Page MenuHomePhabricator
Projects Vuln-CachePollution

Vuln-CachePollutionTag
ActivePublic
Watch Project

Members

  • This project does not have any members.
  • View All

Watchers

  • This project does not have any watchers.
  • View All

Details

Description

This tag is used to group security bugs by their general classification, in this case Cache Pollution.

Parent project: Security-Team

Recent Activity
View All

Jul 12 2023

Aklapper changed the edit policy for Vuln-CachePollution.
Jul 12 2023, 8:09 AM

Feb 2 2021

WMDE-leszek added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Thanks for this @sbassett and apologies for not cleaning the house ourselves!

Feb 2 2021, 10:07 AM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Feb 1 2021

sbassett added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Note: I committed the deletion of the two wmf.28 Wikibase patches under /srv/patches on the deployment server (5578144525) since wmf.28 was rolled back and as noted by gerritbot above, https://gerrit.wikimedia.org/r/658323 and https://gerrit.wikimedia.org/r/658324 were merged.

Feb 1 2021, 10:25 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Jan 25 2021

sbassett lowered the priority of T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted from High to Low.
Jan 25 2021, 7:19 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Silvan_WMDE removed a parent task for T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted: T271342: 1.36.0-wmf.28 deployment blockers.
Jan 25 2021, 6:35 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
WMDE-leszek closed T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted as Resolved.
Jan 25 2021, 6:32 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
ReleaseTaggerBot added a project to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted: MW-1.36-notes (1.36.0-wmf.28; 2021-01-26).
Jan 25 2021, 6:00 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Lucas_Werkmeister_WMDE moved T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted from Stalled/Waiting to Done on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.
Jan 25 2021, 5:57 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
gerritbot added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Change 658324 merged by jenkins-bot:
[mediawiki/extensions/Wikibase@master] SECURITY: Add job to purge entity data on page deletion

Jan 25 2021, 5:56 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
gerritbot added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Change 658323 merged by jenkins-bot:
[mediawiki/extensions/Wikibase@master] SECURITY: Add EntityDataPurger

Jan 25 2021, 5:44 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Maintenance_bot moved T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted from incoming to in progress on the Wikidata board.
Jan 25 2021, 5:15 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
WMDE-leszek changed the visibility for T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.
Jan 25 2021, 4:50 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Lucas_Werkmeister_WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

The two security patches are now on Gerrit: https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/ /658323 and https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Wikibase/ /658324. We can merge them so that they’ll go out with the regular train, and won’t need to be applied as security patches anymore.

Jan 25 2021, 3:36 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
WMDE-leszek added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

The issue has been successfully patched on Wikidata. To our best knowledge the problem does not pose a security risk to Wikibase installation outside of WMF production wiki. Therefore we make the issue, and the fix, public.

Jan 25 2021, 3:31 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Jan 20 2021

Ladsgroup added a parent task for T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted: T271342: 1.36.0-wmf.28 deployment blockers.
Jan 20 2021, 7:08 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Ladsgroup added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

I think this should not linger in production like that as more issues are bound to happen. I make this a blocker of the next train to make sure it doesn't get forgotten by the next branch cut.

Jan 20 2021, 7:08 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Lucas_Werkmeister_WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

I’ve looked at the applied commit on deploy1001 (/srv/mediawiki-staging/php-1.36.0-wmf.27/extensions/Wikibase, commit e4054597c9) and it looks fine to me. I’m guessing that some other change on master touched an adjacent hooks line in the extension JSON file; in that case, a 3-way merge is probably semantically correct.

Jan 20 2021, 9:46 AM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Jan 19 2021

Ladsgroup added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Thanks. This seems to be a problem. I check to see what's the blocker of making this public, it should not stay like this for that long time.

Jan 19 2021, 10:46 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
brennen added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Noting that 01-T260349.patch no longer applies without 3-way merge:

Jan 19 2021, 7:19 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Jan 13 2021

WMDE-leszek moved T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted from Test (Verification) to Stalled/Waiting on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.
Jan 13 2021, 9:26 AM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Dec 15 2020

WMDE-leszek moved T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted from Peer Review to Test (Verification) on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.
Dec 15 2020, 10:23 AM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
WMDE-leszek moved T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted from Test (Verification) to Peer Review on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.
Dec 15 2020, 10:22 AM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Dec 7 2020

Lucas_Werkmeister_WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Once this task is made public, we should leave a comment at T128667: Special:EntityData with flavor is cached but not purged properly. It’s not clear to me whether that task is fully resolved with the changes here – it asks for purging “when action=purge is issued”, and we now purge Special:EntityData on revdel/pagedel and on /wiki/Special:EntityData/Q123?action=purge, but not on /wiki/Q123?action=purge.

Dec 7 2020, 2:51 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Dec 1 2020

Lucas_Werkmeister_WMDE moved T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted from Doing to Test (Verification) on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.
Dec 1 2020, 10:21 AM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Nov 30 2020

Lucas_Werkmeister_WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.
In T260349#6648544, @Lucas_Werkmeister_WMDE wrote:

T260349-2-alt.patch17 KBDownload

Nov 30 2020, 12:39 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Nov 26 2020

Lucas_Werkmeister_WMDE moved T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted from Peer Review to Doing on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.
Nov 26 2020, 12:23 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
ItamarWMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

tested locally that HtmlCacheUpdater::purgeUrls() is called by adding the following line

Nov 26 2020, 7:19 AM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Nov 25 2020

Lucas_Werkmeister_WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

That means we must ensure that our code runs after the main transaction has committed, and then also still wait for replication. I think there are several ways to do the first part – a post-send (i.e. default) deferred update, onTransactionCommitOrIdle(), probably some more I’m not aware of – but a job should take care of that part as well, so it’s probably best to go for the job solution. (Even if jobs are run as part of the web request, they run after the main transaction commit, as far as I’m aware.)

Nov 25 2020, 1:43 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Lucas_Werkmeister_WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

@ItamarWMDE noticed that the test suite failed with that change, so I uploaded a MediaWiki core change to fix that: https://gerrit.wikimedia.org/r/c/mediawiki/core/ /643496. The following version of the patch file just adds a comment to the commit message and streamlines the test code a bit; no non-test code changes.

Nov 25 2020, 1:16 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Nov 24 2020

Lucas_Werkmeister_WMDE moved T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted from Doing to Peer Review on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.
Nov 24 2020, 7:25 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Lucas_Werkmeister_WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Alright, the following patch implements the job solution:

Nov 24 2020, 7:25 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Pablo-WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Nice. We discussed the "job solution" a bit and in my understanding it would both cater to the performance concerns doing all this work during the web request, as well as making the topic area of waiting for replication largely irrelevant. Win win (at quite a bit of effort and added complexity).

Nov 24 2020, 1:17 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Lucas_Werkmeister_WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Okay, I think I made another false assumption – that endAtomic() commits the transaction, so that it’s now ready for replication. That’s not the case: in general, an endAtomic() may commit the whole transaction (if it’s the outermost atomic level and the whole transaction was started by that atomic section), but in a normal web request, IIUC the most it can do is release a savepoint – the commit only happens later, when the whole request is done. (And since the startAtomic() call here didn’t request the section to be cancelable, and the default is ATOMIC_NOT_CANCELABLE, there shouldn’t even be a savepoint to release.) So this means that with the patches from T260349#6641445, the waitForReplication() didn’t help because the transaction to create the archive rows hadn’t committed yet, and therefore none of the replicas were allowed to see those rows.

Nov 24 2020, 12:28 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Nov 23 2020

Lucas_Werkmeister_WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Weird, the waitForReplication() didn’t help either. (I also tried it without the 'domain' part by commenting out that lineon mwdebug1001 directly.) I think it’s time for me to step back for a bit…

Nov 23 2020, 5:07 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Lucas_Werkmeister_WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

New patches with and without debug logging:

Nov 23 2020, 4:49 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Lucas_Werkmeister_WMDE claimed T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

I suspect that our assumption – that, by the time the ArticleDeleteComplete hook runs, the archived rows have been committed and replicated – is incorrect.

Nov 23 2020, 4:12 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Lucas_Werkmeister_WMDE placed T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted up for grabs.

Yup, with DB_MASTER it works. (See the logs if you want to – most important is “purge 9 URLs”.) I’ll undeploy the change again so we can figure out how to properly solve this in normal campsite work (because reading an unbounded number of rows from the master is probably not ideal).

Nov 23 2020, 3:54 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Lucas_Werkmeister_WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Excerpt from the log messages:

Nov 23 2020, 3:49 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Lucas_Werkmeister_WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Alright, here’s a version of the patch with some debug logging added:

Nov 23 2020, 2:09 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Lucas_Werkmeister_WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

I deployed this to wmf.18, but it didn’t seem to work, so I removed it again. I’ll try to test this locally later, and if I can’t figure out what’s going wrong, see how I can add some debug logging.

Nov 23 2020, 12:35 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Lucas_Werkmeister_WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Ahead of the deployment, I’ve verified that if I undelete the specific revision with the rebel base’s location, then get the entity data (to make sure it’s cached), and then delete the whole item, the cached data stays available. I’ll use the same item (Q212688) to test the deployment later.

Nov 23 2020, 11:12 AM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Nov 20 2020

Lucas_Werkmeister_WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Looks good to me; I think we can deploy it on Monday (scheduled for the EU window). The change seems to apply without conflict to wmf.16 too, so we can probably backport to both branches, since wmf.18 currently isn’t fully rolled out.

Nov 20 2020, 2:34 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
ItamarWMDE moved T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted from Doing to Peer Review on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.
Nov 20 2020, 12:36 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
ItamarWMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Additional patch to purge urls of deleted items. based on previous security patch:

0001-SECURITY-Add-onArticleDelete-hook-handler-to-EntityD.patch14 KBDownload

Nov 20 2020, 12:34 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Nov 10 2020

ItamarWMDE claimed T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.
Nov 10 2020, 12:57 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
ItamarWMDE moved T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted from To Do (prioritised from top to bottom) to Doing on the Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)) board.
Nov 10 2020, 12:57 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Nov 3 2020

noarave updated the task description for T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.
Nov 3 2020, 3:04 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
noarave added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

A note from task inspection: We might be able to reuse some code to dig up revisions out of the archive table from the changes related to T242164: Retract revdel'ed Wikidata edits from Wikibase client watchlists.

Nov 3 2020, 3:03 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Oct 29 2020

Lucas_Werkmeister_WMDE added a comment to T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.

Hm, I think we didn’t implement any entity/page deletion handling yet? It’s in the task title and AC, but maybe we forgot about it while working on the task (or at least I forgot, I believe).

Oct 29 2020, 3:52 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team

Oct 28 2020

Addshore updated subscribers of T260349: Wikibase does not purge cached Special:EntityData URLs when revisions or entities are deleted.
Oct 28 2020, 7:30 PM · MW-1.36-notes (1.36.0-wmf.28; 2021-01-26), Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)), Vuln-CachePollution, MediaWiki-extensions-WikibaseRepository, Wikidata, Security, Security-Team
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits