Developing security patches

Jump to navigation Jump to search

This document outlines the process of developing a fix for security bugs. This is primarily for developers who are not often involved in the process, highlighting the differences between patches for security issues vs other bugs.

If you're trying to deploy or release fixes for a security issue, you probably want:

Creating a Security Patch[edit]

If you've found a security issue and are developing a patch, read on. This assumes that a task has been created in Phabricator.

  1. Ensure you can duplicate the issue in your local development environment, and make sure steps to reproduce the issue are documented in Phabricator.
  2. Fix the issue on the master branch of the appropriate repo.
  3. Ensure existing unit tests pass, and when possible, add unit tests that specifically test for the security issue.
  4. Create a local patch file, do not push into Gerrit for review!
    • Prefix your commit message with "SECURITY:" (not "[SECURITY]", "Security", or the task number). This helps deployers quickly see which security patches have been applied on WMF's deployment server.
    • Create the patch with git format-patch --stdout HEAD~1 > T12345.patch. In general, the filename should begin with the Phabricator task id. The patches are put in a single directory on WMF's deployment server prior to release, so putting the Phabricator task id in the name lets other users quickly lookup the history of the patch.
      • If the patch applies to a specific deployment branch, it's generally helpful to add the branch name into the filename, e.g., T12345-wfm8.patch, or T12345-REL1_24.patch.

Upload your patch[edit]

Attach the patch to to the Phabricator task. Do not upload the patch to Gerrit. Even "draft" patchsets can be accessed by anyone. Either,

  • drag-and-drop the patch into the comment section of the task
  • Go to, select your patch to upload, and select 'No One' from the 'Visible To' drop down. Link to the uploaded file on the Phabricator task.

Reviewing security patches[edit]

Since patches are not in Gerrit for review, reviewers should add comments on patches in Phabricator. Before a patch is deployed on the WMF cluster, a qualified reviewer should comment in Phabricator that they have reviewed the patch and it is ready to be deployed (equivalent of a "+2" in Gerrit).