Closed Bug 735454 Opened 12 years ago Closed 12 years ago

Perform Security Review For AirMozilla Theme Refresh

Categories

(mozilla.org :: Security Assurance: Review Request, task)

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: bensternthal, Assigned: ygjb)

Details

(Whiteboard: [secr:yvan][target 2012-04-12])

I am not sure how much security review we need for this as we are only updating a theme. However, I wanted to add this so you were aware and could advise. If you decide we do not need a review, just close the bug. If we do need a review, I will include whomever is assigned the bug to our weekly meeting.

==A quick intro to what this app does==
We are planning a UI refresh of https://air.mozilla.org/ website.

The scope of this project is:
- Use a One Mozilla-based theme with certain Air Mozilla branding elements
- Add a simple widget that allows freeform HTML into the sidebar
- Change main page to function more like a blog... latest posts on top, more than just one post.

So we are just updating the theme and adding a standard widget. We are not using/adding any additional plugins.

==Where is the source code located?==
TBD

==Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.==
We are requesting a stage server located here: http://airmozilla.allizom.org
It is not set up yet.

==Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.==
Product: Websites
Component: air.mozilla.com
Blocks: 735436

==Will this application be collecting any personally identifiable information from users (email address, physical address, phone number, etc)?==
No

==Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.==
N/A

==Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.==
It's WordPress; I do not think we have different roles for this site.


==What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)==
We could not stream live events


==Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?==
Yes, but just standard WordPress


==This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?==
If we do decide we need a security review, it would be around the first week of April. Our drop-dead date for this project is April 20th for Moz Camp BA. We want to have this site live well before then.
QA Contact: mcoates → jstevensen
I wanted to check on this: given that this is theme work with no new plugins, do we need a sec review?
Assignee: security-assurance → yboily
Whiteboard: [pending secreview] → [secr:yvan]
Reminder on this one: can you confirm if we do/do not need a sec review, given that this is just a theme, no plugins?
Yvan... talking to Craig... since we are pushing new code (this is a sub-theme) we would like a sec review. We do think it will be a quick one.

Do the dates of 4/10 - 4/11 work for you? I will also add you to our next meeting.

Ping me or email me if you need more info/have comments.
Per our discussion, this will be completed by April 12th. Can you provide the repo for the source code?
Whiteboard: [secr:yvan] → [secr:yvan][target 2012-04-12]
Yvan, below is the SVN location:

http://svn.mozilla.org/projects/air.mozilla.com/trunk/wp-content/themes/

The theme is:

OneMozilla-Air
Yvan:

I wanted to ping you on this, we have the sec review scheduled for 4/10 - 4/12.

The code at the svn repository is relatively stable. I do not see major changes at this stage, and it's very minor stuff. I think this will be very quick for you.

Please contact me or Craig if you have any questions or concerns.
Can you confirm if this was completed yesterday? We are slated to launch on Monday and I want to be sure we are infrasec approved.

Thanks,
Ben
Blocks: 745341
Yes, this was completed.  Apologies for not updating it.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED