User Details
- User Since
- Feb 2 2026, 7:57 PM (16 w, 1 d)
- Availability
- Available
- LDAP User
- Alex.sanford
- MediaWiki User
- ASanford-WMF
Yesterday
Tue, May 19
Patch is ready here - https://gerrit.wikimedia.org/r/c/mediawiki/extensions/EmailAuth/+/1289409
Perfect, will do 👍
Fri, May 15
Thu, May 14
Wed, May 13
Tue, May 12
Mon, May 11
Fri, May 8
Here is my WIP patch that I need to hand off. It seems to be basically working. I tried to generate some tests with OpenCode and wasn't able to complete this, so the tests are failing, and I haven't closely reviewed the generated tests. I think some of them are failing because of the change itself, not only the new test that I've written. Please feel free to scrap the generated tests if they aren't any good.
Wed, May 6
i18n messages updated in https://gerrit.wikimedia.org/r/c/mediawiki/extensions/WikimediaMessages/+/1281533
Fri, May 1
Completed Monday (Apr 27)
Mon, Apr 27
Apr 23 2026
Apr 20 2026
Apr 14 2026
It looks good! Removing that functionality removes the High and Medium risks that I identified, so we're good to go from my perspective 👍
Since this is not critical to the product and experiment we are building, I propose to remove the feature entirely from the source validation endpoint to expedite the path to production and explore ways to reintroduce it safely, if possible, in collaboration with you and your team.
Apr 13 2026
Security Review Summary - T419136 - 2026-04-11
Last commit reviewed: 55772a87d598f90634e0aa8addbaeade5e9d90bd
Apr 8 2026
CVE-2026-39838 does not appear to list any affected versions of ProofreadPage -- its description just (in relevant part) says "This issue affects .", and the 'Product Status' information just appears to list 3 apparently-unaffected versions.
Apr 7 2026
That all sounds good, and the code looks good to me! Marking this as resolved. Any objections to making this review public?
ReportIncident
+ (T414582, CVE-2026-5762) - ReportIncident DiscussionTools integration causes slow requests with occasional timeouts on large talk pages
https://gerrit.wikimedia.org/r/q/I05d7f65c57d9aa1b70cdb159c4291ac28c60b4dd
Mar 27 2026
Have you decided how you would like to proceed given the outlined risks?
Mar 26 2026
This is completed in https://gerrit.wikimedia.org/r/c/1260712
This is completed by the set of linked Gerrit diffs.
All of the patches have been merged and will be deployed on next week's train.
Mar 25 2026
@ROdonoghue-WMF I may have spoken too soon on this. Most of the other instances I was finding were actually in older, unsupported extensions. I did find one legitimate usage, but it's a bit of a special case, because the info field has bolded text, and then non-bolded text, and it's immediately followed by an actual field (it's in a captcha implementation). I'll keep looking, but just wanted to correct myself here - bolded text without an interactive field probably isn't actually a widespread pattern.
The first patches are up for this (see links in description).
Mar 23 2026
Mar 20 2026
Haven't heard back re: ops-l mailing list, but I don't think it's critical. Marking this as resolved.
Tagging @Jdrewniak as well as the EM.
Mar 19 2026
Mar 16 2026
Security Review Summary - T419743 - 2026-03-16
Making this private so that we can discuss the risks internally before the review is made public.
Mar 11 2026
Mar 9 2026
@SomeRandomDeveloper Sorry about that! This should be deployed now - https://sal.toolforge.org/log/DGif1JwBffdvpiTrkH7z
@SomeRandomDeveloper could you test this to make sure the patch is working in production?
Mar 3 2026
Feb 27 2026
Feb 26 2026
Feb 24 2026
Feb 23 2026
@sbassett A note regarding the above script: I believe the blocked-url, document-uri, and referrer should each be prefixed with csp-report. in order to include their values in the API output.
Feb 20 2026
Great, thanks! 🙌
I am already in the deployment shell group - https://phabricator.wikimedia.org/source/operations-puppet/browse/production/modules/admin/data/data.yaml#L231
Hey @tappof as @aranyap mentioned above I'll be working on this too. Could you please send me creds as well?
