Brion Vibber wrote:
Simetrical wrote:
Well, first of all, I think our security team consists of Brion, although maybe some other people receive the security@wikimedia.org mailings as well. Since he's also the lead developer, it's not so much a question of recommendations as mandates, which he usually implements personally (either fixing it himself, or reverting whatever broke it).
Nick Jenkins has done some fuzz-testing on MediaWiki in the past. As far as I'm aware, that's about the end of specific security testing that's done on MediaWiki, at least by the developers. The rest is covered by general code review: checking new code to make sure everything is escaped properly, and looking over old code as it's being maintained.
Hi Brion,
thanks for your input!
Indeed, there's not a lot of organized testing, though the fuzz testing tools get pulled out from time to time to look for HTML injection bugs and other such surprises.
Sounds good that you found some suitable tools to fuzz with. Are you able to name those tools?
etc
It's not always perfect, and there's going to be lazy code here and there, but working within a safe framework at input/output points is always a big help in combatting many of the traditional web app vulnerabilities.
When it comes to ensuring that private data in the wiki stays private, there's perhaps less of an automatic guarantee, as you have to decide what is or isn't private and ensure that the visibility is properly restricted.
Is there any multi-tier patch revision? The folks at Apache Tomcat do a three-person review of patches before they get committed.
Thanks
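The two things Brion mentions above, escaping at the output points and pulling out a fuzzer to look for HTML injection, as an added example that is not MediaWiki's code and was not posted in this thread. The `render_unsafe`/`render_safe` template, the payload list and the mutators are constructed for illustration; the detection technique (diffing the tag-and-attribute skeleton of the rendered page against a benign baseline, so a hit means the input changed the document's structure rather than merely matching a signature string) is the added part.

```python
"""Structural fuzz harness for HTML-injection bugs at an output point.

Added example, not MediaWiki code: the template, the payloads and the
mutators below are constructed for illustration.
"""
import html
from html.parser import HTMLParser


class _Shape(HTMLParser):
    """Record the tag/attribute skeleton of a document, ignoring text."""

    def __init__(self):
        super().__init__()
        self.events = []

    def handle_starttag(self, tag, attrs):
        # Attribute *names* matter (onerror=, onmouseover=); values do not.
        self.events.append(("start", tag, tuple(sorted(name for name, _ in attrs))))

    def handle_endtag(self, tag):
        self.events.append(("end", tag))


def shape(markup):
    """Return the element/attribute skeleton of `markup` as a list of events."""
    parser = _Shape()
    parser.feed(markup)
    parser.close()
    return parser.events


# Hypothetical output point: user text lands in an attribute and in element content.
def render_unsafe(user_text):
    return f'<span title="{user_text}">{user_text}</span>'


def render_safe(user_text):
    # html.escape(quote=True) covers both the quoted-attribute and the text context.
    safe = html.escape(user_text, quote=True)
    return f'<span title="{safe}">{safe}</span>'


BENIGN = "plain text, 100% safe"

# Constructed payloads, one per injection class.
PAYLOADS = [
    "<img src=x onerror=alert(1)>",       # new element in text context
    '"><img src=x onerror=alert(1)>',     # break out of the attribute value
    "</span><b>bold</b>",                 # close the container early
    '" onmouseover="alert(1)',            # add an event-handler attribute
]

# Simple mutators; a real fuzzer would also try encodings, NULs, nesting, etc.
MUTATORS = [
    ("identity", lambda s: s),
    ("upper", str.upper),
    ("padded", lambda s: f"harmless {s} harmless"),
]


def injects(render, payload):
    """True if `payload` changes the rendered document's structure."""
    return shape(render(payload)) != shape(render(BENIGN))


def fuzz(render, payloads=PAYLOADS, mutators=MUTATORS):
    """Return (mutator name, input) pairs that alter the output structure."""
    findings = []
    for payload in payloads:
        for name, mutate in mutators:
            candidate = mutate(payload)
            if injects(render, candidate):
                findings.append((name, candidate))
    return findings


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        hits = fuzz(render)
        print(f"{label}: {len(hits)} structure-changing inputs")
        for mutator, candidate in hits:
            print(f"  [{mutator}] {candidate!r}")
```

Run against the unescaped template every payload/mutator pair is flagged; against the escaped one nothing is, which is the property a "safe framework at input/output points" is supposed to give you. The baseline comparison also keeps benign text containing `<` or `&` from producing false positives, since those only count when the parser actually sees a new element or attribute.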