F62340836
T389009.patch
Tgr (Gergő Tisza)
Authored By
Tgr
Jun 15 2025, 9:00 PM
2025-06-15 21:00:57 (UTC+0)
From 0a461ba1938060ede5d85c6915d4deaf20d8e52e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20Tisza?= <tgr.huwiki@gmail.com>
Date: Sun, 23 Mar 2025 20:33:17 +0100
Subject: [PATCH] SECURITY: Do not treat autocreation as login for
reauthentication
Autocreation doesn't necessarily involve real-time user
identification; it can be based on some provider identifying the
user from a session cookie or similar low-fidelity information.
Do not restart the reauthentication timer.
Bug: T389009
Change-Id: Icfb4d0ffe71a92421e8630a92ae302cc459aa9d6
---
includes/auth/AuthManager.php | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/includes/auth/AuthManager.php b/includes/auth/AuthManager.php
index 1ec091991d9..780483b4283 100644
--- a/includes/auth/AuthManager.php
+++ b/includes/auth/AuthManager.php
@@ -1940,7 +1940,7 @@ class AuthManager implements LoggerAwareInterface {
$user->loadFromId( IDBAccessObject::READ_LATEST );
if ( $login ) {
$remember = $source === self::AUTOCREATE_SOURCE_TEMP;
- $this->setSessionDataForUser( $user, $remember );
+ $this->setSessionDataForUser( $user, $remember, false );
}
return Status::newGood()->warning( 'userexists' );
}
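Review bot: The new flag is passed as a bare positional `false` next to `$remember` at this call site and again in the hunks at 2100 and 2158, so a reader sees two anonymous booleans and cannot tell which one carries the security decision; if the project's PHP floor allows named arguments, `$this->setSessionDataForUser( $user, $remember, isReauthentication: false );` makes the intent visible at each site. The two-line pattern `$remember = $source === self::AUTOCREATE_SOURCE_TEMP;` followed by the call is duplicated verbatim in all three autocreation paths, so the reauthentication exemption now lives in three places; a small private helper that takes `$user` and `$source` would keep it in one and a future fourth autocreation path could not forget to opt out. The enclosing method starts and ends outside this hunk.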
@@ -2100,7 +2100,7 @@ class AuthManager implements LoggerAwareInterface {
] );
if ( $login ) {
$remember = $source === self::AUTOCREATE_SOURCE_TEMP;
- $this->setSessionDataForUser( $user, $remember );
+ $this->setSessionDataForUser( $user, $remember, false );
}
$status = Status::newGood()->warning( 'userexists' );
} else {
@@ -2158,7 +2158,7 @@ class AuthManager implements LoggerAwareInterface {
if ( $login ) {
$remember = $source === self::AUTOCREATE_SOURCE_TEMP;
- $this->setSessionDataForUser( $user, $remember );
+ $this->setSessionDataForUser( $user, $remember, false );
}
$retStatus = Status::newGood();
$this->logAutocreationAttempt( $retStatus, $user, $source, $login );
@@ -2851,9 +2851,11 @@ class AuthManager implements LoggerAwareInterface {
/**
* Log the user in
* @param User $user
- * @param bool|null $remember
+ * @param bool|null $remember The "remember me" flag.
+ * @param bool $isReauthentication Whether creating this session should count as a recent
+ * authentication for $wgReauthenticateTime checks.
*/
- private function setSessionDataForUser( $user, $remember = null ) {
+ private function setSessionDataForUser( $user, $remember = null, $isReauthentication = true ) {
$session = $this->request->getSession();
$delay = $session->delaySave();
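Review bot: The new `$isReauthentication` parameter is untyped, so a caller passing `null`, `0` or a string is silently coerced rather than rejected; `private function setSessionDataForUser( $user, $remember = null, bool $isReauthentication = true )` keeps the existing untyped parameters untouched while pinning the security-relevant one. The `true` default is also an opt-out design: every current and future caller that does not explicitly pass `false` is treated as a fresh credential verification, which is the unsafe direction for a flag that gates `$wgReauthenticateTime` checks; a `false` default with an explicit `true` at the credential-verified login path would fail closed. If the default must stay `true` for compatibility, the docblock should at least say `Callers that cannot vouch for a fresh credential check (autocreation, session-based identification) must pass false.` The method's body continues in the next hunk.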
@@ -2865,8 +2867,10 @@ class AuthManager implements LoggerAwareInterface {
if ( $remember !== null ) {
$session->setRememberUser( $remember );
}
- $session->set( 'AuthManager:lastAuthId', $user->getId() );
- $session->set( 'AuthManager:lastAuthTimestamp', time() );
+ if ( $isReauthentication ) {
+ $session->set( 'AuthManager:lastAuthId', $user->getId() );
+ $session->set( 'AuthManager:lastAuthTimestamp', time() );
+ }
$session->persist();
\Wikimedia\ScopedCallback::consume( $delay );
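Review bot: When `$isReauthentication` is false the session's existing `AuthManager:lastAuthId` and `AuthManager:lastAuthTimestamp` are left in place rather than cleared, so if the session previously held a different authenticated user, that user's recent-auth marker survives the autocreation login. This is only safe if every consumer of these keys compares `lastAuthId` against the current user's id before trusting the timestamp; those consumers are not visible in this hunk, so that should be confirmed, or the new `if` should get an `else` branch that removes both keys from the session (the `Session` class offers `remove()`, if I recall correctly) so a stale marker cannot be inherited. The closing of setSessionDataForUser lies outside the hunk.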
--
2.43.0
T389009: CVE-2025-6597: MediaWiki should not consider autocreation as login for the purposes of security reauthentication