African-wikimedia-developers December 2017

african-wikimedia-developers@lists.wikimedia.org

10 participants
13 discussions

[MediaWiki-announce] MediaWiki 1.30 Available!
by Derick N. Alangi 12 Dec '17

12 Dec '17

Hello everyone, I am happy to announce the availability of the general release of MediaWiki 1.30! MediaWiki 1.30 includes all changes released in the smaller 1.30.0-wmf.* software deployments to Wikimedia sites over six months, totaling almost 1500 commits by around 116 unique authors. This is a large release that contains many new features and bug fixes. This is a summary of the major changes of interest to users and administrators: * https://www.mediawiki.org/wiki/MediaWiki_1.30 You can always consult the RELEASE-NOTES-1.30 file for the full list of changes in this version. Full release notes: * https://phabricator.wikimedia.org/diffusion/MW/browse/REL1_ 30/RELEASE-NOTES-1.30 * https://www.mediawiki.org/wiki/Release_notes/1.30 ********************************************************************** Download: https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.0.tar.gz https://releases.wikimedia.org/mediawiki/1.30/mediawiki-core-1.30.0.tar.gz GPG signatures: https://releases.wikimedia.org/mediawiki/1.30/mediawiki-1.30.0.tar.gz.sig (signed by Chad Horohoe) https://releases.wikimedia.org/mediawiki/1.30/mediawiki- core-1.30.0.tar.gz.sig (signed by Chad Horohoe) Public keys: https://www.mediawiki.org/keys/keys.html ______________________________ Cindy Cicalese Product Manager, MediaWiki Platform Wikimedia Foundation

1 0

Fwd: [Wikitech-l] Announcing a new security testing tool for MediaWiki extensions "phan-taint-check-plugin"
by Egbe Eugene 11 Dec '17

11 Dec '17

---------- Forwarded message ---------- From: Brian Wolff <bwolff(a)wikimedia.org> Date: Mon, Dec 11, 2017 at 10:09 PM Subject: [Wikitech-l] Announcing a new security testing tool for MediaWiki extensions "phan-taint-check-plugin" To: wikitech-l(a)lists.wikimedia.org Hello everyone, For the last little while I have been working on a new tool to automatically detect common security issues in MediaWiki extensions. The tool can detect a number of issues, including: * XSS ** We include here using wfMessage( 'foo' )->text() when you should have used ->escaped() or ->parse(). * Sql injection * Shell injection * PHP deserialization vulnerabilities (A little buggy on this one) In the future, it will likely also detect double escaping issues. Of course, as with any static analysis tool, there will be instances of false positives, as well as things it cannot detect. I've now reached the stage where I feel the tool is useful, and would really like people to test it out and give feedback. Note: the tool has a requirement of php 7.0 (neither higher nor lower) see https://www.mediawiki.org/wiki/Continuous_integration/Phan#Dependencies for how to install php 7.0 if your system doesn't have it. To test with your extension, simply do: $ composer require --dev mediawiki/phan-taint-check-plugin and then merge into the scripts directive of composer.json "scripts": { "seccheck": "seccheck-mwext", "seccheck-fast": "seccheck-fast-mwext" } and simply run composer seccheck seccheck will take about 3 minutes and use lots of ram (~2 GB), seccheck-fast won't test certain things involving hooks, but will work in about 27 seconds and use much less ram. This assumes that your extension is installed in the extensions/ subdirectory of MediaWiki. In the future we may make this into a non-voting jenkins job. If you are not making a MediaWiki extension, there is also a "seccheck-generic" script you can use, which should work with any PHP project. It is also possible to customize the script for other projects that have custom escaping methods. Generic mode is not well tested yet. See the README for more information about the tool: https://github.com/wikimedia/Phan-Taint-Check-Plugin/blob/master/README.md Anyways, I hope this is useful, and am very eager to hear feedback. I also hope that this will not only be useful for Wikimedia, but also helpful to the third party extension development community. Please test it and let me know what you think. _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

1 0

Last Call: MediaWiki 1.30 Release Candidate 0
by Derick N. Alangi 10 Dec '17

10 Dec '17

We are getting ready to release MediaWiki 1.30 - probably tomorrow. If you have found any bugs while testing Release Candidate 0, please report them now. Thanks! Cindy ______________________________ Cindy Cicalese Product Manager, MediaWiki Platform Wikimedia Foundation

1 0

2024

2023

2022

2021

2020

2019

2018

2017

African-wikimedia-developers December 2017