CVE-2019-12471: Loading JS from user space where the username is not a registered account is dangerous and should be banned
Closed, Resolved (Public)

Description

If someone creates a page User:Foo/bar.js and someone else does importScript( 'User:Foo/bar.js' );, but there is no account named User:Foo, this is very dangerous as anyone can create User:Foo and take control of the script.

While it doesn't solve the problem entirely, banning loading such pages with text/javascript mime type (e.g. making http://mywiki.com/w/index.php?title=User:Foo/bar.js&action=raw&ctype=text/javascript return a 403) will discourage users from making this kind of mistake.
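The check the description proposes, as an added example in Python (not MediaWiki's own PHP code): it parses an action=raw URL, decides whether the request asks for script or style content, and answers 403 when the title is a User: subpage whose owner is not a registered account. The registered-account set, the title normalization and the URL shape are simplified assumptions; it also goes a step beyond the description with an audit helper that lists already existing script subpages whose owner account is missing.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample of the wiki's registered accounts (an assumption for this
# example; a real deployment would consult the user table).
REGISTERED_USERS = {"Alice", "Bob"}

# Content types and subpage suffixes that make a raw load executable or
# style-bearing when imported into another page.
SCRIPT_CTYPES = {"text/javascript", "text/css", "application/json"}
SCRIPT_SUFFIXES = (".js", ".css", ".json")


def normalize_title(title: str) -> str:
    """Simplified MediaWiki-style normalization: underscores become spaces,
    runs of spaces collapse, and the first letter is capitalized."""
    t = re.sub(r"[ _]+", " ", title).strip()
    return t[:1].upper() + t[1:]


def user_subpage_owner(title: str):
    """Return the owning username for 'User:Name/sub' titles, else None."""
    t = normalize_title(title)
    if not t.startswith("User:") or "/" not in t:
        return None
    return normalize_title(t[len("User:"):].split("/", 1)[0])


def is_script_load(title: str, ctype: str) -> bool:
    """True when either the requested ctype or the page suffix is script-like."""
    return ctype in SCRIPT_CTYPES or title.lower().endswith(SCRIPT_SUFFIXES)


def raw_load_status(url: str, registered_users=REGISTERED_USERS) -> int:
    """HTTP status an action=raw request should get: 403 when it asks for
    script/style content from a user subpage whose owner account does not
    exist, 200 otherwise. Requests that are not action=raw are left alone."""
    q = parse_qs(urlparse(url).query)
    title = q.get("title", [""])[0]
    action = q.get("action", [""])[0]
    ctype = q.get("ctype", [""])[0]
    if action != "raw" or not is_script_load(title, ctype):
        return 200
    owner = user_subpage_owner(title)
    return 403 if owner is not None and owner not in registered_users else 200


def orphaned_user_scripts(titles, registered_users=REGISTERED_USERS):
    """Audit helper: script/style user subpages whose owner is not a
    registered account, i.e. pages the check above would now refuse."""
    orphaned = []
    for t in titles:
        owner = user_subpage_owner(t)
        if is_script_load(t, "") and owner is not None and owner not in registered_users:
            orphaned.append(t)
    return orphaned
```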

Event Timeline

Bawolff claimed this task.
Bawolff added projects: acl*security, JavaScript.

Fixed in https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/433094/

Note, the gerrit commit references a different bug. Unfortunately that bug in the course of investigating an issue had some comments added to it containing private data. As a result it can never be made public, so I have summarized the issue on this new bug.

Change 468849 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@REL1_31] SECURITY: Disallow loading JS/CSS/Json subpages from unregistered users and log

https://gerrit.wikimedia.org/r/468849

Change 468850 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@REL1_30] SECURITY: Disallow loading JS/CSS/Json subpages from unregistered users and log

https://gerrit.wikimedia.org/r/468850

Change 468855 had a related patch set uploaded (by Brian Wolff; owner: Brian Wolff):
[mediawiki/core@REL1_27] SECURITY: Disallow loading JS/CSS/Json subpages from unregistered users and log

https://gerrit.wikimedia.org/r/468855

Change 468849 merged by jenkins-bot:
[mediawiki/core@REL1_31] SECURITY: Disallow loading JS/CSS/Json subpages from unregistered users and log

https://gerrit.wikimedia.org/r/468849

Change 468855 merged by jenkins-bot:
[mediawiki/core@REL1_27] SECURITY: Disallow loading JS/CSS/Json subpages from unregistered users and log

https://gerrit.wikimedia.org/r/468855

Change 468850 merged by jenkins-bot:
[mediawiki/core@REL1_30] SECURITY: Disallow loading JS/CSS/Json subpages from unregistered users and log

https://gerrit.wikimedia.org/r/468850

What are the conditions in which someone could create User:Foo/bar.js when there is no account for User:Foo? Wouldn't it be better to also disallow creation of these pages by anyone? Or are there valid use-cases for these pages (I can't think of anything that couldn't be better covered by mechanisms such as the sitewide files, gadgets, etc.)?

If someone's account was renamed (or possibly deleted, if using an extension that deletes accounts).

Sometimes people just create shared js files in User:Js/scriptFile.js as a shared place for scripts, which is bad and people shouldn't do it.

(I'm not opposed to refining the changes further, this change is more a starting place than a final place)

I thought renaming accounts normally also renamed all the pages in the account's userspace, but I could see how that might fail or just not happen in some cases. For account renames, I feel like MediaWiki should be reserving the old username to prevent someone coming in and registering it, even if MW itself doesn't support account renames per se, but I think this is a separate issue probably.

Legoktm renamed this task from Loading JS from user space where the username is not a registered account is dangerous and should be banned to CVE-2019-12471: Loading JS from user space where the username is not a registered account is dangerous and should be banned. Jul 6 2021, 8:05 PM