OAuth /identify endpoint does not check whether consumer is approved
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Tgr
	Oct 19 2016, 1:35 AM

Description

Steps to reproduce (on vagrant with oauth role on):

visit oauth hello world app
authorize
disable hello world app
verify identity

Details

Subject	Repo	Branch	Lines +/-
SECURITY: check stage and user blocked/locked status in /identify	mediawiki/extensions/OAuth	wmf/1.28.0-wmf.22	+8 -1
SECURITY: check stage and user blocked/locked status in /identify	mediawiki/extensions/OAuth	master	+8 -1
SECURITY: check stage and user blocked/locked status in /identify	mediawiki/extensions/OAuth	REL1_27	+8 -1
SECURITY: check stage and user blocked/locked status in /identify	mediawiki/extensions/OAuth	REL1_26	+8 -1
SECURITY: check stage and user blocked/locked status in /identify	mediawiki/extensions/OAuth	REL1_23	+8 -1

Customize query in gerrit

Related Objects

Mentioned In: T224919: Code Stewardship Review: OAuth extension
Mentioned Here: T149194: Owner-only consumer fails when Identifying over OAuth
T129738: Blocked accounts on BlockDisablesLogin wikis aren't logged out

Event Timeline

Tgr created this task.Oct 19 2016, 1:35 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 19 2016, 1:35 AM

Tgr added a project: MediaWiki-extensions-OAuth.Oct 19 2016, 1:36 AM

Also, the API disallows actions when the user is blocked and $wgBlockDisablesLogin is on, but /identify does not.

Patch:

0001-SECURITY-check-stage-and-user-locked-status-in-ident.patch1 KBDownload

In T148600#2727551, @Tgr wrote:

Patch:
0001-SECURITY-check-stage-and-user-locked-status-in-ident.patch1 KBDownload

-					if ( !$localUser || !$localUser->isLoggedIn() ) {
+					if ( !$localUser || !$localUser->isLoggedIn() || $localUser->isLocked() ) {
 						throw new MWOAuthException( 'mwoauth-invalid-authorization-invalid-user' );

Instead of throwing 'mwoauth-invalid-authorization-invalid-user' for the added condition, it would make more sense to throw 'mwoauth-invalid-authorization-blocked-user'. Also, you're not checking the $wgBlockDisablesLogin && ->isBlocked() case.

Fixed:

0001-SECURITY-check-stage-and-user-blocked-locked-status-.patch2 KBDownload

(Blocked users should be handled in the auth layer, as in T129738, but no harm in double-checking.)

In T148600#2730214, @Tgr wrote:

Fixed:
0001-SECURITY-check-stage-and-user-blocked-locked-status-.patch2 KBDownload

Looks good, +1.

• dpatrick added a project: Vuln-Authn/Session.Oct 20 2016, 9:41 PM

@Tgr, I will can deploy this on Monday if you've not already done so.

23:07 dapatrick: Deployed patch for T148600 to wmf22

You guys can go ahead and announce and release this now.

Thanks! (And sorry for forgetting to respond. I wanted to deploy it and then got distracted.)
Let's keep it open until it's merged in master (and the task can be made public), though.

@demon do you want to make a proper security release for this? IMO it is significant enough to warrant a backport (/identify was added in 1.23 so that means 1.23, 1.26 and 1.27) but not severe enough for the whole security release process with the pre-announcement and whatnot. If the old branches will also get new releases when 1.28 is released, IMO we can just merge to master and backport and be done with it.

In T148600#2740729, @Tgr wrote:

Thanks! (And sorry for forgetting to respond. I wanted to deploy it and then got distracted.)
Let's keep it open until it's merged in master (and the task can be made public), though.

@demon do you want to make a proper security release for this? IMO it is significant enough to warrant a backport (/identify was added in 1.23 so that means 1.23, 1.26 and 1.27) but not severe enough for the whole security release process with the pre-announcement and whatnot. If the old branches will also get new releases when 1.28 is released, IMO we can just merge to master and backport and be done with it.

Since it's not bundled I say let's do that. Push to master + all supported branches and send an announcement to the usual places.

Merged as https://gerrit.wikimedia.org/r/#/c/317733/ (I probably should have made the task public first) and backported.

ReleaseTaggerBot added a project: MW-1.29-release (WMF-deploy-2016-11-01_(1.29.0-wmf.1)).Oct 25 2016, 6:00 PM

Change 318228 had a related patch set uploaded (by Gergő Tisza):
SECURITY: check stage and user blocked/locked status in /identify

https://gerrit.wikimedia.org/r/318228

gerritbot added a project: Patch-For-Review.Oct 27 2016, 12:01 AM

Change 318228 merged by jenkins-bot:
SECURITY: check stage and user blocked/locked status in /identify

https://gerrit.wikimedia.org/r/318228

ReleaseTaggerBot added a project: MW-1.28-release (WMF-deploy-2016-10-11_(1.28.0-wmf.22)).Oct 27 2016, 1:00 AM

A mistake in the patch caused T149194.

Tgr mentioned this in T224919: Code Stewardship Review: OAuth extension.Jun 10 2019, 10:05 PM

• chasemp added a project: Security.Feb 10 2020, 10:53 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:13 PM

Aklapper removed subscribers: • dpatrick, Anomie.Oct 16 2020, 5:39 PM

Zabe removed a project: Patch-For-Review.Jul 29 2021, 12:23 PM

	F4631569: 0001-SECURITY-check-stage-and-user-blocked-locked-status-.patch
	Oct 19 2016, 10:42 PM

	F4624363: 0001-SECURITY-check-stage-and-user-locked-status-in-ident.patch
	Oct 19 2016, 2:48 AM

OAuth /identify endpoint does not check whether consumer is approvedClosed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

OAuth /identify endpoint does not check whether consumer is approved
Closed, ResolvedPublic
Actions