
SECURITY: Check for valid but unusable user names (for 1.26 and earlier).patch

Authored By
Anomie
Mar 18 2016, 5:20 PM
Size
1 KB
Referenced Files
None
Subscribers
None

From 0c717787704523723952cc5ec53f790e38f23a6b Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Fri, 18 Mar 2016 13:05:01 -0400
Subject: [PATCH] SECURITY: Check for valid but unusable user names
Otherwise, if a name is usable on one wiki and reserved on another in
the same SUL grouping, you can log in on the first and be logged in on
the second when you shouldn't be able to.
Bug: T130384
Change-Id: If4c0815b2629d20f979aca41bcee4e8050d2f28e
---
includes/CentralAuthHooks.php | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/includes/CentralAuthHooks.php b/includes/CentralAuthHooks.php
index a29e2e8..555e7aa 100644
--- a/includes/CentralAuthHooks.php
+++ b/includes/CentralAuthHooks.php
@@ -285,6 +285,10 @@ class CentralAuthHooks {
wfDebug( __METHOD__ . ": invalid username\n" );
return null;
}
+ if ( !User::isUsableName( $userName ) ) {
+ wfDebug( __METHOD__ . ": username $userName is not usable on this wiki" );
+ return null;
+ }
// Try the central user
$centralUser = new CentralAuthUser( $userName );
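Review bot: the debug message added in this hunk drops the trailing `\n` that the neighbouring `wfDebug( __METHOD__ . ": invalid username\n" );` call includes, so the two early-return log lines from the same function will be formatted inconsistently; suggest `wfDebug( __METHOD__ . ": username $userName is not usable on this wiki\n" );`. Returning `null` here mirrors the existing early return for an invalid name, so a name that is reserved on this wiki is now rejected the same way as a malformed one, which is the behaviour the commit message asks for.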
@@ -873,6 +877,10 @@ class CentralAuthHooks {
wfDebug( __METHOD__ . ": invalid username\n" );
return true;
}
+ if ( !User::isUsableName( $userName ) ) {
+ wfDebug( __METHOD__ . ": username $userName is not usable on this wiki" );
+ return true;
+ }
// Try the central user
// Don't use CentralAuthUser::getInstance, we don't want to cache it on failure.
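Review bot: this hunk repeats the same `User::isUsableName( $userName )` guard and near-identical message as the first hunk, and again omits the trailing `\n` that the adjacent `": invalid username\n"` call has; add the newline and, since the validity-plus-usability check is now duplicated across two hook handlers, consider moving it into one private helper so that any later adjustment lands in both places. Returning `true` here (rather than `null`) is consistent with the existing early return in this handler, so the hook chain continues instead of being aborted.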
--
2.8.0.rc3
