Page MenuHomePhabricator
Create Task
Maniphest T150044

"Mark all pages visited" on the watchlist does not require a CSRF token
Closed, ResolvedPublic
Actions

Description

In comparison, the https://en.wikipedia.org/w/api.php?modules=setnotificationtimestamp module which does the same thing does require a token.

Details

SubjectRepoBranchLines +/-
SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"mediawiki/corewmf/1.29.0-wmf.19+4 -0
SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"mediawiki/coremaster+4 -0
SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"mediawiki/coreREL1_27+4 -0
SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"mediawiki/coreREL1_28+4 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Legoktm created this task.Nov 4 2016, 6:04 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 4 2016, 6:04 PM
matmarex added projects: MediaWiki-Watchlist, Patch-For-Review.Nov 7 2016, 7:14 PM
matmarex subscribed.

0001-SECURITY-SpecialWatchlist-Check-CSRF-token-when-usin.patch1 KBDownload

Bawolff moved this task from Backlog / Other to Patch pending deployment on the acl*security board.Nov 7 2016, 8:43 PM
Bawolff subscribed.
In T150044#2777463, @matmarex wrote:

0001-SECURITY-SpecialWatchlist-Check-CSRF-token-when-usin.patch1 KBDownload

Reviewed. Patch looks good.

Reedy added projects: MW-1.23-release, MW-1.26-release, MW-1.27-release, MW-1.28-release.Nov 7 2016, 9:23 PM
Reedy subscribed.

This should be a trivial backport to all branches

Legoktm added a comment.Nov 7 2016, 9:56 PM

Patch looks fine from a security perspective, but maybe we should show the session failure error message if the token matching fails?

Bawolff added a parent task: T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.Nov 7 2016, 10:16 PM
matmarex added a comment.Nov 7 2016, 11:45 PM

I'm not sure if it's worth adding more ugly error messages about sessions. But that can be done later as non-security patch.

demon removed a project: MW-1.28-release.Nov 16 2016, 11:50 PM
demon subscribed.

Removing 1.28 because it doesn't block that release.

Aklapper removed a project: MW-1.26-release.Dec 14 2016, 6:38 PM
demon mentioned this in T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.Jan 24 2017, 11:40 PM
Reedy renamed this task from "Mark all pages as visited" on the watchlist does not require a CSRF token to "Mark all pages visited" on the watchlist does not require a CSRF token.Mar 20 2017, 1:59 AM
Reedy added a comment.Mar 20 2017, 2:49 AM

What do I put in T160876 for the flaw and the exploit for this one? May just be that I'm tired, and it's late, but I'm coming up blank

matmarex added a comment.Mar 20 2017, 5:44 PM

Flaw: Special:Watchlist did not check the CSRF token.

Exploit: an user B who tricked another user A into visiting their external website could mark all pages on A's watchlist as "visited", making it more difficult for them to notice changes to pages and revert vandalism.

Reedy closed this task as Resolved.Mar 30 2017, 5:58 PM
Reedy assigned this task to matmarex.

Closing for ease of tracking progress. Patches attached to parent bug, due for next release

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 6 2017, 8:56 PM
gerritbot subscribed.Apr 6 2017, 9:10 PM

Change 346842 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"

https://gerrit.wikimedia.org/r/346842

ReleaseTaggerBot added projects: MW-1.29-release-notes, MW-1.29-release (WMF-deploy-2017-04-11_(1.29.0-wmf.20)).Apr 6 2017, 10:00 PM
gerritbot added a comment.Apr 6 2017, 10:09 PM

Change 346861 merged by jenkins-bot:
[mediawiki/core@REL1_28] SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"

https://gerrit.wikimedia.org/r/346861

ReleaseTaggerBot added a project: MW-1.28-release-notes.Apr 6 2017, 11:00 PM
gerritbot added a comment.Apr 6 2017, 11:17 PM

Change 346851 merged by jenkins-bot:
[mediawiki/core@REL1_27] SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"

https://gerrit.wikimedia.org/r/346851

ReleaseTaggerBot added a project: MW-1.27-release-notes.Apr 7 2017, 12:00 AM
gerritbot added a comment.Apr 7 2017, 6:16 PM

Change 347036 had a related patch set uploaded (by Chad; owner: Bartosz Dziewoński):
[mediawiki/core@wmf/1.29.0-wmf.19] SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"

https://gerrit.wikimedia.org/r/347036

gerritbot added a comment.Apr 7 2017, 6:36 PM

Change 347036 merged by jenkins-bot:
[mediawiki/core@wmf/1.29.0-wmf.19] SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"

https://gerrit.wikimedia.org/r/347036

ReleaseTaggerBot edited projects, added MW-1.29-release (WMF-deploy-2017-04-04_(1.29.0-wmf.19)); removed MW-1.29-release (WMF-deploy-2017-04-11_(1.29.0-wmf.20)).Apr 7 2017, 7:00 PM
sbassett moved this task from Patch pending deployment to Done on the acl*security board.Sep 26 2019, 2:36 PM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:13 PM
Umherirrender merged a task: T46563: Use token for reseting the update markers on the watchlist.Aug 19 2021, 10:17 PM
Umherirrender added a subscriber: duplicatebug.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits