SECURITY: Check for valid but unusable user names (for 1.26 and earlier).patch
Authored By: Anomie, Mar 18 2016, 5:20 PM (2016-03-18 17:20:30 UTC+0)
Size: 1 KB
From 0c717787704523723952cc5ec53f790e38f23a6b Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Fri, 18 Mar 2016 13:05:01 -0400
Subject: [PATCH] SECURITY: Check for valid but unusable user names
Otherwise, if a name is usable on one wiki and reserved on another in
the same SUL grouping, you can log in on the first and be logged in on
the second when you shouldn't be able to.
Bug: T130384
Change-Id: If4c0815b2629d20f979aca41bcee4e8050d2f28e
---
includes/CentralAuthHooks.php | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/includes/CentralAuthHooks.php b/includes/CentralAuthHooks.php
index a29e2e8..555e7aa 100644
--- a/includes/CentralAuthHooks.php
+++ b/includes/CentralAuthHooks.php
@@ -285,6 +285,10 @@ class CentralAuthHooks {
wfDebug( __METHOD__ . ": invalid username\n" );
return null;
}
+ if ( !User::isUsableName( $userName ) ) {
+ wfDebug( __METHOD__ . ": username $userName is not usable on this wiki" );
+ return null;
+ }
// Try the central user
$centralUser = new CentralAuthUser( $userName );
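Review bot: the added wfDebug() message in this hunk lacks the trailing "\n" that the adjacent `": invalid username\n"` message carries, so in the debug log it will run together with whatever is written next; suggest `": username $userName is not usable on this wiki\n"`. The placement is right: the check sits after the validity check and returns null like the existing early exit, so a name that is locally reserved (User::isUsableName applies this wiki's reserved-name rules) now fails before the CentralAuthUser lookup instead of being resolved to a central account the local wiki would never have let log in.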
@@ -873,6 +877,10 @@ class CentralAuthHooks {
wfDebug( __METHOD__ . ": invalid username\n" );
return true;
}
+ if ( !User::isUsableName( $userName ) ) {
+ wfDebug( __METHOD__ . ": username $userName is not usable on this wiki" );
+ return true;
+ }
// Try the central user
// Don't use CentralAuthUser::getInstance, we don't want to cache it on failure.
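Review bot: same missing "\n" on the wfDebug() message as in the first hunk; it should end with `\n` to match the `": invalid username\n"` line just above it. The `return true` is the correct early exit here, since it mirrors the existing invalid-username path in this hook rather than the null return used by the first hook. Since both hooks now carry the identical isValidUserName/isUsableName pair, consider moving the two checks into one shared helper so that any future change to the name rules is applied in both places at once.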
--
2.8.0.rc3
Attached To
T133070: MediaWiki 1.27.1 security release
T130384: CentralAuth doesn't check if given valid but unusable name