Michal Čihař - Archive for 7/2017

Weblate 2.16: Call for translations

Weblate 2.16 is almost ready (I expect no further code changes), so it's a really good time to contribute to its translations! Weblate 2.16 will probably be released during my presence at DebConf 17.

As you might expect, Weblate is translated using Weblate, so contributing should be really easy. In case something is unclear, you can look into the Weblate documentation.

I'd especially like to see improvements in the Italian translation, which was one of the first translations in Weblate's early days, but hasn't received much love in the past years.

Weekly phpMyAdmin contributions 2017-W29

Last week was really focused on fixing issues in phpMyAdmin itself. Some of them also led me to bigger cleanups, for example in the theme management code, which no longer relies on the session cache.

Other important improvements focused on SSL support in phpMyAdmin. It is now able to automatically detect whether the server enforces SSL and enable it in that case. There is also improved documentation about configuring SSL.

Handled issues:

Making Weblate more secure and robust

Having a publicly running web application always brings challenges in terms of security and, more generally, in handling untrusted data. Security-wise, Weblate has always been quite good (mostly thanks to using Django, which comes with built-in protection against many vulnerabilities), but there have always been things to improve in input validation or possible information leaks.

When Weblate joined HackerOne (see our first month's experience with it), I was hoping to get some security-driven code review, but apparently most people there are focused on black-box testing. I can certainly understand that: it's easier to conduct and you need much less knowledge of the tested website to perform it.

One big area where reports against Weblate came in was authentication. Originally we were mostly relying on the default authentication pipeline that comes with Python Social Auth, but that showed some possible security implications, and we ended up with a heavily customized authentication pipeline to avoid several risks. Some patches were submitted back, some issues reported, but we've still diverged quite a lot in this area.

The second area where scanning was apparently performed, but almost no reports came in, was input validation. Thanks to the excellent XSS protection in Django, nothing was really found. On the other hand, this has triggered several internal server errors on our side. At this point I was really happy to have Rollbar configured to track all errors happening in production. Thanks to having all such errors properly recorded and grouped, it was really easy to go through them and fix them in our codebase.
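The pattern behind those internal server errors is worth showing concretely: a black-box scanner throws malformed values at every query parameter, and any parameter the code converts without checking becomes an unhandled exception, i.e. an HTTP 500 that lands in the error tracker. The following is an added illustrative example, not Weblate's own code; the parameter names (`page`, `lang`, `q`), the limits and the language-code pattern are constructed for the demonstration. It contrasts a fragile parser with one that validates every parameter independently and turns bad input into a structured 400 response.

```python
"""Added example (not Weblate code): untrusted query parameters handled
without leaking exceptions as HTTP 500s."""
import re
from dataclasses import dataclass, field

# Constructed limits and patterns for this example; a real application picks its own.
MAX_PAGE = 100_000
MAX_SEARCH_LEN = 200
DIGITS = re.compile(r"^[0-9]{1,18}$")          # bounded length: int() of huge strings is also a failure mode
LANG_CODE = re.compile(r"^[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]{2,8})*$")  # e.g. cs, pt_BR, zh_Hant


@dataclass
class ValidationResult:
    ok: bool
    values: dict = field(default_factory=dict)
    errors: dict = field(default_factory=dict)


def naive_parse(params):
    """The fragile version: each line raises on scanner-style input and becomes a 500."""
    return {
        "page": int(params.get("page", "1")),      # ValueError on "abc"
        "lang": params["lang"],                     # KeyError when the parameter is missing
        "q": params.get("q", "").encode("utf-8"),   # UnicodeEncodeError on lone surrogates
    }


def parse_query(params):
    """Validate each parameter independently and collect every problem found."""
    result = ValidationResult(ok=True)

    # page: a bounded positive integer written in ASCII digits only
    raw_page = params.get("page", "1")
    if not isinstance(raw_page, str) or not DIGITS.match(raw_page):
        result.errors["page"] = "must be a positive integer"
    else:
        page = int(raw_page)
        if page < 1 or page > MAX_PAGE:
            result.errors["page"] = f"must be between 1 and {MAX_PAGE}"
        else:
            result.values["page"] = page

    # lang: required, restricted to a language-code alphabet (no path separators, no markup)
    raw_lang = params.get("lang")
    if not isinstance(raw_lang, str) or not LANG_CODE.match(raw_lang):
        result.errors["lang"] = "missing or malformed language code"
    else:
        result.values["lang"] = raw_lang

    # q: optional free text; reject unencodable data, excessive length and control characters
    raw_q = params.get("q", "")
    if not isinstance(raw_q, str):
        result.errors["q"] = "must be a string"
    else:
        try:
            raw_q.encode("utf-8")
        except UnicodeEncodeError:
            result.errors["q"] = "not valid Unicode"
        else:
            if len(raw_q) > MAX_SEARCH_LEN:
                result.errors["q"] = f"longer than {MAX_SEARCH_LEN} characters"
            elif any(ord(c) < 32 for c in raw_q):
                result.errors["q"] = "control characters are not allowed"
            else:
                result.values["q"] = raw_q

    result.ok = not result.errors
    return result


def handle_request(params):
    """Map the validation outcome to an HTTP-style (status, body) pair: 200 or 400, never 500."""
    res = parse_query(params)
    if res.ok:
        return 200, res.values
    return 400, {"errors": res.errors}


if __name__ == "__main__":
    # Constructed scanner-style inputs
    for sample in (
        {"page": "2", "lang": "cs", "q": "hello"},
        {"page": "abc", "lang": "cs"},
        {"page": "1", "lang": "../../etc/passwd"},
        {"page": "0", "lang": "cs", "q": "a\x00b"},
    ):
        print(sample, "->", handle_request(sample))
```

The point of collecting all errors instead of failing on the first one is that a single scanner request with several bad parameters produces one clear 400 response, and the error tracker stays reserved for genuine bugs rather than filling up with expected validation failures.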

Most of the related fixes have landed in Weblate 2.14 and 2.15, but obviously this is an ongoing effort to make Weblate better with every release.

Weekly phpMyAdmin contributions 2017-W28

Last week was quite busy, and that can be seen from the number of issues. Some of them are coming from our error reporting server, where I've focused on the most frequently occurring ones for the last releases. There are still about 30000 reports to handle there.

There were several fixes to our SQL parser as well; apparently it's already being used by some other tools, for example by php-sqllint, so we're getting more bug reports :-).

Handled issues:

Weekly phpMyAdmin contributions 2017-W26

Last week was really about solving bugs and pull requests. I've managed to go through many of the long pending pull requests, and most of them were merged, either directly or with additional fixes.

I always feel bad when it takes too long to merge a pull request, but most of them were actually waiting for some fixes which didn't arrive, and I had to fix them on my own. This is often what happens to GSoC students' pull requests once they realize they were not accepted in the end...

Handled issues: