Page MenuHomePhabricator
Create Task
Maniphest T119309

User::matchEditToken should use constant-time string comparison
Closed, ResolvedPublic
Actions

Assigned To
csteipp
Authored By
Tgr
Nov 21 2015, 8:12 PM
Tags
Referenced Files
F3113508: omnibus-v3-REL1_24.patch
Dec 23 2015, 11:52 PM
F3110764: omnibus-REL1_25.patch
Dec 23 2015, 11:52 PM
F3112777: omnibus-v2-REL1_23.patch
Dec 23 2015, 11:52 PM
F3110761: omnibus-master.patch
Dec 23 2015, 11:52 PM
F3105845: T119309-master.patch
Dec 15 2015, 7:55 PM
F2998570: 0001-SECURITY-Use-hash_equals-in-User-matchEditToken.patch
Nov 21 2015, 8:24 PM
Subscribers
csteipp
demon
gerritbot
Grunny
Luke081515
Platonides
Tgr

Description

User::matchEditToken ends with

if ( $val != $sessionToken ) {
	wfDebug( "User::matchEditToken: broken session data\n" );
}

return hash_equals( $sessionToken, $val );

Any benefits from using constant time comparison are lost if there is a non-constant-time comparison in the same function.

Not sure if this is really a security issue (seems impossible to exploit since you cannot time CSRF requests) but erring on the side of safety.

Patch:

0001-SECURITY-Use-hash_equals-in-User-matchEditToken.patch888 BDownload

  • 1.23 - included in
    omnibus-v2-REL1_23.patch34 KBDownload
  • 1.24 - included in
    omnibus-v3-REL1_24.patch35 KBDownload
  • 1.25 - included in
    omnibus-REL1_25.patch34 KBDownload
  • 1.26 - included in
    omnibus-master.patch18 KBDownload

type: CWE-208
CVE:

  • CVE-2015-8623 - Use hash_equals for result of User::matchEditToken (fixed in https://gerrit.wikimedia.org/r/#/c/156336, backported in security release)
  • CVE-2015-8624 - Use hash_equals for determining if we debug message should be logged

Details

SubjectRepoBranchLines +/-
Use hash_equals in User::matchEditTokenmediawiki/coreREL1_23+4 -3
Use hash_equals in User::matchEditTokenmediawiki/coremaster+1 -1
Use hash_equals in User::matchEditTokenmediawiki/coreREL1_26+1 -1
Use hash_equals in User::matchEditTokenmediawiki/coreREL1_25+1 -1
Use hash_equals in User::matchEditTokenmediawiki/coreREL1_24+4 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy".Nov 21 2015, 8:12 PM
Maniphest changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 21 2015, 8:12 PM
Tgr created this task.Nov 21 2015, 8:12 PM
Tgr updated the task description. (Show Details)
Tgr added projects: Security-Core, MediaWiki-General, acl*security.
Tgr changed Security from None to Software security bug.
Tgr edited subscribers, added: Tgr; removed: Aklapper.
Tgr updated the task description. (Show Details)Nov 21 2015, 8:24 PM
Platonides subscribed.Nov 23 2015, 11:25 PM

+2

csteipp subscribed.Nov 24 2015, 1:03 AM

Patch looks good to me too.

If anyone can get this deployed by tomorrow, we can probably get it into the next security release.

csteipp triaged this task as Low priority.Nov 24 2015, 9:35 PM
csteipp closed this task as Resolved.Nov 24 2015, 11:41 PM
csteipp claimed this task.

23:40 csteipp: deployed patch for T119309

csteipp added a parent task: T115722: MediaWiki Security release 1.25.4.Nov 24 2015, 11:43 PM
demon subscribed.Dec 15 2015, 7:55 PM

Patch applies cleanly except 1.23, here's a patch for that:

T119309-master.patch884 BDownload

demon added a subscriber: Grunny.Dec 17 2015, 1:18 AM
Grunny mentioned this in T115722: MediaWiki Security release 1.25.4.Dec 17 2015, 1:53 PM

The backport patches for this to MW 1.23 and 1.24 should also use hash_equals in the check in the return of the method as well, i.e. here: https://github.com/wikimedia/mediawiki/blob/REL1_24/includes/User.php#L3939 and https://github.com/wikimedia/mediawiki/blob/REL1_23/includes/User.php#L3814. And they should both also probably have the same done for User::matchEditTokenNoSuffix.

demon changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 18 2015, 12:39 AM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
gerritbot subscribed.Dec 18 2015, 12:40 AM

Change 259947 had a related patch set uploaded (by Chad):
Use hash_equals in User::matchEditToken

https://gerrit.wikimedia.org/r/259947

gerritbot added a project: Patch-For-Review.Dec 18 2015, 12:40 AM
gerritbot added a comment.Dec 18 2015, 1:04 AM

Change 259912 merged by Chad:
Use hash_equals in User::matchEditToken

https://gerrit.wikimedia.org/r/259912

gerritbot added a comment.Dec 18 2015, 1:30 AM

Change 259901 merged by Reedy:
Use hash_equals in User::matchEditToken

https://gerrit.wikimedia.org/r/259901

gerritbot added a comment.Dec 18 2015, 1:31 AM

Change 259936 merged by Chad:
Use hash_equals in User::matchEditToken

https://gerrit.wikimedia.org/r/259936

gerritbot added a comment.Dec 18 2015, 1:33 AM

Change 259925 merged by Reedy:
Use hash_equals in User::matchEditToken

https://gerrit.wikimedia.org/r/259925

ReleaseTaggerBot added projects: MW-1.24-release, MW-1.23-release, MW-1.26-release, MW-1.25-release.Dec 18 2015, 2:00 AM
gerritbot added a comment.Dec 18 2015, 9:00 AM

Change 259947 merged by jenkins-bot:
Use hash_equals in User::matchEditToken

https://gerrit.wikimedia.org/r/259947

ReleaseTaggerBot added projects: MW-1.27-release (WMF-deploy-2016-01-12_(1.27.0-wmf.10)), MW-1.27-release-notes.Dec 18 2015, 10:00 AM
csteipp updated the task description. (Show Details)Dec 23 2015, 11:52 PM
Restricted Application added a subscriber: Luke081515. · View Herald TranscriptDec 23 2015, 11:52 PM
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL