Remove capture feature from Special:PasswordReset
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Tgr
	Nov 17 2016, 5:43 AM

Description

Allows to send any user a new password but also see what it is (ie. allows access to any user account). Disabled by default and on Wikimedia wikis, but if some wiki enables it, that's a security catastrophe waiting to happen.

Details

	Subject	Repo	Branch	Lines +/-
	Remove passwordreset capture feature	mediawiki/core	master	+26 -134

Customize query in gerrit

Related Objects

Mentioned In: T17876: Allow user with a certain user right change/reset the passwords of others

Event Timeline

Tgr created this task.Nov 17 2016, 5:43 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 17 2016, 5:43 AM

I already have a patch for this in gerrit

Change 321838 had a related patch set uploaded (by Gergő Tisza):
Remove passwordreset capture feature

https://gerrit.wikimedia.org/r/321838

gerritbot added a project: Patch-For-Review.Nov 17 2016, 6:24 AM

Change 321838 merged by jenkins-bot:
Remove passwordreset capture feature

https://gerrit.wikimedia.org/r/321838

Tgr closed this task as Resolved.Nov 24 2016, 2:48 AM

Tgr assigned this task to Bawolff.

ReleaseTaggerBot added projects: MW-1.29-release-notes, MW-1.29-release (WMF-deploy-2016-11-29_(1.29.0-wmf.4)).Nov 28 2016, 12:01 AM

Tgr mentioned this in T17876: Allow user with a certain user right change/reset the passwords of others.May 15 2019, 4:51 PM

Remove capture feature from Special:PasswordResetClosed, ResolvedPublicActions

Description

Details

Related Objects

Event Timeline

Remove capture feature from Special:PasswordReset
Closed, ResolvedPublic
Actions