Last modified: 2013-12-14 01:07:13 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T59546, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 57546 - Security review of Wikimania Scholarship
Security review of Wikimania Scholarship
Status: RESOLVED FIXED
Product: Wikimedia
Classification: Unclassified
Wikimania Scholarships (Other open bugs)
wmf-deployment
All All
: Normal normal (vote)
: ---
Assigned To: Chris Steipp
https://git.wikimedia.org/tree/wikime...
:
Depends on: 58295 58305 58306 58307
Blocks: 57545 57870
  Show dependency treegraph
 
Reported: 2013-11-25 17:03 UTC by Bryan Davis
Modified: 2013-12-14 01:07 UTC (History)
2 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Bryan Davis 2013-11-25 17:03:43 UTC 
Security review needed before initial production deployment.
Comment 1 Bryan Davis 2013-11-25 17:05:32 UTC 
Assigning security review to Chris Steipp based on prior conversations with Chris and Greg.
Comment 3 Chris Steipp 2013-12-10 21:48:31 UTC 
In general, everything looks good. Just a few things:

Wikimania/Scholarship/Controllers/Login.php
* handlePost - sanity check $next before you redirect

Wikimania/Scholarship/Controllers/Review/Application.php
* handleGet - $id = $this->request->get( 'id' ); seems like this isn't validated

Wikimania/Scholarship/Controllers/Review/Phase1List.php and Phase2List.php
* handleGet - Please strip any leading "=". Probably want to quote entries in case they contain commas.

Wikimania/Scholarship/Forms/Apply.php
* Do you really need IP in the db? Is there a cleanup job to remove them to comply with privacy policy?


Can I get source of js/flexigrid.pack.js?
Comment 4 Bryan Davis 2013-12-10 22:36:31 UTC 
(In reply to comment #3)
> Wikimania/Scholarship/Forms/Apply.php
> * Do you really need IP in the db? Is there a cleanup job to remove them to
> comply with privacy policy?

This was the behavior of the legacy application. From what I can see the IP is never actually used in an business logic. It is shown in the full application dump and would theoretically be exported to the spreadsheet dump (that doesn't currently exist).

I'm ok with removing it all together. The only thing I could see it viably being used for is spam moderation (eg mark all applications from a particular IP as spam).
Comment 5 Chris Steipp 2013-12-10 22:39:16 UTC 
(In reply to comment #4)
> I'm ok with removing it all together. The only thing I could see it viably
> being used for is spam moderation (eg mark all applications from a particular
> IP as spam).

I'd say remove it, or make it a config option that we turn off by default.
Comment 6 Bryan Davis 2013-12-10 22:40:10 UTC 
(In reply to comment #3)
> Can I get source of js/flexigrid.pack.js?

I assume this was the original source: https://git.wikimedia.org/blob/wikimedia%2Fwikimania-scholarships/b2442423dc1dfcb555910b013bc775ffb3777a5f/public%2Fjs%2Fflexigrid.js

I did not pack the script myself. The packed and unpacked versions were part of the original legacy application files.
Comment 7 Chris Steipp 2013-12-14 01:07:13 UTC 
Oh, as for flexigrid, it looks ok using it as your currently are. If you want to do anything else with it, that would need another check. The library itself does a lot of stuff that is probably not safe.

So as is, with the updates, LGTM.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links