Page MenuHomePhabricator
Create Task
Maniphest T148600

OAuth /identify endpoint does not check whether consumer is approved
Closed, ResolvedPublic
Actions

Description

Steps to reproduce (on vagrant with oauth role on):

  • visit oauth hello world app
  • authorize
  • disable hello world app
  • verify identity

Details

ProjectBranchLines +/-Subject
mediawiki/extensions/OAuthwmf/1.28.0-wmf.22+8 -1SECURITY: check stage and user blocked/locked status in /identify
mediawiki/extensions/OAuthmaster+8 -1SECURITY: check stage and user blocked/locked status in /identify
mediawiki/extensions/OAuthREL1_27+8 -1SECURITY: check stage and user blocked/locked status in /identify
mediawiki/extensions/OAuthREL1_26+8 -1SECURITY: check stage and user blocked/locked status in /identify
mediawiki/extensions/OAuthREL1_23+8 -1SECURITY: check stage and user blocked/locked status in /identify
Customize query in gerrit

Related Objects

Event Timeline

Tgr created this task.Oct 19 2016, 1:35 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 19 2016, 1:35 AM
Tgr added a project: MediaWiki-extensions-OAuth.Oct 19 2016, 1:36 AM
Tgr added a comment.Oct 19 2016, 1:42 AM

Also, the API disallows actions when the user is blocked and $wgBlockDisablesLogin is on, but /identify does not.

Tgr added a comment.Oct 19 2016, 2:48 AM

Patch:

0001-SECURITY-check-stage-and-user-locked-status-in-ident.patch1 KBDownload

Anomie added a subscriber: Anomie.Oct 19 2016, 1:58 PM
In T148600#2727551, @Tgr wrote:

Patch:

0001-SECURITY-check-stage-and-user-locked-status-in-ident.patch1 KBDownload

-					if ( !$localUser || !$localUser->isLoggedIn() ) {
+					if ( !$localUser || !$localUser->isLoggedIn() || $localUser->isLocked() ) {
 						throw new MWOAuthException( 'mwoauth-invalid-authorization-invalid-user' );

Instead of throwing 'mwoauth-invalid-authorization-invalid-user' for the added condition, it would make more sense to throw 'mwoauth-invalid-authorization-blocked-user'. Also, you're not checking the $wgBlockDisablesLogin && ->isBlocked() case.

Tgr added a comment.Oct 19 2016, 10:42 PM

Fixed:

0001-SECURITY-check-stage-and-user-blocked-locked-status-.patch2 KBDownload

(Blocked users should be handled in the auth layer, as in T129738, but no harm in double-checking.)

Anomie added a comment.Oct 20 2016, 3:17 PM
In T148600#2730214, @Tgr wrote:

Fixed:

0001-SECURITY-check-stage-and-user-blocked-locked-status-.patch2 KBDownload

Looks good, +1.

dpatrick added a project: Vuln-Authn/Session.Oct 20 2016, 9:41 PM
dpatrick added a subscriber: dpatrick.Oct 21 2016, 7:50 PM

@Tgr, I will can deploy this on Monday if you've not already done so.

dpatrick closed this task as Resolved.Oct 24 2016, 11:08 PM
dpatrick claimed this task.

23:07 dapatrick: Deployed patch for T148600 to wmf22

dpatrick added a comment.Oct 24 2016, 11:08 PM

You guys can go ahead and announce and release this now.

Tgr reopened this task as Open.Oct 25 2016, 12:16 AM
Tgr removed dpatrick as the assignee of this task.
Tgr added a subscriber: demon.

Thanks! (And sorry for forgetting to respond. I wanted to deploy it and then got distracted.)
Let's keep it open until it's merged in master (and the task can be made public), though.

@demon do you want to make a proper security release for this? IMO it is significant enough to warrant a backport (/identify was added in 1.23 so that means 1.23, 1.26 and 1.27) but not severe enough for the whole security release process with the pre-announcement and whatnot. If the old branches will also get new releases when 1.28 is released, IMO we can just merge to master and backport and be done with it.

demon added a comment.Oct 25 2016, 12:23 AM
In T148600#2740729, @Tgr wrote:

Thanks! (And sorry for forgetting to respond. I wanted to deploy it and then got distracted.)
Let's keep it open until it's merged in master (and the task can be made public), though.

@demon do you want to make a proper security release for this? IMO it is significant enough to warrant a backport (/identify was added in 1.23 so that means 1.23, 1.26 and 1.27) but not severe enough for the whole security release process with the pre-announcement and whatnot. If the old branches will also get new releases when 1.28 is released, IMO we can just merge to master and backport and be done with it.

Since it's not bundled I say let's do that. Push to master + all supported branches and send an announcement to the usual places.

Tgr closed this task as Resolved.Oct 25 2016, 1:18 AM
Tgr claimed this task.
Tgr changed the visibility from "Custom Policy" to "Public (No Login Required)".
Tgr changed Security from Software security bug to None.

Merged as https://gerrit.wikimedia.org/r/#/c/317733/ (I probably should have made the task public first) and backported.

ReleaseTaggerBot added a project: MW-1.29-release (WMF-deploy-2016-11-01_(1.29.0-wmf.1)).Oct 25 2016, 6:00 PM
gerritbot added a subscriber: gerritbot.Oct 27 2016, 12:01 AM

Change 318228 had a related patch set uploaded (by Gergő Tisza):
SECURITY: check stage and user blocked/locked status in /identify

https://gerrit.wikimedia.org/r/318228

gerritbot added a project: Patch-For-Review.Oct 27 2016, 12:01 AM
gerritbot added a comment.Oct 27 2016, 12:18 AM

Change 318228 merged by jenkins-bot:
SECURITY: check stage and user blocked/locked status in /identify

https://gerrit.wikimedia.org/r/318228

ReleaseTaggerBot added a project: MW-1.28-release (WMF-deploy-2016-10-11_(1.28.0-wmf.22)).Oct 27 2016, 1:00 AM
Tgr added a comment.Oct 27 2016, 11:13 PM

A mistake in the patch caused T149194.

Tgr mentioned this in T224919: Code Stewardship Review: OAuth extension.Jun 10 2019, 10:05 PM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:13 PM
Aklapper removed subscribers: dpatrick, Anomie.Oct 16 2020, 5:39 PM
Zabe removed a project: Patch-For-Review.Jul 29 2021, 12:23 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL