Page MenuHomePhabricator
Create Task
Maniphest T125177

api.log contains passwords in plaintext
Closed, ResolvedPublic
Actions

Assigned To
dpatrick
Authored By
Tgr
Jan 29 2016, 1:02 AM
Tags
Referenced Files
F4932228: 0001-SECURITY-API-Don-t-log-sensitive-parameters.patch
Dec 1 2016, 7:06 PM
F4685463: 0001-SECURITY-API-Don-t-log-sensitive-parameters.patch
Nov 1 2016, 6:14 PM
F4414552: T125177.patch
Aug 29 2016, 10:38 PM
F4374337: 0001-SECURITY-API-Don-t-log-sensitive-parameters.patch
Aug 18 2016, 5:55 PM
F3289670: T125177.patch
Jan 29 2016, 2:11 AM
F3289657: T125177.patch
Jan 29 2016, 2:04 AM
Subscribers
Aklapper
csteipp
gerritbot
Jalexander
Krenair
Nemo_bis
Reedy
Tgr

Description

Those should probably be edited out.

Details

SubjectRepoBranchLines +/-
SECURITY: API: Don't log "sensitive" parametersmediawiki/corewmf/1.29.0-wmf.19+47 -3
SECURITY: API: Don't log "sensitive" parametersmediawiki/coreREL1_27+48 -3
SECURITY: API: Don't log "sensitive" parametersmediawiki/coreREL1_28+47 -3
SECURITY: API: Don't log "sensitive" parametersmediawiki/coremaster+47 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.Jan 29 2016, 1:02 AM
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description. (Show Details)
Tgr added projects: MediaWiki-Action-API, acl*security.
Tgr changed the visibility from "Public (No Login Required)" to "Custom Policy".
Tgr changed the edit policy from "All Users" to "Custom Policy".
Tgr changed Security from None to Software security bug.
Tgr added subscribers: Tgr, Anomie.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 29 2016, 1:02 AM
Tgr added a comment.Jan 29 2016, 1:06 AM

Not really a security bug, I guess, since api.log access means shell access which would already allow people to intercept passwords, but should still be redacted.

Jalexander subscribed.Jan 29 2016, 1:19 AM
In T125177#1980550, @Tgr wrote:

Not really a security bug, I guess, since api.log access means shell access which would already allow people to intercept passwords, but should still be redacted.

eh, I'd still say security bug, while yes you could intercept them with shell access it's more difficult and in general the system is designed to try and make it as close to impossible as possible to figure out a users password. It is both relatively difficult (even most people with shell access likely don't know how to do the interception, maybe not on WMF servers but almost certainly for reusers who have a wider range of tech skills) to intercept and interception requires 'real time' (basically) compared to log entries which, more similar to the database where we hash them with a salt, can be looked at retroactively "at their leisure" and so makes it easier to target specific users and hide your access.

Krenair subscribed.Jan 29 2016, 1:27 AM
In T125177#1980550, @Tgr wrote:

Not really a security bug, I guess, since api.log access means shell access which would already allow people to intercept passwords, but should still be redacted.

You mean, deployers could still change the code to log the passwords anyway? Yes, but restricted and mw-log-readers can read logs without being able to do that.

csteipp triaged this task as High priority.Jan 29 2016, 1:31 AM
csteipp subscribed.

Definitely security bug, and I'd like us to get this fixed quickly, if possible. @Tgr, is this something you or @Anomie can get a patch for?

Tgr added a comment.EditedJan 29 2016, 2:04 AM

T125177.patch847 BDownload
covers passwords for the login and accountcreation API. Do we have anything else that could be sensitive?

Anomie added a comment.Jan 29 2016, 3:51 AM

T125177.patch847 BDownload
only handles action=login. For action=createaccount, the parameter is "password" with no prefix.

Once AuthManager comes out, passwords are likely to also be in a parameter named "retype". But the AuthenticationRequest might use any parameter name it wants, if some extension decides to do something particularly weird with it.

Tgr added a comment.EditedJan 29 2016, 5:32 AM

It looks for password and lgpassword; I "amended" it by editing the comment (probably a bad habit) and Phabricator does not send any email about that.

For AuthManager we should just redact fields with type=password.

Anomie added a comment.Jan 29 2016, 2:27 PM

The hard part there is in (1) knowing that the request is for an AuthManager-using module in the first place and then (2) actually determining the AuthenticationRequests that were involved. And asking the module itself could be problematic since things might have errored out before even getting to that point.

Anomie moved this task from Unsorted to Needs Review on the MediaWiki-Action-API board.Jan 29 2016, 2:27 PM
csteipp added a comment.Feb 4 2016, 1:08 AM

Is there an easy way to filter edit tokens here too? That's less important, but would be nice.

For centralauth tokens and OATH tokens, they expire when used, so having those logged isn't a problem.

@Anomie, for other AuthManger providers, I guess letting them append to some list of blacklisted api parameter names would be nice. I don't think we need to necessarily know that it's an authentication request in order to redact the log.

csteipp added projects: Patch-For-Review, Reading-Infrastructure-Team-Old (Don't use).May 10 2016, 10:05 PM
Tgr added a comment.Jun 10 2016, 5:22 PM

Maybe add a sensitive key to the authrequest field definition and then clients of AuthManager can decide what to do about it?

Bawolff moved this task from Backlog / Other to Patch pending review on the acl*security board.Jul 10 2016, 5:24 PM
Anomie added a comment.Aug 18 2016, 5:54 PM
In T125177#2372392, @Tgr wrote:

Maybe add a sensitive key to the authrequest field definition and then clients of AuthManager can decide what to do about it?

That's probably the thing to do.

I just now decided to do that for a different purpose (I saw T143285 and thought that that should be an error, eventually), and then I was reminded of this bug.

Anomie added a comment.Aug 18 2016, 5:55 PM

This patch applies on top of https://gerrit.wikimedia.org/r/305545

0001-SECURITY-API-Don-t-log-sensitive-parameters.patch6 KBDownload

Tgr added a comment.Aug 18 2016, 10:26 PM
In T125177#2565227, @Anomie wrote:

0001-SECURITY-API-Don-t-log-sensitive-parameters.patch6 KBDownload

CR+2

Bawolff moved this task from Patch pending review to Patch pending deployment on the acl*security board.Aug 23 2016, 8:20 PM
dpatrick subscribed.Aug 23 2016, 8:21 PM

This will be deployed on August 29th.

dpatrick added a project: Vuln-Infoleak.Aug 23 2016, 8:23 PM
dpatrick mentioned this in T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.Aug 24 2016, 6:03 PM
dpatrick added a parent task: T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.
dpatrick added a comment.Aug 29 2016, 8:57 PM
In T125177#2565227, @Anomie wrote:

This patch applies on top of https://gerrit.wikimedia.org/r/305545

@Anomie, this needs a rebase. Can you do it?

dpatrick closed this task as Resolved.EditedAug 29 2016, 10:38 PM
dpatrick claimed this task.

22:39 dapatrick: Deployed patch for T125177 to 1.28.0-wmf.16

Rebased patch was

T125177.patch6 KBDownload
.

Anomie added a comment.Nov 1 2016, 6:14 PM

Rebased for 1.29:

0001-SECURITY-API-Don-t-log-sensitive-parameters.patch6 KBDownload

Anomie added a comment.Dec 1 2016, 7:06 PM

Rebased again:

0001-SECURITY-API-Don-t-log-sensitive-parameters.patch6 KBDownload

It'd be nice if we could get this released at some point soon.

Reedy subscribed.Apr 1 2017, 9:32 PM

Hmm. So on my supporting backport of https://gerrit.wikimedia.org/r/#/c/336838/

@Tgr wrote:

Seems pointless (unless it blocks other commits from merging cleanly). All this does is break tools with insecure password practices, it seems pretty useless to do that a few weeks before the end of the support period.

If we don't merge that, we can't really put the fix for this into REL1_23... Anyone got any strong opinions either way?

For most client libraries.... Moving passwords/tokens from GET into POST (if they've not already done so for support of newer MW versions) should be trivial

Reedy changed the visibility from "Custom Policy" to "All Users".Apr 6 2017, 8:56 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".
Reedy changed the visibility from "All Users" to "Public (No Login Required)".
gerritbot subscribed.Apr 6 2017, 9:07 PM

Change 346841 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: API: Don't log "sensitive" parameters

https://gerrit.wikimedia.org/r/346841

ReleaseTaggerBot added projects: MW-1.29-release (WMF-deploy-2017-04-11_(1.29.0-wmf.20)), MW-1.29-release-notes.Apr 6 2017, 10:00 PM
gerritbot added a comment.Apr 6 2017, 10:09 PM

Change 346860 merged by jenkins-bot:
[mediawiki/core@REL1_28] SECURITY: API: Don't log "sensitive" parameters

https://gerrit.wikimedia.org/r/346860

ReleaseTaggerBot added a project: MW-1.28-release-notes.Apr 6 2017, 11:00 PM
gerritbot added a comment.Apr 6 2017, 11:05 PM

Change 346850 merged by jenkins-bot:
[mediawiki/core@REL1_27] SECURITY: API: Don't log "sensitive" parameters

https://gerrit.wikimedia.org/r/346850

ReleaseTaggerBot added a project: MW-1.27-release-notes.Apr 7 2017, 12:00 AM
gerritbot added a comment.Apr 7 2017, 5:45 PM

Change 347027 had a related patch set uploaded (by Chad; owner: Anomie):
[mediawiki/core@wmf/1.29.0-wmf.19] SECURITY: API: Don't log "sensitive" parameters

https://gerrit.wikimedia.org/r/347027

Nemo_bis subscribed.Apr 7 2017, 5:53 PM
gerritbot added a comment.Apr 7 2017, 6:14 PM

Change 347027 merged by jenkins-bot:
[mediawiki/core@wmf/1.29.0-wmf.19] SECURITY: API: Don't log "sensitive" parameters

https://gerrit.wikimedia.org/r/347027

ReleaseTaggerBot edited projects, added MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)); removed MW-1.29-release (WMF-deploy-2017-04-11_(1.29.0-wmf.20)).Apr 7 2017, 7:00 PM
Fjalapeno edited projects, added Product-Infrastructure-Team-Backlog-Deprecated; removed Reading-Infrastructure-Team-Old (Don't use).Jun 7 2017, 2:56 PM
Anomie mentioned this in T180488: api.log still contains passwords in plaintext due to a rebase error in 4d38a489.Nov 14 2017, 4:22 PM
sbassett moved this task from Patch pending deployment to Done on the acl*security board.Sep 26 2019, 2:37 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Aklapper removed subscribers: dpatrick, Anomie.Oct 16 2020, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL