Page MenuHomePhabricator
Create Task
Maniphest T119295

Update firebase/php-jwt to 3.0.0 in OAuth extension
Closed, ResolvedPublic
Actions

Description

What it says on the tin!

Main change is moving the code into namespaces, so will need to be updated for that

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Update firebase/php-jwt to 3.0.0mediawiki/extensions/OAuthmaster+3 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Reedy created this task.Nov 21 2015, 12:41 PM
Reedy raised the priority of this task from to Needs Triage.
Reedy updated the task description. (Show Details)
Reedy added a project: MediaWiki-extensions-OAuth.
Reedy added a subtask: T119194: Move lib/JWT.php to extension vendor.
Reedy updated the task description. (Show Details)
Reedy set Security to None.
Reedy added subscribers: Aklapper, Reedy, StudiesWorld.
gerritbot subscribed.Nov 21 2015, 1:15 PM

Change 254642 had a related patch set uploaded (by Reedy):
Update firebase/php-jwt to 3.0.0

https://gerrit.wikimedia.org/r/254642

gerritbot added a project: Patch-For-Review.Nov 21 2015, 1:15 PM
Reedy closed subtask T119194: Move lib/JWT.php to extension vendor as Resolved.Nov 22 2015, 10:03 PM
Legoktm added a project: deprecated-security-team-reviews.Nov 22 2015, 10:06 PM
Legoktm added subscribers: csteipp, Legoktm.

Full changelog is https://github.com/firebase/php-jwt/compare/e0a75bfb6413f22092c99b70f310ccb2cca3efa5...fa8a06e96526eb7c0eeaa47e4f39be59d21f16e1, and it looks like the only actual code change is https://github.com/firebase/php-jwt/commit/49f7de66cfb3ae4867a0c95665102b2b0386c4a0 "require a non-empty key to decode a JWT"

@csteipp/security people, could you take a quick look and make sure the new version is ok? I can take care of coordinating the merges if it is.

gerritbot added a comment.Nov 24 2015, 8:06 AM

Change 254642 merged by jenkins-bot:
Update firebase/php-jwt to 3.0.0

https://gerrit.wikimedia.org/r/254642

ReleaseTaggerBot added a project: MW-1.27-release (WMF-deploy-2015-12-08_(1.27.0-wmf.8)).Nov 24 2015, 9:00 AM
csteipp added a comment.Jan 14 2016, 1:07 AM

Did I never comment on this? Sorry about that..

Ex:OAuth should never call php-jwt with an empty key, but good to update the library to make it impossible.

Has vendor been updated too?

Reedy added a comment.Jan 14 2016, 1:14 AM

Yup, see https://gerrit.wikimedia.org/r/#/c/254641/ and T119294... Which should've been closed already. Will do that now

Reedy closed this task as Resolved.Jan 14 2016, 1:15 AM
Reedy claimed this task.
sbassett moved this task from Incoming to Done on the deprecated-security-team-reviews board.Apr 24 2019, 6:11 PM
chasemp removed a project: deprecated-security-team-reviews.Jan 8 2020, 4:13 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits