Page MenuHomePhabricator
Create Task
Maniphest T132874

API action=move is not rate limited
Closed, ResolvedPublic
Actions

Description

Web UI moves are rate-limited in MovePageForm::doSubmit(), which ApiMove has never used.

I note that MovePage (the utility class for moving pages) is a bit too low-level for the purpose, since it handles moving exactly one page while the rate limit should probably continue to apply to "submissions" that might move a page, its talk page, and its subpages all at once.

Filing this as "security" since it allows for bypassing rate limits.

Related Objects
Search...

StatusSubtypeAssignedTask
 Resolved demonT124940 MediaWiki 1.26.3 security release
 Resolved csteippT132874 API action=move is not rate limited

Event Timeline

Anomie created this task.Apr 17 2016, 2:36 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 17 2016, 2:36 PM
Anomie added projects: MediaWiki-Action-API, Patch-For-Review.Apr 17 2016, 2:38 PM

SECURITY: Rate limit moves via the API.patch1 KBDownload

Anomie moved this task from Unsorted to Needs Review on the MediaWiki-Action-API board.Apr 17 2016, 2:38 PM
Bawolff subscribed.Apr 17 2016, 7:22 PM
In T132874#2212852, @Anomie wrote:

SECURITY: Rate limit moves via the API.patch1 KBDownload

+1

csteipp subscribed.Apr 18 2016, 3:29 PM

Thanks @Anomie!

I'll try to get this deployed today, and included in the next release.

csteipp triaged this task as Medium priority.Apr 18 2016, 3:30 PM
csteipp added a parent task: T124940: MediaWiki 1.26.3 security release.
csteipp removed a parent task: T124940: MediaWiki 1.26.3 security release.Apr 19 2016, 5:09 PM
csteipp closed this task as Resolved.May 5 2016, 7:31 PM
csteipp claimed this task.

19:30 csteipp: deployed patch for T132874

csteipp added a parent task: T124940: MediaWiki 1.26.3 security release.May 5 2016, 7:32 PM
csteipp mentioned this in T124940: MediaWiki 1.26.3 security release.
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".May 20 2016, 5:28 PM
demon changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko. · View Herald TranscriptMay 20 2016, 5:28 PM
Base subscribed.May 20 2016, 7:33 PM

I note that MovePage (the utility class for moving pages) is a bit too low-level for the purpose, since it handles moving exactly one page while the rate limit should probably continue to apply to "submissions" that might move a page, its talk page, and its subpages all at once.

Sorry for possibly irrelevant comment, but could that mean that if the work as described is implemented, if one moves a page with like 51 subpage and his limit allows him to do just 50 moves at once, just the root and 49 subpages (if we do not have talks) will be moved and the rest would stay unmoved? If so, it's probably better to throw an error right away.

Sorry again if what I have written is a gibberish in the context.

Anomie added a comment.May 21 2016, 3:39 AM

What you refer to as "the work as described" is actually what is not being done here, for the reasons that concern you.

chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL