Last modified: 2014-05-28 16:57:00 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T64272, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 62272 - Security review of TargetProcess Bugzilla module
Status: NEW
Product: Wikimedia
Classification: Unclassified
Component: Bugzilla (Other open bugs)
Version: unspecified
Hardware: All
OS: All
Importance: Lowest enhancement
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks:
Reported: 2014-03-05 20:54 UTC by Ori Livneh
Modified: 2014-05-28 16:57 UTC
CC: 5 users
See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Description Ori Livneh 2014-03-05 20:54:24 UTC
We're considering using TargetProcess's KanBan board (http://www.targetprocess.com/). This is a commercial service, but it would simply be acting as an interface on top of Bugzilla, so all data and activity would still be managed on our infrastructure using OSS tools. And the KanBan board itself could be set to 'public', allowing anyone to view it.

TargetProcess's Bugzilla integration requires adding an additional entrypoint to our Bugzilla instance: http://core.tpondemand.com/JavaScript/Mashups/Bugzilla%20ProfileEditor/Scripts/4.2/tp2.cgi.zip


There are two blockers to using it:

* The file is currently missing a license header. I contacted TargetProcess support and they are prepared to release the file under an open-source license.

* The file needs security review.
Comment 1 Antoine "hashar" Musso (WMF) 2014-03-06 11:09:18 UTC
There is a GPL-licensed PHP project, https://github.com/EvanOman/KanbanBoard, which uses a custom field in Bugzilla to track the column of the bug.

An intern at Mozilla coded an Angular.js app with a Python backend which does Kanban as well: https://github.com/DerekRies/kanbanzilla


For hhvm project purposes, maybe we can just stick to Mingle, which is already used by various teams and is the base of the scrum of scrums.
Comment 2 Andre Klapper 2014-03-06 12:45:25 UTC
(In reply to Ori Livneh from comment #0)
> We're considering using TargetProcess's KanBan board

Who's "we" in this context?

tp2.cgi says
   my $supportedBugzillaVersion = '4.2';

But we run 4.4. ("we" = the Wikimedia servers ;-)
Comment 3 Chris Steipp 2014-03-06 17:08:04 UTC
As it's written, it does a very poor job of security. They parameterize most of their SQL (except the one on 376, but hopefully Bugzilla wouldn't have an extra feature name that contained SQL), so it probably won't take down the server.

They don't do any XSS filtering, and rely on outputting a text/plain content type. So XSS is only exploitable on IE6, iOS 6's Safari, or any other browser that interprets scripts in text/plain.

It would probably be safe to deploy this if you could lock down access to only their IP address (so xss wouldn't be an issue). But it certainly isn't something I would feel comfortable having up and accessible on our servers.
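The three findings in the review above (one unparameterized SQL statement, no output escaping behind a text/plain content type, and IP restriction as the compensating control) map onto a short hardening pattern. The following is an added example written for this page, not code from tp2.cgi or from TargetProcess; the original module is Perl, but the pattern is shown here in Python against an in-memory SQLite table. The `features` table, its rows, the `build_response` function and the 192.0.2.0/24 allowlist are all constructed for the example.

```python
"""Hardening pattern for a small CGI-style endpoint (added example, not tp2.cgi).

Three defender-side points from the review:
  1. bind every user-controlled value as a query parameter, never interpolate it;
  2. text/plain alone does not stop content sniffing, so send nosniff and escape anyway;
  3. when the consumer is a single vendor, restrict the endpoint to its addresses.
"""
import ipaddress
import sqlite3
from html import escape

# Constructed sample rows standing in for a Bugzilla-style feature lookup.
# The second name deliberately contains SQL metacharacters.
SAMPLE_FEATURES = [
    ("kanban_column", 1),
    ("name'; DROP TABLE features; --", 2),
]

# Constructed allowlist using a documentation range (RFC 5737), not a real vendor IP.
VENDOR_ALLOWLIST = ["192.0.2.0/24"]


def build_db():
    """Create the in-memory table used by the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE features (name TEXT, id INTEGER)")
    conn.executemany("INSERT INTO features VALUES (?, ?)", SAMPLE_FEATURES)
    conn.commit()
    return conn


def lookup_feature_id(conn, name):
    """Parameterized lookup: the driver binds `name` as data, so quotes and
    comment markers inside it are never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM features WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None


def is_allowed_client(remote_addr, allowlist):
    """The compensating control from the review: serve only the vendor's address range."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(net) for net in allowlist)


def build_response(body, remote_addr, allowlist):
    """Return (status, headers, body) for a text/plain endpoint.

    X-Content-Type-Options: nosniff tells browsers not to reinterpret the body
    as HTML; the body is HTML-escaped as well so the defence does not depend
    on any single client honouring the content type."""
    plain = ("Content-Type", "text/plain; charset=utf-8")
    if not is_allowed_client(remote_addr, allowlist):
        return 403, [plain], "forbidden"
    headers = [plain, ("X-Content-Type-Options", "nosniff")]
    return 200, headers, escape(body, quote=True)


if __name__ == "__main__":
    db = build_db()
    print(lookup_feature_id(db, "kanban_column"))
    print(lookup_feature_id(db, "name'; DROP TABLE features; --"))
    print(build_response("<b>hello</b>", "192.0.2.10", VENDOR_ALLOWLIST))
```

The second sample row is the point of the lookup: with a bound parameter the awkward name is simply matched as a string and the table survives, which is the behaviour the reviewer hoped for on the one unparameterized statement. The response helper shows why "text/plain" on its own was judged insufficient: the content type, the nosniff header and the escaping each cover a different class of client.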
Comment 4 Andre Klapper 2014-04-28 05:34:25 UTC
Is this still wanted, or can this ticket be closed?
Comment 5 Greg Grossmeier 2014-05-28 16:57:00 UTC
Setting to "Lowest" for now, and when we migrate to Phabricator, let's close this as INVALID (ie: keep it around on the very very slim chance something in Phabricator land blows up and we don't end up using it).
