/me thinks it might be prudent to look at all the Special pages in Central Auth, not just that one.
Thus far, (only done Special:GlobalGroupPermissions and Special:CentralAuth as of yet), things I'm concerned about:
- buildGroupView() lines 235, 243, 244 - Group name is not escaped [low severity as it's unlikely for the attacker to have control of the group name]
- line 376 - misleading code comment
- Username in showInfo() on line 306 [Low severity, as usernames normally can't have < or > in them, but should not rely on that.]
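To illustrate the two escaping points above (group name in buildGroupView(), username in showInfo()), here is an added PHP example that is not CentralAuth code. renderGroupRow() and its unsafe twin are hypothetical helpers standing in for the special page's table output; the group and user strings are constructed inputs.

```php
<?php
// Added example, not code from the CentralAuth extension: escape untrusted
// strings at the point where they are written into HTML, once and only once.
// renderGroupRow() is a hypothetical stand-in for buildGroupView()/showInfo().

declare(strict_types=1);

/** Escape a value for use as HTML text or an attribute value. */
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Unsafe pattern: the group name and username are interpolated as-is. */
function renderGroupRowUnsafe(string $group, string $user): string {
    return "<tr><td>$group</td><td>$user</td></tr>";
}

/** Safe pattern: every untrusted value passes through esc() exactly once. */
function renderGroupRow(string $group, string $user): string {
    return '<tr><td>' . esc($group) . '</td><td>' . esc($user) . '</td></tr>';
}

/** A row that was already escaped must not be escaped again (double escaping). */
function renderRows(array $rows): string {
    $out = '';
    foreach ($rows as [$group, $user]) {
        $out .= renderGroupRow($group, $user) . "\n";
    }
    return '<table>' . "\n" . $out . '</table>';
}

// Constructed inputs: neither a group name nor a username should be assumed
// to be free of markup characters, even if current naming rules forbid them.
$group = '<i>steward</i> & co';
$user  = 'Alice "Quoted" O\'Brien';

echo renderGroupRowUnsafe($group, $user), "\n";
echo renderRows([[$group, $user], ['sysop', 'Bob']]), "\n";
```

The usable rule is the one the comment hints at: do not rely on a naming policy (no `<` or `>` in usernames) as an output-encoding control, and escape at the output boundary rather than at storage time, which is also what avoids the double-escaping mentioned later in the thread.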
Ok I've looked at all the special pages, except Special:MergeAccount. Mostly I discovered a bunch of low severity sketchy stuff that's not exploitable (Not escaping i18n messages, double escaping some things, etc).
My not really tested yet patch is:
This patch does not include the following issues:
- Special:MergeAccount (Because I haven't fully looked at the html output code of it yet, but it definitely should be carefully checked as it's gnarly)
- Also Special:MergeAccount::initSession() uses mt_rand() to generate numbers that should be cryptographically random. This is bad.
- interwiki redirection in Special:CentralAuthAutoLogin similar to T109140
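For the mt_rand() point under Special:MergeAccount::initSession(), here is an added PHP example that is not CentralAuth code. newMergeToken() and newMergeTokenWeak() are hypothetical helpers; the page does not show initSession()'s actual body, only that it uses mt_rand() for values that should be cryptographically random.

```php
<?php
// Added example, not code from the CentralAuth extension: a session/merge
// token must come from a CSPRNG, not from mt_rand(). The function names are
// hypothetical stand-ins for the value initSession() generates.

declare(strict_types=1);

/**
 * Weak: mt_rand() is a Mersenne Twister seeded from a small state; given a
 * few outputs, later outputs are predictable. Never use it for tokens.
 */
function newMergeTokenWeak(): string {
    return (string) mt_rand();
}

/**
 * Strong: random_bytes() reads from the operating system CSPRNG and throws
 * an Exception if no secure source is available instead of silently
 * falling back. 16 bytes gives a 128-bit token, rendered as 32 hex chars.
 */
function newMergeToken(int $bytes = 16): string {
    if ($bytes < 16) {
        throw new InvalidArgumentException('token must be at least 128 bits');
    }
    return bin2hex(random_bytes($bytes));
}

/** Compare a submitted token in constant time so mismatches leak no timing. */
function tokenMatches(string $expected, string $given): bool {
    return hash_equals($expected, $given);
}

$token = newMergeToken();
var_dump(strlen($token) === 32);                 // bool(true)
var_dump(tokenMatches($token, $token));          // bool(true)
var_dump(tokenMatches($token, newMergeToken())); // bool(false)
var_dump(newMergeTokenWeak());                   // predictable integer, for contrast only
```

Inside MediaWiki the same idea is what core's MWCryptRand wrapper provides (its generateHex() is the usual call); the point for review is simply that any value a user must not be able to guess, such as a merge session token, has to come from a CSPRNG and be compared with a constant-time function.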
Patch for final bit.
It is a limited open redirect which is probably enough of a real security issue that it should go through secret security patch process and not just be dumped on gerrit.
Deployed to Wikimedia:
[22:28] logmsgbot !log bawolff@tin Synchronized php-1.30.0-wmf.7/extensions/CentralAuth/includes/specials/SpecialCentralAutoLogin.php: T134931 (duration: 00m 44s)