Page MenuHomePhabricator
Create Task
Maniphest T130384

CentralAuth doesn't check if given valid but unusable name
Closed, ResolvedPublic
Actions

Assigned To
Anomie
Authored By
Anomie
Mar 18 2016, 5:04 PM
Tags
Referenced Files
F4345953: T130384.patch
Aug 8 2016, 9:47 PM
F3657113: SECURITY: Check for valid but unusable user names (for 1.26 and earlier).patch
Mar 18 2016, 5:21 PM
F3657112: SECURITY: Check for valid but unusable user names.patch
Mar 18 2016, 5:21 PM
Subscribers
Aklapper
Bawolff
gerritbot
Malyacko

Description

CentralAuth doesn't check if the user name it was given is usable, only if it's valid.

For MediaWiki with SessionManager, this isn't too bad of a problem: MediaWiki\Session\UserInfo::newFromName does throw an exception if given an unusable name, which makes the providers throw rather than failing more gracefully. This is why {T130099} was giving a 503 error rather than failing in a more user-friendly manner.

For MediaWiki without SessionManager, though, it's a security issue: It apparently just allows the login, which is why Xqbot only recently started failing as described in T130099, instead of failing as soon as Xqt mistranslated "Redirect fixer" on translatewiki back in 2009.

Since we'll probably want to backport a fix to 1.26 and earlier, I'm going to file this as a security bug.

Details

SubjectRepoBranchLines +/-
SECURITY: Check for valid but unusable user namesmediawiki/extensions/CentralAuthREL1_23+9 -1
SECURITY: Check for valid but unusable user namesmediawiki/extensions/CentralAuthREL1_26+8 -0
SECURITY: Check for valid but unusable user namesmediawiki/extensions/CentralAuthmaster+8 -0
SECURITY: Check for valid but unusable user namesmediawiki/extensions/CentralAuthREL1_27+11 -0
SECURITY: Check for valid but unusable user namesmediawiki/extensions/CentralAuthmaster+11 -0
Customize query in gerrit

Related Objects

Event Timeline

Anomie created this task.Mar 18 2016, 5:04 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 18 2016, 5:04 PM
Krenair added projects: MediaWiki-extensions-CentralAuth, Security-Extensions.Mar 18 2016, 5:11 PM
Anomie claimed this task.Mar 18 2016, 5:19 PM
Anomie added a project: Patch-For-Review.

Patches:

  • For master/1.27:
    SECURITY: Check for valid but unusable user names.patch3 KBDownload
  • For backports:
    SECURITY: Check for valid but unusable user names (for 1.26 and earlier).patch1 KBDownload
Bawolff triaged this task as Medium priority.Mar 22 2016, 9:38 PM
Bawolff subscribed.

I'm prioritizing this as normal, since someone impersonating an internal mediawiki user is on the low end of evil things to do.

Bawolff added a parent task: T124940: MediaWiki 1.26.3 security release.Mar 29 2016, 9:54 PM
csteipp removed a parent task: T124940: MediaWiki 1.26.3 security release.Apr 19 2016, 5:10 PM
Anomie added a comment.Jul 15 2016, 3:22 PM

This seems like it contributed to T139970#2465971, apparently Echo's junk triggered on a system user and flooded the API with requests which blew up as described in the description instead of being handled more gracefully.

dpatrick added a parent task: T133070: MediaWiki 1.27.1 security release.Jul 18 2016, 7:24 PM
dpatrick mentioned this in T133070: MediaWiki 1.27.1 security release.Jul 18 2016, 11:02 PM
dpatrick subscribed.
In T130384#2134593, @Anomie wrote:

Patches:

  • For master/1.27:
    SECURITY: Check for valid but unusable user names.patch3 KBDownload
  • For backports:
    SECURITY: Check for valid but unusable user names (for 1.26 and earlier).patch1 KBDownload

Thanks for backporting. We'll test this this week, and deploy on July 25.

Bawolff moved this task from Backlog / Other to Patch pending deployment on the acl*security board.Aug 2 2016, 8:51 PM
dpatrick added a comment.EditedAug 8 2016, 9:31 PM

@Anomie b1908c5ada1e219488b12bc2e0d1ac53d19315b0 removed includes/session/CentralAuthSessionCompat.php. Can you update this patch to account for that?

dpatrick added a comment.Aug 8 2016, 9:37 PM

In other words, I'm asking you, @Anomie, to verify that the patches can be used as they are, sans the includes/session/CentralAuthSessionCompat.php portions.

dpatrick added a comment.Aug 8 2016, 9:47 PM

NM. Looks sane to me and tests fine. Here's the updated version.

T130384.patch2 KBDownload

dpatrick closed this task as Resolved.Aug 8 2016, 9:58 PM

21:57 dapatrick: Deployed patch for T130384 to wmf.13

Anomie added a comment.Aug 9 2016, 12:34 AM

Yeah, no need to patch deleted code. I'm glad you didn't need to wait for me to get back from vacation (:

demon removed a parent task: T133070: MediaWiki 1.27.1 security release.Aug 10 2016, 9:14 PM
Anomie changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 15 2016, 5:13 PM
Anomie changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko. · View Herald TranscriptAug 15 2016, 5:13 PM
ReleaseTaggerBot added a project: MW-1.28-release (WMF-deploy-2016-08-16_(1.28.0-wmf.15)).Aug 15 2016, 6:00 PM
gerritbot subscribed.Sep 21 2016, 7:58 PM

Change 304861 merged by Jforrester:
SECURITY: Check for valid but unusable user names

https://gerrit.wikimedia.org/r/304861

MarcoAurelio moved this task from Backlog to Done on the MediaWiki-extensions-CentralAuth board.Dec 15 2016, 4:16 PM
sbassett moved this task from Patch pending deployment to Done on the acl*security board.Sep 26 2019, 2:38 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Aklapper removed subscribers: dpatrick, Anomie.Oct 16 2020, 5:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL