grace' => <time> ] or something); otherwise just check it in the caller (LocalPasswordPrimaryAuthenticationProvider and the CentralAuth equivalent should be the only ones that care).
  • In LocalPasswordPrimaryAuthenticationProvider, when the password check fails with a non-fatal and there is a grace period, set the password expiration time (user_password_expires in core; CentralAuth has no equivalent and needs a schema change, short of some horrible hack to reuse gu_password_reset_expiration with gu_password_reset_key = NULL). If we reuse $wgPasswordExpireGrace, just set it to the current date, if there is a separate config value that's split by group or policy then calculate the end of the expiration period and set it to that.
  • Replicate LocalPasswordPrimaryAuthenticationProvider's expiry check in CentralAuthPrimaryAuthenticationProvider.
  • Add a big warning about the expiration period to the password change dialog.
  • Probably add password expiration time lookup as a User method, add some hook for CentralAuth, and use that method to show a warning on the preferences page and maybe do more aggressive things like showing it on every page when there is very little time left.
  • In LocalPasswordPrimaryAuthenticationProvider::getPasswordResetData and the CentralAuth equivalent, when the expiry check fails hard, do a password validity check and if that fails use it to modify the message so it's clearer to the user why they are required to change passwords.

Dec 21 2018, 1:13 AM · SecTeam-Processed, Security, MW-1.33-notes (1.33.0-wmf.21; 2019-03-12), MediaWiki-User-login-and-signup

Dec 20 2018

chasemp added a project to T150903: Alert sre/security on many 2FA failures: User-chasemp.
Dec 20 2018, 8:25 PM · Sustainability (Incident Followup), Security, MediaWiki-extensions-OATHAuth

Dec 12 2018

Ejegg closed Restricted Task, a subtask of T202244: CentralNotice provides a means for non interface-admins to bypass new CSS/JS restrictions, as Resolved.
Dec 12 2018, 3:21 AM · Security, Security-Team, FR-CentralNotice-translations, Fundraising-Backlog, MediaWiki-extensions-CentralNotice, Trust-and-Safety, JavaScript

Dec 11 2018

JBennett added a comment to T151011: Add password generator to account creation / password change form.

There are two types of good password generation:

  1. A medium-length string of random uppercase/lowercase/numbers (say 12 or 16 characters), with easily confusable characters removed from the pool.
  2. A long human-readable text of space-separated random dictionary words (probably 5 or 6 words), e.g. diceware.

I'm not sure the first is worth doing as the only sane way to use such passwords is a password manager and that can generate random passwords just fine. (Maybe there are less technical users who have problems with password managers and just write the passwords down, but those are better served by diceware style passwords anyway since words are easier to type.) OTOH it is very trivial to implement.

The second is good for people who need to memorize the password for some reason, or need to type it in often (i.e. often log in on foreign machines). The best library I have seen for it is grempe/diceware (test page), which has support for ~20 languages (of course it would be fairly trivial to add more). Word lists are around 100K which is a bit large but they don't exactly make an effort to reduce the size, which could be done pretty easily.

Dec 11 2018, 3:40 PM · Security, User-Tgr, MediaWiki-User-login-and-signup

Dec 10 2018

sbassett added a comment to T151011: Add password generator to account creation / password change form.

I'm not sure how worthwhile this would be if we ever got a decent password strength meter deployed. Though digging through the history, that might be a big if.

Dec 10 2018, 4:15 PM · Security, User-Tgr, MediaWiki-User-login-and-signup

Dec 9 2018

Tgr added a comment to T151011: Add password generator to account creation / password change form.

There are two types of good password generation:

  1. A medium-length string of random uppercase/lowercase/numbers (say 12 or 16 characters), with easily confusable characters removed from the pool.
  2. A long human-readable text of space-separated random dictionary words (probably 5 or 6 words), e.g. diceware.
Dec 9 2018, 9:23 PM · Security, User-Tgr, MediaWiki-User-login-and-signup