Developing security patches

This document outlines the process for fixing security bugs, for developers who are not normally involved in the process.

If you're trying to deploy or release fixes for a security issue, you probably want:
 * How to deploy code - The canonical reference for deploying security patches on the WMF cluster
 * How to perform security fixes - A slightly dated guide to the WMF's deployment and release process

If you've found a security issue and are developing a patch, read on. This assumes that a task has been created in Phabricator.

1. Make sure steps to reproduce the issue are documented in Phabricator, and ensure you can duplicate the issue in your local development environment.

2. Fix the issue on the master branch of the appropriate repo.

3. Ensure existing unit tests pass, and when possible, add unit tests that specifically test for the security issue.

4. Create a local patch file; do not push it to Gerrit for review!
 * Prefix your commit message with "SECURITY:" (not "[SECURITY]", "Security", or the task number). This helps deployers quickly see which security patches have been applied on WMF's deployment server.
 * Create the patch with `git format-patch --stdout HEAD~1 > T12345.patch`, where "T12345" is the Phabricator task number. The patches are put in a single location on WMF's deployment server prior to release, so putting the task id in the filename lets other users quickly look up the history of the patch.
 * If the patch applies to only one branch, add the branch name to the filename, e.g., T12345-wfm8.patch (or T12345-REL1_24.patch for backports).

5. Attach the patch to the Phabricator task. Either:
 * Drag-and-drop the patch into the comment section of the task, or
 * Go to https://phabricator.wikimedia.org/file/upload/, select your patch to upload, and select 'No One' from the 'Visible To' drop-down. Link to the uploaded file on the Phabricator task.
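Before attaching the file in step 5, it is worth checking that the patch follows the conventions from step 4 (the "SECURITY:" subject prefix, the T-number filename, a real `git format-patch` diff). The script below is an added example written for this page, not part of the original document or of WMF tooling; the function names and the sample patches it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: a pre-flight check that a patch
# file follows the naming and commit-message conventions above. The function
# names and the sample patches below are constructed for illustration.
# check_security_patch FILE: returns 0 if FILE follows the conventions,
# otherwise prints one line per problem found and returns 1.
check_security_patch() {
    file=$1
    name=$(basename "$file")
    rc=0
    # Filename: task id, optional branch suffix, .patch (e.g. T12345-REL1_24.patch)
    if ! printf '%s\n' "$name" | grep -Eq '^T[0-9]+(-[A-Za-z0-9_.]+)?\.patch$'; then
        echo "bad filename: $name (expected T<task>[-branch].patch)"; rc=1
    fi
    # git format-patch writes "Subject: [PATCH] <message>"; the message
    # itself must start with "SECURITY:" so deployers can spot it.
    subject=$(sed -n '/^Subject:/{s/^Subject: *\[PATCH[^]]*] *//;s/^Subject: *//;p;q;}' "$file")
    case $subject in
        SECURITY:*) ;;
        *) echo "bad subject: '$subject' (must start with 'SECURITY:')"; rc=1 ;;
    esac
    # A file produced by git format-patch carries an actual diff
    if ! grep -q '^diff --git ' "$file"; then
        echo "no diff in $name (was it made with git format-patch?)"; rc=1
    fi
    return $rc
}

# write_sample_patch FILE SUBJECT: writes a minimal, constructed
# format-patch-style file so the check can be exercised offline.
write_sample_patch() {
    cat > "$1" <<EOF
From: Example Dev <dev@example.org>
Subject: [PATCH] $2

---
diff --git a/includes/Example.php b/includes/Example.php
@@ -1 +1 @@
-old line
+new line
EOF
}
# Demo: one compliant and one non-compliant constructed sample
tmp=$(mktemp -d)
write_sample_patch "$tmp/T12345-REL1_24.patch" "SECURITY: Escape output in Example"
write_sample_patch "$tmp/fix.patch" "Fix output escaping in Example"
check_security_patch "$tmp/T12345-REL1_24.patch" && echo "ok: T12345-REL1_24.patch"
check_security_patch "$tmp/fix.patch" || echo "rejected: fix.patch"
rm -rf "$tmp"
```

Run it as `sh check_patch.sh`; the demo accepts the first sample and rejects the second for both its filename and its subject line.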