Tasks By Project

Project: Security-Team

Switch to Active Tasks 29 Phabricator task(s).

Phabricator Link	Wiki Link	Status	Priority	Projects	Subtasks	Parent Tasks
T106762	T106762: Security review for firebase/php-jwt	resolved	High (red)	LE-CX6-Sprint 1 (Done) ContentTranslation-Release6 (Tech Debt) Patch-For-Review WorkType-Maintenance ContentTranslation (CX6) MediaWiki-Vendor (Backlog) Security-Team (Our Part Is Done)		T97113: MT Api - provide an identification mechanism to allow requests only from a valid MW context
T120888	T120888: Create optional XSS filter step for the parser	open	Medium (orange)	MediaWiki-Parser (Backlog) Security-Team (Back Orders)		T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki
T125382	T125382: Ensure DOMPurify meets our SVG sanitization requirements for Graphs	resolved	Medium (orange)	User-mobrovac (Backlog) Services (watching) Graphoid (Backlog) Security-Team (Our Part Is Done)		T96461: Systematic sanitization for SVGs and HTML
T135963	T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki	open	Medium (orange)	Security-Team (Back Orders) MediaWiki-General Platform Team Legacy (Watching / External) Patch-For-Review TechCom-RFC (TechCom-RFC-Closed) (Implemented) Epic ContentSecurityPolicy (MediaWiki)	T209022: current CSP testing policy would block frames T208188: RFC: Partial opt-out method for Content security policy T120888: Create optional XSS filter step for the parser T208191: Set hhvm.virtual_host&#91 default&#93 &#91 always_decode_post_data&#93 = false T196923: CSP Report: Triggered by mediawiki.js's domEval() function in Chrome and Safari (but not Firefox)
T196923	T196923: CSP Report: Triggered by mediawiki.js's domEval() function in Chrome and Safari (but not Firefox)	resolved	Medium (orange)	MW-1.32-notes (WMF-deploy-2018-08-07 (1.32.0-wmf.16)) Security-Team (Our Part Is Done) Performance-Team (Doing (old)) Core-Platform-Team-Old (Closed) Patch-For-Review MediaWiki-ResourceLoader (Backlog)		T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki
T208188	T208188: RFC: Partial opt-out method for Content security policy	open	Medium (orange)	Security-Team-Services (Privacy Engineering) (Watching) Platform Team Workboards (Clinic Duty Team) (External Code Review Completed) TechCom-RFC (P2: Resource) TechCom (Watching) Security-Team (Watching) Patch-For-Review ContentSecurityPolicy (MediaWiki) Security		T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki
T209022	T209022: current CSP testing policy would block frames	invalid	Needs Triage (violet)	Security-Team (Our Part Is Done)		T135963: Add support for Content-Security-Policy (CSP) headers in MediaWiki
T209083	T209083: Come up with a plan for community security reviews of MediaWiki extensions/skins	open	Low (yellow)	MediaWiki-Stakeholders-Group (Needs Volunteer (Organisational)) Security-Team (Back Orders)
T222598	T222598: NamespaceInfo::getRestrictionLevels() does not correctly handle namespace restrictions that require more than one permission	resolved	Needs Triage (violet)	MediaWiki-General Platform Engineering (Needs Cleaning - Security, stability, performance, and scalability (TEC1)) Platform Team Workboards (Done with CPT) Security-Team (Our Part Is Done) MediaWiki-User-management (Backlog) MediaWiki-Page-protection (Backlog) MW-1.34-notes (1.34.0-wmf.7; 2019-05-28)
T222720	T222720: NamespaceInfo::getRestrictionLevels does not correctly handle group permissions	duplicate	Needs Triage (violet)	Security-Team (Our Part Is Done) MediaWiki-User-management (Backlog) MediaWiki-Page-protection (Backlog) Platform Engineering (Inbox)
T232568	T232568: Special:UserRights exposes the existence of hidden users (CVE-2020-25813)	resolved	High (red)	Security MediaWiki-User-management (User list) Vuln-Infoleak MW-1.35-notes MW-1.34-notes Security-Team (In Progress) User-DannyS712 (Awaiting review and deployment)
T237852	T237852: System Administrator avoids CSRF attacks on MediaWiki REST API	resolved	Medium (orange)	Security-Team (Watching) MW-1.35-notes (1.35.0-wmf.26; 2020-03-31) Story MediaWiki-REST-API (Backlog) Platform Team Initiatives (MW REST API in PHP) Platform Team Workboards (Green) (Done)		T237565: REST API Infrastructure in MediaWiki
T246991	T246991: Memcached keys sometimes outlive their TTL (affects MW rate limit)	resolved	High (red)	MediaWiki-Cache (libs/objectcache) MW-1.34-notes MW-1.35-notes MediaWiki-User-management (Other) MW-1.31-release-notes Platform Team Workboards (Clinic Duty Team) (Done) Security-Team (Our Part Is Done) MW-1.36-notes (1.36.0-wmf.8; 2020-09-08)
T248339	T248339: Decide how to deal with WebAuthn login/registration flow on Wikimedia wikis in future	open	Needs Triage (violet)	SecTeam Discussion MediaWiki-Authentication-and-authorization (Backlog) MediaWiki-extensions-OATHAuth (Backlog) Platform Engineering (Tracking/Watching) Security-Team (Watching)	T248367: Update messages to notify WebAuthn users that they need to login on the same wiki they registered	T244088: Logging in at another wiki than WebAuth was set up fails
T248367	T248367: Update messages to notify WebAuthn users that they need to login on the same wiki they registered	resolved	Needs Triage (violet)	Security-Team (Back Orders) MediaWiki-extensions-OATHAuth (Backlog) MW-1.35-notes (1.35.0-wmf.30; 2020-04-28)		T248339: Decide how to deal with WebAuthn login/registration flow on Wikimedia wikis in future
T251661	T251661: TOTP throttle not enforced cross-wiki (CVE-2020-25827)	resolved	High (red)	MediaWiki-Authentication-and-authorization (Backlog) MW-1.36-notes (1.36.0-wmf.8; 2020-09-08) Platform Team Workboards (Clinic Duty Team) (Waiting for deployment) Security-Team (Watching) Security MediaWiki-extensions-OATHAuth (Backlog)
T260485	T260485: CentralAuth uses wrong actor ID when locally suppressing the user (CVE-2020-25869)	resolved	High (red)	Security-Team (Watching) MediaWiki-User-management (Backlog) MediaWiki-extensions-CentralAuth (Incoming) MW-1.35-release (Not a blocker) Platform Engineering (Tracking/Watching) MW-1.36-notes (1.36.0-wmf.18; 2020-11-17) Anti-Harassment (Untriaged) User-Urbanecm (Analytics/Under discussion) MW-1.35-notes MW-1.34-notes MW-1.31-release-notes MediaWiki-Blocks (Backlog) Security	T261143: Fix misattribution of block due to bad values in the ipblocks ipb_by_actor field T261325: Fix rows in ipblocks that point to a non-existing user in ipb_by_actor field, due to T260485
T260631	T260631: BotPasswords doesn't validate length of resultant bp_restrictions JSON	resolved	Medium (orange)	MediaWiki-User-management (Backlog) Security-Team (Watching) Platform Team Workboards (External Code Reviews) (External Code Review Completed) Security
T260633	T260633: BotPasswords doesn't validate length of resultant bp_grants JSON	resolved	Medium (orange)	Security-Team (Watching) MW-1.31-release-notes Platform Team Workboards (External Code Reviews) (External Code Review Completed) MW-1.35-notes MW-1.36-notes (1.36.0-wmf.21; 2020-12-08) Security MediaWiki-User-management (Backlog)
T261358	T261358: Review CORS strategy for WikimediaApiPortalOAuth extension	resolved	Medium (orange)	Security-Team (Our Part Is Done) Patch-For-Review MediaWiki-extensions-WikimediaApiPortalOAuth Platform Team Initiatives (API Gateway) Platform Team Workboards (Green) (Blocked) Security	T261696: MW REST Framework support for authenticated CORS	T251283: Create extension to provide functionality for creating and managing OAuth 2.0 clients from API Portal
T264798	T264798: CentralAuth should not emit central cookies when creating a local session	open	Low (yellow)	Security-Team (Watching) MediaWiki-extensions-CentralAuth (Incoming) SecTeam-Processed (Completed) Platform Engineering (Icebox)
T270713	T270713: CVE-2021-30152: action=protect lets users with 'protect' permission protect to higher protection level	resolved	High (red)	MediaWiki-API (Unsorted) Vuln-MissingAuthz (Tracked) Patch-For-Review Security-Team (Our Part Is Done) MW-1.36-notes (Backlog) MW-1.37-notes (1.37.0-wmf.1; 2021-04-13) Platform Team Workboards (Clinic Duty Team) (Later) Security
T272386	T272386: CVE-2021-30159: Non-admin deleted enwiki page in fast double move	resolved	Low (yellow)	Security Security-Team (Our Part Is Done) MW-1.37-notes (1.37.0-wmf.1; 2021-04-13) Platform Team Workboards (Clinic Duty Team) (Later) MW-1.35-release (Blocker) MW-1.36-notes (Backlog) MediaWiki-Page-rename Patch-For-Review MW-1.31-release (Backlog)
T277687	T277687: Deprecated cross-wiki access to User. Expected: 'eswiki', Actual: the local wiki. Pass expected $wikiId. [Called from User::getId]	duplicate	Needs Triage (violet)	User-brennen (Logs/Train) MediaWiki-extensions-CentralAuth (Incoming) MW-1.36-notes (1.36.0-wmf.36; 2021-03-23) Patch-For-Review Security-Team (Incoming) Platform Team Workboards (MW Expedition) (Unsorted pile) Wikimedia-production-error (Mar 2021) Security
T281972	T281972: ActorStore::checkDatabaseDomain: InvalidArgumentException: DB connection domain does not match when suppressing via Special:CentralAuth (CVE-2021-36128)	resolved	Lowest (sky)	SecTeam-Processed (Completed) MediaWiki-extensions-CentralAuth (Incoming) Security-Team (Our Part Is Done) Security Wikimedia-production-error (May 2021) Patch-For-Review Platform Team Workboards (MW Expedition) (UserStore pile) MW-1.36-notes (Backlog) MediaWiki-User-management (Backlog) MW-1.38-notes (1.38.0-wmf.9; 2021-11-16) MW-1.36-release (Not a blocker) MW-1.37-notes Stewards-and-global-tools (Untriaged)	T274817: Convert DatabaseBlock and AbstractBlock to UserIdentity, and make them cross-wiki aware.
T284274	T284274: action=history with a high limit like >= 2000, can be slow and might timeout	open	Needs Triage (violet)	Performance-Team (Radar) (Perf recommendation) Platform Team Workboards (Clinic Duty Team) (Later) Security Security-Team (Watching) Patch-For-Review Vuln-DoS (Tracked) Performance-Team-publish (Consider write up) MediaWiki-Page-history (Backlog)
T287542	T287542: API action=parse&prop=headhtml leaking user tokens and other private info in cross-origin requests (again)	resolved	Needs Triage (violet)	Platform Engineering (Inbox) Security Security-Team (Our Part Is Done) Regression Vuln-Infoleak MediaWiki-API (Unsorted) SecTeam-Processed (Completed) Vuln-CSRF (Tracked)
T292763	T292763: CVE-2021-44854: Rest API incorrectly publicly caches results from private wikis	resolved	High (red)	Security MW-1.37-notes Vector (Needs triage) API Platform (Done) MW-1.35-notes SRE (Backlog) SecTeam-Processed (Completed) Security-Team (Our Part Is Done) Vuln-Infoleak MW-1.36-notes (Backlog) Desktop Improvements (Incoming) Platform Engineering (Inbox) MediaWiki-REST-API (Backlog) MW-1.38-notes (1.38.0-wmf.6; 2021-10-26)
T50976	T50976: Update SecurePoll to use ResourceLoader	resolved	Medium (orange)	Security-Team (Incoming) MediaWiki-extensions-SecurePoll (Backlog)