
Users auto-creating accounts by logging in with single-character passwords (?) triggers exception
Closed, Declined · Public · PRODUCTION ERROR

Description

2016-02-17 00:12:50 mw1091 enwiki 1.27.0-wmf.13 exception ERROR: [31494c50] /w/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=redacted&returntoquery=redacted   PasswordError from line 2418 of /srv/mediawiki/php-1.27.0-wmf.13/includes/user/User.php: Passwords must be at least 1 character. {"exception_id":"31494c50"} 
[Exception PasswordError] (/srv/mediawiki/php-1.27.0-wmf.13/includes/user/User.php:2418) Passwords must be at least 1 character.
  #0 /srv/mediawiki/php-1.27.0-wmf.13/includes/specials/SpecialUserlogin.php(691): User->setPassword(string)
  #1 /srv/mediawiki/php-1.27.0-wmf.13/includes/specials/SpecialUserlogin.php(967): LoginForm->initUser(User, boolean)
  #2 /srv/mediawiki/php-1.27.0-wmf.13/includes/specials/SpecialUserlogin.php(789): LoginForm->attemptAutoCreate(User)
  #3 /srv/mediawiki/php-1.27.0-wmf.13/includes/specials/SpecialUserlogin.php(983): LoginForm->authenticateUserData()
  #4 /srv/mediawiki/php-1.27.0-wmf.13/includes/specials/SpecialUserlogin.php(361): LoginForm->processLogin()
  #5 /srv/mediawiki/php-1.27.0-wmf.13/includes/specialpage/SpecialPage.php(407): LoginForm->execute(NULL)
  #6 /srv/mediawiki/php-1.27.0-wmf.13/includes/specialpage/SpecialPageFactory.php(565): SpecialPage->run(NULL)
  #7 /srv/mediawiki/php-1.27.0-wmf.13/includes/MediaWiki.php(280): SpecialPageFactory::executePath(Title, RequestContext)
  #8 /srv/mediawiki/php-1.27.0-wmf.13/includes/MediaWiki.php(736): MediaWiki->performRequest()
  #9 /srv/mediawiki/php-1.27.0-wmf.13/includes/MediaWiki.php(517): MediaWiki->main()

Event Timeline

Krenair raised the priority of this task from to Needs Triage.
Krenair updated the task description.
Krenair added subscribers: Krenair, csteipp.
Krenair set Security to None.

Also similar exceptions like this:

2016-02-16 20:57:45 mw1090 enwiki 1.27.0-wmf.13 exception ERROR: [e906ea3d] /w/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=redacted&returntoquery=redacted   PasswordError from line 2418 of /srv/mediawiki/php-1.27.0-wmf.13/includes/user/User.php: Your password must be different from your username. {"exception_id":"e906ea3d"} 
[Exception PasswordError] (/srv/mediawiki/php-1.27.0-wmf.13/includes/user/User.php:2418) Your password must be different from your username.
  #0 /srv/mediawiki/php-1.27.0-wmf.13/includes/specials/SpecialUserlogin.php(691): User->setPassword(string)
  #1 /srv/mediawiki/php-1.27.0-wmf.13/includes/specials/SpecialUserlogin.php(967): LoginForm->initUser(User, boolean)
  #2 /srv/mediawiki/php-1.27.0-wmf.13/includes/specials/SpecialUserlogin.php(789): LoginForm->attemptAutoCreate(User)
  #3 /srv/mediawiki/php-1.27.0-wmf.13/includes/specials/SpecialUserlogin.php(983): LoginForm->authenticateUserData()
  #4 /srv/mediawiki/php-1.27.0-wmf.13/includes/specials/SpecialUserlogin.php(361): LoginForm->processLogin()
  #5 /srv/mediawiki/php-1.27.0-wmf.13/includes/specialpage/SpecialPage.php(407): LoginForm->execute(NULL)
  #6 /srv/mediawiki/php-1.27.0-wmf.13/includes/specialpage/SpecialPageFactory.php(565): SpecialPage->run(NULL)
  #7 /srv/mediawiki/php-1.27.0-wmf.13/includes/MediaWiki.php(280): SpecialPageFactory::executePath(Title, RequestContext)
  #8 /srv/mediawiki/php-1.27.0-wmf.13/includes/MediaWiki.php(736): MediaWiki->performRequest()
  #9 /srv/mediawiki/php-1.27.0-wmf.13/includes/MediaWiki.php(517): MediaWiki->main()

Duplicated this. Yes, we should catch that and either reject the login with an error about it, or funnel them into the password change flow.

Actually, we really shouldn't even be setting the password on the local wiki when the user is autocreated from a global account.

I would say we should fix AuthPlugin, but with AuthManager coming out soon, might be best to just wait for that. In the meantime, I think we could put up a small patch that will just set a long random password on the local wiki, since the password is validated by the AuthPlugin (CentralAuth in our case), the local wiki password hash should never be used.
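
The interim fix proposed in the comment above, sketched as a stand-alone PHP example that is added here and is not MediaWiki or CentralAuth code. `LocalUser`, `autoCreateBefore`, `autoCreateAfter` and the policy checks are hypothetical stand-ins, and the login values are constructed.

```php
<?php
// Added illustration; every class and function name here is hypothetical.

class PasswordError extends Exception {}

final class LocalUser {
    public ?string $hash = null;

    // Local password policy, standing in for the validation that threw in the traces.
    public function setPassword(string $password, string $name): void {
        if (strlen($password) < 1) {
            throw new PasswordError('Passwords must be at least 1 character.');
        }
        if (strcasecmp($password, $name) === 0) {
            throw new PasswordError('Your password must be different from your username.');
        }
        $this->hash = password_hash($password, PASSWORD_DEFAULT);
    }
}

// Before: the password typed at login is reused for the new local account, so a
// credential the external provider accepts can still fail the local policy.
function autoCreateBefore(string $name, string $submitted): LocalUser {
    $user = new LocalUser();
    $user->setPassword($submitted, $name); // PasswordError escapes to the caller
    return $user;
}

// After: the external provider validates logins, so the local hash is filled
// with a long random value that the user never knows and never needs.
function autoCreateAfter(string $name): LocalUser {
    $user = new LocalUser();
    $user->setPassword(bin2hex(random_bytes(32)), $name);
    return $user;
}

// Constructed input: assume the external provider already accepted this login.
$name = 'Example';
$submitted = 'example';
try {
    autoCreateBefore($name, $submitted);
    echo "before: account created\n";
} catch (PasswordError $e) {
    echo 'before: ', $e->getMessage(), "\n";
}
$user = autoCreateAfter($name);
echo 'after: account created; submitted password verifies against local hash: ',
    var_export(password_verify($submitted, $user->hash), true), "\n";
```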

This is probably a non-issue with AuthManager now right?

Krinkle subscribed.

Neither of these two PasswordError messages appear in Logstash for the past 30 days.

mmodell changed the subtype of this task from "Task" to "Production Error". Aug 28 2019, 11:11 PM