Simetrical wrote:
> Well, first of all, I think our security team consists of Brion, although maybe some other people receive the security@wikimedia.org mailings as well. Since he's also the lead developer, it's not so much a question of recommendations as mandates, which he usually implements personally (either fixing it himself, or reverting whatever broke it).
> Nick Jenkins has done some fuzz-testing on MediaWiki in the past. As far as I'm aware, that's about the end of specific security testing that's done on MediaWiki, at least by the developers. The rest is covered by general code review: checking new code to make sure everything is escaped properly, and looking over old code as it's being maintained.
Indeed, there's not a lot of organized testing, though the fuzz testing tools get pulled out from time to time to look for HTML injection bugs and other such surprises.
Generally, we try to maintain safe programming practices to ensure the borders are patrolled, as it were:
* Don't construct SQL by hand; use query-building abstractions which ensure proper encoding
* Don't construct HTML output by hand; use wiki parser where suitable or XML-building abstractions which ensure proper encoding
* Don't use $_GET, $_POST, $_REQUEST etc values straight; use abstractions which provide some basic data type validation
* Don't use explicit include() or require()s with configured paths; use class autoloader (when an explicit include is needed, always precede it with a constant check to avoid remote include vulnerabilities)
etc
It's not always perfect, and there's going to be lazy code here and there, but working within a safe framework at input/output points is always a big help in combating many of the traditional web app vulnerabilities.
When it comes to ensuring that private data in the wiki stays private, there's perhaps less of an automatic guarantee, as you have to decide what is or isn't private and ensure that the visibility is properly restricted.
-- brion vibber (brion @ wikimedia.org)
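The four "don't do it by hand" rules in the message above, shown as one small PHP script. This is an added example, not code from the thread or from MediaWiki itself: the class and function names (SafeRequest, SafeHtml, buildSelect) are hypothetical stand-ins for the project's own abstractions, PDO over an in-memory SQLite database stands in for the wiki's database layer, and the hostile request values are constructed for the demonstration.

```php
<?php
// Added example (not MediaWiki code). Each section corresponds to one of the
// "safe programming practices" bullets: SQL building, HTML building, request
// access, and the constant check before an explicit include.

// Rule 4: a file that is only ever include()d starts with a constant check.
// The real entry point (index.php) defines the constant; if the included file
// is requested directly with an attacker-supplied path variable, it dies before
// any include() using that path can run. This script is the entry point here.
define( 'MEDIAWIKI', true );
// ...and this is what the top of the included file looks like:
if ( !defined( 'MEDIAWIKI' ) ) {
    die( 'Not a valid entry point.' );
}

// Rule 3: never read $_GET/$_POST/$_REQUEST directly; wrap them in typed accessors.
class SafeRequest {
    private $data;
    public function __construct( array $data ) { $this->data = $data; }

    // Non-numeric input yields an integer (or the default), never a string in SQL.
    public function getInt( $name, $default = 0 ) {
        return isset( $this->data[$name] ) ? intval( $this->data[$name] ) : $default;
    }

    // Strings are normalised (NUL bytes dropped, CRLF folded) before use.
    public function getText( $name, $default = '' ) {
        if ( !isset( $this->data[$name] ) || !is_string( $this->data[$name] ) ) {
            return $default;
        }
        return str_replace( "\r\n", "\n", str_replace( "\0", '', $this->data[$name] ) );
    }
}

// Rule 1: describe the query (table, fields, conditions) and let the builder
// bind values as parameters; column and table names come from code, not input.
function buildSelect( PDO $db, $table, array $fields, array $conds, $limit ) {
    $where = array();
    $params = array();
    foreach ( $conds as $column => $value ) {
        $where[] = "`$column` = ?";
        $params[] = $value;   // bound, never concatenated
    }
    $sql = 'SELECT ' . implode( ', ', $fields ) . " FROM `$table`";
    if ( $where ) {
        $sql .= ' WHERE ' . implode( ' AND ', $where );
    }
    $sql .= ' LIMIT ' . intval( $limit );
    $stmt = $db->prepare( $sql );
    $stmt->execute( $params );
    return $stmt->fetchAll( PDO::FETCH_ASSOC );
}

// Rule 2: build HTML through an element builder that escapes every attribute
// value and the text content, instead of concatenating strings by hand.
class SafeHtml {
    public static function element( $name, array $attribs, $text ) {
        $out = '<' . $name;
        foreach ( $attribs as $k => $v ) {
            $out .= ' ' . $k . '="' . htmlspecialchars( $v, ENT_QUOTES, 'UTF-8' ) . '"';
        }
        return $out . '>' . htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' ) . '</' . $name . '>';
    }
}

// Constructed hostile input, standing in for $_GET on a special page.
$request = new SafeRequest( array(
    'title' => 'Main Page<script>alert(1)</script>',
    'limit' => '10; DROP TABLE page',
) );

// Constructed in-memory database with one row that contains markup.
$db = new PDO( 'sqlite::memory:' );
$db->exec( 'CREATE TABLE page (page_title TEXT, page_touched TEXT)' );
$db->exec( "INSERT INTO page VALUES ('Main Page<script>alert(1)</script>', '20070101000000')" );

$title = $request->getText( 'title' );
$limit = $request->getInt( 'limit' );   // 10; the trailing injection attempt is discarded
$rows  = buildSelect( $db, 'page', array( 'page_title', 'page_touched' ),
    array( 'page_title' => $title ), $limit );

foreach ( $rows as $row ) {
    // The <script> tag reaches the browser as escaped text, not as markup.
    echo SafeHtml::element( 'li',
        array( 'class' => 'mw-page', 'title' => $row['page_title'] ),
        $row['page_title'] ) . "\n";
}
```

Running it (php example.php) prints a single `<li>` whose title attribute and text both contain `&lt;script&gt;` rather than a live tag, and the query runs with `LIMIT 10` and a bound title parameter. The point of each wrapper is the same as in the message: the dangerous operation (quoting for SQL, escaping for HTML, type coercion for request values, the entry-point check) happens in one place at the boundary, so individual call sites cannot forget it.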