Last modified: 2014-02-08 06:10:43 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T61921, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 59921 - Enabling Flickr upload shares Flickr API key with the world
Enabling Flickr upload shares Flickr API key with the world
Status: RESOLVED INVALID
Product: MediaWiki extensions
Classification: Unclassified
UploadWizard (Other open bugs)
unspecified
All All
: Unprioritized normal (vote)
: ---
Assigned To: Tisza Gergő
:
Depends on:
Blocks: 43450
  Show dependency treegraph
 
Reported: 2014-01-10 20:09 UTC by Tisza Gergő
Modified: 2014-02-08 06:10 UTC (History)
10 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Tisza Gergő 2014-01-10 20:09:39 UTC 
Right now if Flickr upload is set, the Flickr API key is just sent to the browser every time UploadWizard is loaded. This key allows full read/write access to the Flickr user who owns it and probably can be used to do nasty things.

It is probably possible to send an OAuth token instead [1], which would be limited to whatever operations are actually needed by UploadWizard.

Alternatively, we could just proxy all requests through the server, which is slower but also has privacy advantages.

(Or we could just decide that we do not care, which seems to be the status quo.)

The key is also available through the public configuration [2], so if this gets fixed, that should be changed too.


[1] http://www.flickr.com/services/api/auth.oauth.html
[2] https://github.com/wikimedia/operations-mediawiki-config/blob/master/wmf-config/CommonSettings.php#L1783
Comment 1 Ryan Kaldari 2014-01-10 22:21:39 UTC 
The Flickr importing in UploadWizard is a quick and dirty hack that I did a couple years ago. The API key is actually from an account that I created personally, rather than an official WMF account.

This code should definitely be cleaned up by the Multimedia Team. I was originally thinking we would have to proxy all the requests (which is a pain), but I hadn't considered your OAuth idea. That sounds like a promising solution to try out.

Also, we should set this up under some sort of official WMF Flickr account rather than a personal account (for Commons I mean).
Comment 2 Tisza Gergő 2014-01-10 23:11:00 UTC 
We could use a non-secret API key for vagrant and for unit tests, though. If you do not object, I might appropriate the old one for that purpose.
Comment 3 Tisza Gergő 2014-01-13 19:41:12 UTC 
Note to self: un-skip tests in https://gerrit.wikimedia.org/r/#/c/65109/ once this is solved (and there is a private API key for commons and a public one for the tests).
Comment 4 Tisza Gergő 2014-01-16 21:51:47 UTC 
As Gilles pointed out in the gerrit comments, the API key is not really sensitive as Flickr gives us another secret key which is required for operations that need authorization.
Comment 5 Matthew Flaschen 2014-02-08 06:10:43 UTC 
(In reply to comment #2)
> We could use a non-secret API key for vagrant and for unit tests, though. If
> you do not object, I might appropriate the old one for that purpose.

If the code is actually connecting to Flickr's servers, it's an integration test, not a unit test.  

A lot of the mileage (if not all) could probably be achieved by mocking the Flickr server's response in order to test the client-side code.  After all, it's not supposed to test Flickr's code.

I don't think UploadWizard should include a key.  However, at least the current one is not the same one used in production.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links