Tasks By Project

Project: Security

Switch to Active Tasks 54 Phabricator task(s).

Phabricator Link	Wiki Link	Status	Priority	Projects	Subtasks	Parent Tasks
T121240	T121240: Network isolation for production and semi-production services	open	Medium (orange)	Security SRE (Acknowledged)
T140813	T140813: Protect sensitive user-related information with a UserData / auth / session service	open	Medium (orange)	Security Services (next) Platform Team Legacy (Later) SRE (Acknowledged) Services-next (Backlog) Product-Infrastructure-Team-Backlog (Tracking)	T137272: Create BagOStuff subclass for HTTP T120484: Create password-authentication service for use by CentralAuth
T144467	T144467: Security review for Google MT for Content Translation	resolved	Medium (orange)	Language-Engineering July-September 2016 (CX10) ContentTranslation (CX-deployments) (MT deployment) Platform Team Legacy (Watching / External) Language-2017-Oct-Dec (Continued/Moved to future) Services (watching) Language-Q1-2016-17 Sprint 6 (Backlog) Language-Team (Language-2018-October-December) (Done) Security-Team-Services (Application Security Reviews) Security-Extensions Parsing-Team--ARCHIVED (Backlog) Security secscrum (Our Part Is Done)
T152972	T152972: Accessing private information through SecurePoll should be logged	open	Needs Triage (violet)	Platform Engineering (Icebox) Security Stewards-and-global-tools (Low priority) MediaWiki-extensions-SecurePoll (Backlog)	T271276: Log when admins access voter data in SecurePoll
T161647	T161647: RFC: Deprecate using php serialization inside MediaWiki	resolved	Medium (orange)	Patch-For-Review TechCom-RFC (TechCom-RFC-Closed) (Implemented) TechCom (In progress) Services (watching) Platform Team Legacy (Watching / External) Security	T181555: Remove use of PHP serialization in revision storage
T169328	T169328: Protect against PHP code execution via memcached/unserialize	open	Medium (orange)	MW-1.37-notes (1.37.0-wmf.3; 2021-04-27) Platform Team Workboards (Clinic Duty Team) (Waiting for Review) MediaWiki-Cache (libs/objectcache) Security Patch-For-Review		T274189: Remove usage of PHP serialization from WANObjectCache
T179901	T179901: Create a tmp directory just for MediaWiki	declined	Medium (orange)	Security Performance-Team (Radar) (Watching) serviceops (Unsorted) MediaWiki-General SecTeam-Processed (Completed)
T184458	T184458: Floats are badly interpreted in SQL when locale is not English	declined	Low (yellow)	Wikimedia-Rdbms (Rdbms library) Security
T189641	T189641: Service for checking the Pwned Passwords database	open	Low (yellow)	Platform Team Legacy (Watching / External) MediaWiki-Authentication-and-authorization (Backlog) Services (watching) MediaWiki-User-login-and-signup (Backlog) SecTeam-Processed (Completed) Security WMF-Legal (Backlog) User-Tgr (Next)
T199540	T199540: Forbid blocking IP ranges as big as /1 and /2, as done on ruwikiquote using the API	resolved	Needs Triage (violet)	MW-1.27-release-notes MediaWiki-User-management (Backlog) MW-1.32-notes (Backlog) MediaWiki-API (Needs Code) Security Platform Engineering (Needs Cleaning - Security, stability, performance, and scalability (TEC1)) MW-1.33-notes MW-1.30-release-notes Patch-For-Review Platform Team Workboards (Done with CPT) MW-1.34-notes (1.34.0-wmf.10; 2019-06-18) MW-1.31-release-notes
T205810	T205810: Slow query in ApiQueryBacklinksprop when using an empty xxnamespace parameter	resolved	Needs Triage (violet)	Security MW-1.30-release (Backlog) MW-1.31-release (Core) Platform Team Workboards (Done with CPT) MW-1.27-release (Backlog) MW-1.32-notes (WMF-deploy-2018-10-16 (1.32.0-wmf.26)) MediaWiki-API (Done) Platform Engineering (Needs Cleaning - Security, stability, performance, and scalability (TEC1))
T207297	T207297: Phan SecurityCheck-XSS and SecurityCheck-SQLInjection errors in SecurePoll extension	resolved	High (red)	phan-taint-check-plugin (Done) MediaWiki-extensions-SecurePoll (Backlog) Platform Engineering (Tracking/Watching) Security
T208188	T208188: RFC: Partial opt-out method for Content security policy	open	Medium (orange)	Security-Team-Services (Privacy Engineering) (Watching) Platform Team Workboards (Clinic Duty Team) (External Code Review Completed) TechCom-RFC (P2: Resource) TechCom (Watching) Security-Team (Watching) Patch-For-Review ContentSecurityPolicy (MediaWiki) Security		T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki
T213362	T213362: Limit what URLs Proton can access	resolved	High (red)	Proton Patch-For-Review Services (watching) Product-Infrastructure-Team-Backlog (Kanban) (To Do) Platform Team Legacy (Watching / External) Security		T210651: Switch all PDF render traffic to new Proton service
T232568	T232568: Special:UserRights exposes the existence of hidden users (CVE-2020-25813)	resolved	High (red)	Security MediaWiki-User-management (User list) Vuln-Infoleak MW-1.35-notes MW-1.34-notes Security-Team (In Progress) User-DannyS712 (Awaiting review and deployment)
T232789	T232789: List active MediaWiki sessions for your account	duplicate	Medium (orange)	Security Platform Engineering (Future Initiatives/Small Projects) MediaWiki-Authentication-and-authorization (Backlog)
T234450	T234450: Special:Contributions requests with a high &limit= caused excessive database load	resolved	Low (yellow)	MediaWiki-Special-pages (Special:Contributions / Special:DeletedContributions) Wikimedia-production-error (Sep2019/1.34.wmf.21+) Platform Engineering (Tracking/Watching) MW-1.34-notes Vuln-DoS (Tracked) Security MW-1.35-notes (1.35.0-wmf.5; 2019-11-05) User-notice (Already announced/Archive) MW-1.33-notes MW-1.31-release-notes Performance Issue	T250527: Consider enabling max_statement_time on all production DB servers to limit impact of bad queries
T234862	T234862: Do not show oversighted edit summaries in CheckUser API (CVE-2019-18611)	resolved	Medium (orange)	Security Vuln-Infoleak CheckUser (Backlog) MW-1.35-notes (1.35.0-wmf.4; 2019-10-29) User-Urbanecm (Waiting on review) MediaWiki-API (Non-core-API stuff)
T236701	T236701: Consider enforcing read permissions at the storage layer	open	Medium (orange)	Security MediaWiki-User-management (User rights) Platform Team Workboards (MW Expedition) (Authority pile)
T239466	T239466: Possible to circumvent title-blacklist (CVE-2019-19709)	resolved	Medium (orange)	MediaWiki-API (Needs Review) TitleBlacklist (Backlog) Platform Team Workboards (Clinic Duty Team) (Done) Security
T241039	T241039: Create an API for sending yourself an arbitrary HTML email	open	Medium (orange)	Security MediaWiki-Email (Backlog) MediaWiki-API (Needs details or plan)
T248483	T248483: Security Readiness Review For MediaModeration	resolved	Medium (orange)	Security Platform Team Initiatives (Hash Checking) MediaWiki-extensions-MediaModeration (Backlog) secscrum (Our Part Is Done) Security-Team-Services (Application Security Reviews) user-sbassett (Done)		T247943: Deploy MediaModeration Extension to Wikimedia Production
T251661	T251661: TOTP throttle not enforced cross-wiki (CVE-2020-25827)	resolved	High (red)	MediaWiki-Authentication-and-authorization (Backlog) MW-1.36-notes (1.36.0-wmf.8; 2020-09-08) Platform Team Workboards (Clinic Duty Team) (Waiting for deployment) Security-Team (Watching) Security MediaWiki-extensions-OATHAuth (Backlog)
T253067	T253067: API Portal: Document security best practices	resolved	Medium (orange)	Security Documentation (Backlog) API-Portal (Content)		T255034: Wikimedia API Gateway Long-term Use
T255370	T255370: Document best practices for user login if user is using 2FA	open	Low (yellow)	Platform Team Initiatives (API Gateway) Documentation (Backlog) MediaWiki-Documentation Security MediaWiki-Authentication-and-authorization (Backlog) MediaWiki-extensions-OATHAuth (Backlog)
T256395	T256395: Logged in with an account that doesn't belong to me	resolved	High (red)	SRE (Backlog) Wikimedia-Incident (Active investigation) Security Platform Team Workboards (Clinic Duty Team) (Later)
T256427	T256427: Normal admin cannot delete site-wide javascript page	invalid	Medium (orange)	MediaWiki-Page-deletion Security Platform Team Workboards (Clinic Duty Team) (Later) Regression Beta-Cluster-reproducible (Tag) MediaWiki-User-management (User rights)
T256535	T256535: Same-Origin policy prevents reading HTML pages cross-origin	open	Medium (orange)	Platform Team Workboards (External Code Reviews) (External Code Review Needed) Patch-For-Review Security MediaWiki-General
T257930	T257930: Security Readiness Review For OAuthRateLimiter	resolved	High (red)	Platform Team Sprints Board (Sprint 2) Security MediaWiki-Vendor (Backlog) secscrum (Our Part Is Done) Security-Team-Services (Application Security Reviews) Platform Team Workboards (Green) (Blocked) MediaWiki-extensions-OAuthRateLimiter	T260588: Security Readiness Review For Adding Private Claims To OAuth Extension T260587: Security Readiness Review For Wikimedia/oauth2-server	T257607: Develop OAuthRateLimiter extension
T258322	T258322: Open redirect in wikis that use http://domain.tld/index.php format	open	Low (yellow)	Platform Engineering (Tracking/Watching) Vuln-OpenRedirect (Tracked) MediaWiki-General SecTeam-Processed (Completed) Security
T259140	T259140: Decide if $wgRawHtml is needed, and if so, necessary mitigations	resolved	Needs Triage (violet)	Platform Team Workboards (Initiatives) (Later) Platform Team Initiatives (API Gateway) Security		T235270: Wikimedia API Gateway
T260485	T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869)	resolved	High (red)	Security-Team (Watching) MediaWiki-User-management (Backlog) MediaWiki-extensions-CentralAuth (Incoming) MW-1.35-release (Not a blocker) Platform Engineering (Tracking/Watching) MW-1.36-notes (1.36.0-wmf.18; 2020-11-17) Anti-Harassment (Untriaged) User-Urbanecm (Analytics/Under discussion) MW-1.35-notes MW-1.34-notes MW-1.31-release-notes MediaWiki-Blocks (Backlog) Security	T261143: Fix misattribution of block due to bad values in the ipblocks ipb_by_actor field T261325: Fix rows in ipblocks that point to a non-existing user in ipb_by_actor field, due to T260485
T260587	T260587: Security Readiness Review For Wikimedia/oauth2-server	resolved	Medium (orange)	Security MediaWiki-Vendor (Backlog) Security-Team-Services (Application Security Reviews) Platform Team Workboards (Green) (Blocked) MediaWiki-extensions-OAuthRateLimiter Platform Team Sprints Board (Sprint 2) secscrum (Our Part Is Done)		T257930: Security Readiness Review For OAuthRateLimiter
T260588	T260588: Security Readiness Review For Adding Private Claims To OAuth Extension	resolved	Medium (orange)	Platform Team Sprints Board (Sprint 2) Security Platform Team Workboards (Green) (Blocked) secscrum (Our Part Is Done) MediaWiki-extensions-OAuth (Backlog) Security-Team-Services (Application Security Reviews) MediaWiki-extensions-OAuthRateLimiter		T257930: Security Readiness Review For OAuthRateLimiter
T260631	T260631: BotPasswords doesn't validate length of resultant bp_restrictions JSON	resolved	Medium (orange)	MediaWiki-User-management (Backlog) Security-Team (Watching) Platform Team Workboards (External Code Reviews) (External Code Review Completed) Security
T260633	T260633: BotPasswords doesn't validate length of resultant bp_grants JSON	resolved	Medium (orange)	Security-Team (Watching) MW-1.31-release-notes Platform Team Workboards (External Code Reviews) (External Code Review Completed) MW-1.35-notes MW-1.36-notes (1.36.0-wmf.21; 2020-12-08) Security MediaWiki-User-management (Backlog)
T261050	T261050: Frequent "Invalid CSRF token" errors on Wikimedia projects using Pywikibot since August 2020	open	High (red)	Pywikibot (Backlog) Security MediaWiki-API (Unsorted) Platform Engineering (Tracking/Watching)
T261143	T261143: Fix misattribution of block due to bad values in the ipblocks ipb_by_actor field	resolved	Medium (orange)	Platform Team Workboards (Clinic Duty Team) (Done) Wikimedia-Site-requests (Backlog) Security MediaWiki-extensions-CentralAuth (Incoming) Anti-Harassment (Untriaged)		T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869)
T261325	T261325: Fix rows in ipblocks that point to a non-existing user in ipb_by_actor field, due to T260485	declined	High (red)	Platform Team Workboards (Clinic Duty Team) (Ready (WIP:5)) Security MW-1.36-notes (1.36.0-wmf.11; 2020-09-29) MediaWiki-extensions-CentralAuth (Incoming) MediaWiki-Blocks (Backlog) User-Urbanecm (Reviewing) Anti-Harassment (Untriaged)		T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869)
T261358	T261358: Review CORS strategy for WikimediaApiPortalOAuth extension	resolved	Medium (orange)	Security-Team (Our Part Is Done) Patch-For-Review MediaWiki-extensions-WikimediaApiPortalOAuth Platform Team Initiatives (API Gateway) Platform Team Workboards (Green) (Blocked) Security	T261696: MW REST Framework support for authenticated CORS	T251283: Create extension to provide functionality for creating and managing OAuth 2.0 clients from API Portal
T262554	T262554: Don't run gadgets on Special:OAuth/authorize	resolved	Medium (orange)	Platform Team Workboards (External Code Reviews) (External Code Review Needed) MW-1.36-notes (1.36.0-wmf.18; 2020-11-17) Patch-For-Review Security MediaWiki-extensions-OAuth (Backlog)
T263220	T263220: Limit concurrency of DPL queries	open	High (red)	Vuln-DoS (Tracked) Sustainability (Incident Followup) Platform Team Workboards (Clinic Duty Team) (Later) Performance Issue PoolCounter (Backlog) DynamicPageList (Wikimedia) (Backlog) MW-1.36-notes (1.36.0-wmf.18; 2020-11-17) SRE (Backlog) serviceops (Incoming 🐫) Slow-DB-Query SecTeam-Processed (Completed) Security Patch-For-Review	T266775: Stalls on db1075 (s3) replica db
T263927	T263927: MediaWiki user and password fields should have the proper autocomplete value	open	Needs Triage (violet)	MW-1.36-notes (1.36.0-wmf.20; 2020-12-01) Platform Team Workboards (External Code Reviews) (External Code Review Completed) Security MediaWiki-User-login-and-signup (Backlog)	T150983: Support arbitrary autocomplete values in OOUI\TextInputWidget
T270713	T270713: CVE-2021-30152: action=protect lets users with 'protect' permission protect to higher protection level	resolved	High (red)	MediaWiki-API (Unsorted) Vuln-MissingAuthz (Tracked) Patch-For-Review Security-Team (Our Part Is Done) MW-1.36-notes (Backlog) MW-1.37-notes (1.37.0-wmf.1; 2021-04-13) Platform Team Workboards (Clinic Duty Team) (Later) Security
T272386	T272386: CVE-2021-30159: Non-admin deleted enwiki page in fast double move	resolved	Low (yellow)	Security Security-Team (Our Part Is Done) MW-1.37-notes (1.37.0-wmf.1; 2021-04-13) Platform Team Workboards (Clinic Duty Team) (Later) MW-1.35-release (Blocker) MW-1.36-notes (Backlog) MediaWiki-Page-rename Patch-For-Review MW-1.31-release (Backlog)
T276316	T276316: Argument 1 passed to MediaWiki\User\UserNameUtils::getCanonical() must be of the type string, null given, called in /srv/mediawiki/php-1.36.0-wmf.33/extensions/CentralAuth/includes/CentralAuthGroupMembershipProxy.php on line 48	resolved	High (red)	Security MediaWiki-extensions-CentralAuth (Incoming) Wikimedia-production-error (Mar 2021) Platform Team Workboards (MW Expedition) (On the train) Patch-For-Review MW-1.36-notes (1.36.0-wmf.34; 2021-03-09)
T277687	T277687: Deprecated cross-wiki access to User. Expected: 'eswiki', Actual: the local wiki. Pass expected $wikiId. [Called from User::getId]	duplicate	Needs Triage (violet)	User-brennen (Logs/Train) MediaWiki-extensions-CentralAuth (Incoming) MW-1.36-notes (1.36.0-wmf.36; 2021-03-23) Patch-For-Review Security-Team (Incoming) Platform Team Workboards (MW Expedition) (Unsorted pile) Wikimedia-production-error (Mar 2021) Security
T281972	T281972: ActorStore::checkDatabaseDomain: InvalidArgumentException: DB connection domain does not match when suppressing via Special:CentralAuth (CVE-2021-36128)	resolved	Lowest (sky)	SecTeam-Processed (Completed) MediaWiki-extensions-CentralAuth (Incoming) Security-Team (Our Part Is Done) Security Wikimedia-production-error (May 2021) Patch-For-Review Platform Team Workboards (MW Expedition) (UserStore pile) MW-1.36-notes (Backlog) MediaWiki-User-management (Backlog) MW-1.38-notes (1.38.0-wmf.9; 2021-11-16) MW-1.36-release (Not a blocker) MW-1.37-notes Stewards-and-global-tools (Untriaged)	T274817: Convert DatabaseBlock and AbstractBlock to UserIdentity, and make them cross-wiki aware.
T284274	T284274: action=history with a high limit like >= 2000, can be slow and might timeout	open	Needs Triage (violet)	Performance-Team (Radar) (Perf recommendation) Platform Team Workboards (Clinic Duty Team) (Later) Security Security-Team (Watching) Patch-For-Review Vuln-DoS (Tracked) Performance-Team-publish (Consider write up) MediaWiki-Page-history (Backlog)
T287542	T287542: API action=parse&prop=headhtml leaking user tokens and other private info in cross-origin requests (again)	resolved	Needs Triage (violet)	Platform Engineering (Inbox) Security Security-Team (Our Part Is Done) Regression Vuln-Infoleak MediaWiki-API (Unsorted) SecTeam-Processed (Completed) Vuln-CSRF (Tracked)
T292763	T292763: CVE-2021-44854: Rest API incorrectly publicly caches results from private wikis	resolved	High (red)	Security MW-1.37-notes Vector (Needs triage) API Platform (Done) MW-1.35-notes SRE (Backlog) SecTeam-Processed (Completed) Security-Team (Our Part Is Done) Vuln-Infoleak MW-1.36-notes (Backlog) Desktop Improvements (Incoming) Platform Engineering (Inbox) MediaWiki-REST-API (Backlog) MW-1.38-notes (1.38.0-wmf.6; 2021-10-26)
T32018	T32018: Require some user groups to have a periodically confirmed valid email address	open	Lowest (sky)	Platform Engineering (Feature Requests to Review) Security MediaWiki-User-management (User rights)
T6845	T6845: CAPTCHA doesn't work for people with visual impairments	open	Medium (orange)	WCAG-Level-A Platform Engineering (Inbox) Security Readers-Web-Backlog (Tracking) ConfirmEdit (CAPTCHA extension) (Backlog) Accessibility (Aural / Screen readers) Design (Incoming)
T92680	T92680: iptables firewall to limit access to Cassandra services	resolved	Medium (orange)	RESTBase-Cassandra (Backlog) SRE (Backlog) RESTBase (In progress) Patch-For-Review Security		T94329: secure Cassandra/RESTBase cluster