Page MenuHomePhabricator
Create Task
Maniphest T169545

$wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie' (CVE-2018-0503)
Closed, ResolvedPublic
Actions

Assigned To
matmarex
Authored By
matmarex
Jul 3 2017, 3:42 PM
Tags
Referenced Files
F23421768: 01-T169545-master.patch
Jul 7 2018, 5:55 PM
F23421796: 01-T169545-REL1_31.patch
Jul 7 2018, 5:55 PM
F23421769: 01-T169545-REL1_29.patch
Jul 7 2018, 5:55 PM
F23421770: 01-T169545-REL1_27.patch
Jul 7 2018, 5:55 PM
F23421797: 01-T169545-REL1_30.patch
Jul 7 2018, 5:55 PM
F8608778: 0001-Make-newbie-limit-in-wgRateLimits-really-override-us.patch
Jul 3 2017, 4:18 PM
Subscribers
aaron
Aklapper
Bawolff
Jdforrester-WMF
matmarex
mmodell
Reedy
tstarling

Description

Contrary to the documentation, $wgRateLimits entry for 'user' overrides that for 'newbie'.

For example, with the following configuration, newly registered accounts are able to edit 10 pages per hour instead of 5:

$wgRateLimits[ 'edit' ] = [
  'user' => [ 10, 60*60 ],
  'newbie' => [ 5, 60*60 ],
];

This seems to be the opposite of what documentation in DefaultSettings.php says:

'newbie' => [ x, y ], // each new autoconfirmed accounts; overrides 'user'

(although that should probably be 'non-autoconfirmed'…).

Details

SubjectRepoBranchLines +/-
SECURITY: Make 'newbie' limit in $wgRateLimits really override 'user' limitmediawiki/coremaster+5 -4
SECURITY: Make 'newbie' limit in $wgRateLimits really override 'user' limitmediawiki/coreREL1_31+5 -4
SECURITY: Make 'newbie' limit in $wgRateLimits really override 'user' limitmediawiki/coreREL1_30+5 -4
SECURITY: Make 'newbie' limit in $wgRateLimits really override 'user' limitmediawiki/coreREL1_29+5 -4
SECURITY: Make 'newbie' limit in $wgRateLimits really override 'user' limitmediawiki/coreREL1_27+5 -4
Customize query in gerrit

Related Objects
Search...

Event Timeline

matmarex created this task.Jul 3 2017, 3:42 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 3 2017, 3:42 PM
matmarex added a comment.Jul 3 2017, 3:56 PM

This affects some of the built-in rate limits too, e.g. for page moves.

Looks like the issue was introduced in 2008 by 5ac6ff8294a54bce7994b2eeb55a246609016b99 (rSVN35130), due to the changed order of operations? I'm finding this a bit hard to believe that no one noticed.

matmarex set Security to Software security bug.Jul 3 2017, 3:59 PM
matmarex added a project: acl*security.
matmarex changed the visibility from "Public (No Login Required)" to "Custom Policy".

Probably should have filed this as a security task, whoops.

matmarex added a subscriber: tstarling.Jul 3 2017, 4:04 PM
matmarex added a comment.Jul 3 2017, 4:18 PM

Proposed patch:

0001-Make-newbie-limit-in-wgRateLimits-really-override-us.patch1 KBDownload

On a more general note, configuring this would be simpler if it allowed setting a limit for the 'autoconfirmed' group, which acted the same as all the other group limits, instead of using the 'newbie' limit with this custom behavior. Currently setting a limit for 'autoconfirmed' is ignored (the code uses User::getGroups() instead of getAllGroups()).

matmarex mentioned this in T169268: Limiting thanks for new users at pl.wikipedia.Jul 3 2017, 4:38 PM
Jdforrester-WMF subscribed.Jul 3 2017, 5:53 PM
Bawolff moved this task from Backlog / Other to Patch pending deployment on the acl*security board.Jul 4 2017, 9:40 PM
Bawolff subscribed.
In T169545#3401481, @matmarex wrote:

Proposed patch:

0001-Make-newbie-limit-in-wgRateLimits-really-override-us.patch1 KBDownload

On a more general note, configuring this would be simpler if it allowed setting a limit for the 'autoconfirmed' group, which acted the same as all the other group limits, instead of using the 'newbie' limit with this custom behavior. Currently setting a limit for 'autoconfirmed' is ignored (the code uses User::getGroups() instead of getAllGroups()).

Patch looks good.

It would be nice to add unit tests for this somehow, as the logic in that method is kind of convoluted, but that's a separate issue.

Reedy subscribed.Jul 10 2017, 10:08 PM
[23:08:07] <logmsgbot> !log reedy@tin Synchronized php-1.30.0-wmf.7/includes/: (no justification provided) (duration: 01m 33s)

Deployed

Reedy lowered the priority of this task from High to Medium.Jul 10 2017, 10:08 PM
Reedy moved this task from Patch pending deployment to Pending deployment / release on the acl*security board.
Bawolff added a parent task: T181665: Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release.Nov 29 2017, 7:00 PM
mmodell subscribed.May 22 2018, 8:19 PM

Do we still need to be carrying this in production? Why hasn't this been fixed in a released version?

mmodell raised the priority of this task from Medium to High.May 22 2018, 8:19 PM
Bawolff added a comment.May 23 2018, 10:24 AM

Its waiting on next swcurity release. Hopefully in next 3 weeks maybe...

Reedy mentioned this in T181665: Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release.Jul 7 2018, 5:24 PM
Reedy closed this task as Resolved.Jul 7 2018, 5:55 PM
Reedy assigned this task to matmarex.

01-T169545-REL1_27.patch1 KBDownload

01-T169545-REL1_29.patch1 KBDownload

01-T169545-master.patch1 KBDownload

01-T169545-REL1_30.patch1 KBDownload

01-T169545-REL1_31.patch1 KBDownload

Legoktm mentioned this in T199021: Release MediaWiki 1.27.5/1.29.3/1.30.1/1.31.1.Aug 29 2018, 12:55 AM
Legoktm mentioned this in T199027: Obtain CVEs for 1.27.5/1.29.3/1.30.1/1.31.1 security releases.Aug 29 2018, 1:14 AM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 20 2018, 9:34 PM
ReleaseTaggerBot added projects: MW-1.29-release-notes, MW-1.30-release-notes, MW-1.31-release-notes, MW-1.32-notes (WMF-deploy-2018-09-25 (1.32.0-wmf.23)), MW-1.27-release-notes.Sep 20 2018, 10:00 PM
MoritzMuehlenhoff renamed this task from $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie' to $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie' (CVE-2018-0503).Sep 21 2018, 7:24 AM
sbassett moved this task from Pending deployment / release to Done on the acl*security board.Sep 26 2019, 2:30 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL