"Mark all pages visited" on the watchlist does not require a CSRF token
Closed, Resolved · Public

Description

In comparison, the https://en.wikipedia.org/w/api.php?modules=setnotificationtimestamp module which does the same thing does require a token.

Legoktm created this task. Nov 4 2016, 6:04 PM
Restricted Application added a subscriber: Aklapper. Nov 4 2016, 6:04 PM
matmarex added a subscriber: matmarex.

Bawolff added a subscriber: Bawolff.

Reviewed. Patch looks good.

Reedy added a subscriber: Reedy.

This should be a trivial backport to all branches

Patch looks fine from a security perspective, but maybe we should show the session failure error message if the token matching fails?

I'm not sure if it's worth adding more ugly error messages about sessions. But that can be done later as a non-security patch.

demon added a subscriber: demon.

Removing 1.28 because it doesn't block that release.

Reedy renamed this task from "Mark all pages as visited" on the watchlist does not require a CSRF token to "Mark all pages visited" on the watchlist does not require a CSRF token. Mar 20 2017, 1:59 AM
Reedy added a comment. Mar 20 2017, 2:49 AM

What do I put in T160876 for the flaw and the exploit for this one? May just be that I'm tired, and it's late, but I'm coming up blank.

Flaw: Special:Watchlist did not check the CSRF token.

Exploit: a user B who tricked another user A into visiting their external website could mark all pages on A's watchlist as "visited", making it more difficult for them to notice changes to pages and revert vandalism.
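As an added illustration, not MediaWiki's own code, a constructed Python sketch of the flaw and fix described above: a "mark all visited" handler that honours any POST riding on the session cookie, beside one that first checks a token derived from the session secret and answers with a session-failure error otherwise. `Session`, `edit_token`, `match_edit_token` and the watchlist contents are all made up for this example.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins: a watchlist maps page title -> timestamp of the first
# unseen change, or None once the user has marked the page visited.
SALT = "watchlist-markvisited"

class Session:
    """Logged-in session; the secret never leaves the server."""
    def __init__(self) -> None:
        self.secret = secrets.token_hex(16)

def edit_token(session: Session) -> str:
    """Token the server embeds in its own form; derived from the session secret."""
    return hmac.new(session.secret.encode(), SALT.encode(), hashlib.sha256).hexdigest()

def match_edit_token(session: Session, token) -> bool:
    """Constant-time check; a missing token (None) compares as the empty string."""
    return hmac.compare_digest(edit_token(session).encode(), (token or "").encode())

def mark_all_visited_vulnerable(session: Session, watchlist: dict, form: dict) -> dict:
    """Before the fix: any POST riding on the session cookie is honoured."""
    for page in watchlist:
        watchlist[page] = None
    return {"ok": True}

def mark_all_visited_fixed(session: Session, watchlist: dict, form: dict) -> dict:
    """After the fix: refuse (and change nothing) unless the token matches."""
    if not match_edit_token(session, form.get("token")):
        return {"ok": False, "error": "sessionfailure"}
    for page in watchlist:
        watchlist[page] = None
    return {"ok": True}

def demo() -> dict:
    alice = Session()
    unseen = {"Example_page": "20170320015900", "Other_page": "20170320024900"}
    forged = {"action": "markvisited"}  # cross-site POST: B cannot read A's token
    legit = {"action": "markvisited", "token": edit_token(alice)}
    before, after = dict(unseen), dict(unseen)
    mark_all_visited_vulnerable(alice, before, forged)      # forgery clears all
    refused = mark_all_visited_fixed(alice, after, forged)  # forgery rejected
    still_unseen = dict(after)
    accepted = mark_all_visited_fixed(alice, after, legit)  # real form works
    return {"vulnerable": before, "refused": refused, "still_unseen": still_unseen,
            "accepted": accepted, "fixed": after}
```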

Reedy closed this task as Resolved. Mar 30 2017, 5:58 PM
Reedy assigned this task to matmarex.

Closing for ease of tracking progress. Patches attached to parent bug, due for next release

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Apr 6 2017, 8:56 PM

Change 346842 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"

https://gerrit.wikimedia.org/r/346842

Change 346861 merged by jenkins-bot:
[mediawiki/core@REL1_28] SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"

https://gerrit.wikimedia.org/r/346861

Change 346851 merged by jenkins-bot:
[mediawiki/core@REL1_27] SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"

https://gerrit.wikimedia.org/r/346851

Change 347036 had a related patch set uploaded (by Chad; owner: Bartosz Dziewoński):
[mediawiki/core@wmf/1.29.0-wmf.19] SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"

https://gerrit.wikimedia.org/r/347036

Change 347036 merged by jenkins-bot:
[mediawiki/core@wmf/1.29.0-wmf.19] SECURITY: SpecialWatchlist: Check CSRF token when using "Mark all pages visited"

https://gerrit.wikimedia.org/r/347036