Echo Notification Mute (Block List) can be bypassed by changing username
Closed, ResolvedPublic5 Estimated Story Points
Actions

Assigned To

Authored By

	dbarratt
	Aug 16 2017, 11:35 PM

Description

The Echo Notification Mute (Block List) (introduced in T150419) can by bypassed by changing your username. This is a security issue because it is a form of access bypass: User Apples removes access of User Bananas to send notifications to User Apples. User Bananas then changes their username to User Oranges. User Oranges can now send notifications to User Apples and thereby bypass the access restriction imposed by User Apples.

This is because the block list is stored as a new line delimited list of usernames in the user_properties table. The Renameuser extension does not update the username in the preference(s).

This could be resolved by updating Renameuser to update the preference for every user. But this would be an expensive operation as it would have to go through every user and update the preference (if the username is in their list) or it would have to do a fulltext search (and exclude instances where the is part of a different username). Regardless, that is also expensive.

Alternatively, the Mute list should be updated to use the centralauth id retrieved from CentralIdLookup.

Another solution could be to use a separate table rather than a user preference. But ideally should still use a centralauth id, so perhaps that is outside of the scope of this issue.

Details

Subject	Repo	Branch	Lines +/-
updatePerUserBlacklist wfWaitForSlaves()	mediawiki/extensions/Echo	master	+1 -1
updatePerUserBlacklist wfWaitForSlaves()	mediawiki/extensions/Echo	wmf/1.31.0-wmf.2	+1 -1
Reapply "Use User Ids instead of User Names for Echo Mute""	mediawiki/extensions/Echo	wmf/1.31.0-wmf.2	+130 -5
Use main Database Connection for Maintenance Script	mediawiki/extensions/Echo	master	+2 -3
Use User Ids instead of User Names for Echo Mute	mediawiki/extensions/Echo	wmf/1.31.0-wmf.2	+131 -5
Use User Ids instead of User Names for Echo Mute	mediawiki/extensions/Echo	wmf/1.31.0-wmf.1	+131 -5
Use User Ids instead of User Names for Echo Mute	mediawiki/extensions/Echo	master	+131 -5
Fix PHPDoc Documentation	mediawiki/extensions/Echo	master	+26 -18

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Resolved	matmarex	T192147 Regression: Changes to email blacklist or muted users do not activate Save button in Preferences
Resolved	dbarratt	T173973 Preferences/Notification, Save button stays disable when editing Block list
Resolved	None	T164542 Epic: ⚡️ General user mute/block feature
Resolved	• jmatazzoni	T150419 Allow users to restrict who can send them notifications
Resolved	dmaza	T138165 Allow users to restrict which user groups that can send them direct emails via Special:EmailUser
Resolved	dbarratt	T177319 Enable Email Mute on all Wikimedia wikis
Resolved	dbarratt	T138166 Allow users to restrict who can send them direct emails via Special:EmailUser
Resolved	dbarratt	T173475 Echo Notification Mute (Block List) can be bypassed by changing username
Resolved	dbarratt	T177437 Update Echo and Run Maintenance Script

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

@MaxSem: Oh that's handy. In that case I guess there's no reason not to switch it. @dbarratt: I have no strong opinion on the storage format. The existing format was new line separated. Comma separated isn't ideal since commas are allowed in usernames so then you have to quote them as well.

T173475.patch2 KBDownload

dbarratt moved this task from In progress to Code Review on the Anti-Harassment (AHT Sprint 3) board.Aug 23 2017, 3:02 PM

@dbarratt: We'll also need a maintenance script for migrating all the existing entries in the preferences. See https://www.mediawiki.org/wiki/Manual:Maintenance_scripts and the existing maintenance scripts in Echo for examples. Usernames are not allowed to be numbers, so you should be able to assume that any non-numbers in the prefs need to be replaced with global IDs.

In T173475#3545751, @kaldari wrote:

@dbarratt: We'll also need a maintenance script for migrating all the existing entries in the preferences. See https://www.mediawiki.org/wiki/Manual:Maintenance_scripts and the existing maintenance scripts in Echo for examples. Usernames are not allowed to be numbers, so you should be able to assume that any non-numbers in the prefs need to be replaced with global IDs.

Doh! I knew that, I just completely forgot about it. :) I'll take care of it.

dbarratt moved this task from Code Review to In progress on the Anti-Harassment (AHT Sprint 3) board.Aug 23 2017, 5:16 PM

kaldari mentioned this in T138166: Allow users to restrict who can send them direct emails via Special:EmailUser.Aug 23 2017, 7:01 PM

T173475-2.patch6 KBDownload

@kaldari Should I register the schema update like this?
https://github.com/wikimedia/mediawiki-extensions-Flow/blob/master/Hooks.php#L266
or should it be left unregistered?

@dbarratt: This sounds like a script that will be run once rather than regularly, so I don't think you'll need to register it.

T173475-3.patch6 KBDownload

I discovered that sometimes it's already an array.

T173475-4.patch6 KBDownload

T173475-5.patch6 KBDownload

dbarratt added subscribers: MusikAnimal, Samwilson, Niharika.Aug 30 2017, 4:40 AM

T173475-6.patch6 KBDownload

In T173475#3566752, @dbarratt wrote:

T173475-6.patch6 KBDownload

Why is this not on gerrit...?

@Niharika because it's not public, but maybe it ought to be?

Given...

In T173475#3543501, @kaldari wrote:

Considering that less than 1 rename happens per day across all WMF wikis, this is definitely an edge case. I would favor declining.

I'm not sure how big an abuse threat this is. Not anyone can rename themselves, IIRC. It's a job for the stewards or someone to approve renames.

In T173475#3566945, @Niharika wrote:

In T173475#3566752, @dbarratt wrote:

T173475-6.patch6 KBDownload

Why is this not on gerrit...?

In T173475#3566970, @dbarratt wrote:

@Niharika because it's not public, but maybe it ought to be?

Yeah, since it's an abuse vector I'd personally prefer it be patched on the server before it goes into gerrit and becomes public but since it's a moderately difficult one (you have to ask to be globally named and have that done which is a moderately slow process and difficult to do frequently) if it's a huge pain to go through the security patch process then that's ok.

Also, given that this feature did not exist a week ago, I am not convinced that it's worth the hassles of getting this in as a security patch. We should put this on gerrit.

dbarratt removed a project: acl*security.Aug 30 2017, 7:19 PM

dbarratt changed the visibility from "Custom Policy" to "Public (No Login Required)".

Restricted Application added a project: acl*security. · View Herald TranscriptAug 30 2017, 7:19 PM

Making Public Per @Niharika

Change 374871 had a related patch set uploaded (by Dbarratt; owner: Dbarratt):
[mediawiki/extensions/Echo@master] Use User Ids instead of User Names for Echo Mute

https://gerrit.wikimedia.org/r/374871

gerritbot added a project: Patch-For-Review.Aug 30 2017, 7:20 PM

dbarratt moved this task from AHT Sprint 3 to AHT Sprint 4 on the Anti-Harassment board.Aug 31 2017, 4:06 PM

dbarratt edited projects, added Anti-Harassment (AHT Sprint 4); removed Anti-Harassment (AHT Sprint 3).

dbarratt moved this task from Ready to Code Review on the Anti-Harassment (AHT Sprint 4) board.

Need to wait for T138166: Allow users to restrict who can send them direct emails via Special:EmailUser to use new method in CentralIdLookup

dbarratt moved this task from Code Review to In progress on the Anti-Harassment (AHT Sprint 4) board.Sep 1 2017, 5:06 PM

• TBolliger moved this task from AHT Sprint 4 to AHT Sprint 5 on the Anti-Harassment board.Sep 12 2017, 6:37 PM

• TBolliger edited projects, added Anti-Harassment (AHT Sprint 5); removed Anti-Harassment (AHT Sprint 4).

dbarratt changed the task status from Stalled to Open.Sep 14 2017, 8:36 AM

dbarratt moved this task from Ready to Code Review on the Anti-Harassment (AHT Sprint 5) board.

• TBolliger moved this task from AHT Sprint 5 to AHT Sprint 6 on the Anti-Harassment board.Sep 27 2017, 6:25 PM

• TBolliger edited projects, added Anti-Harassment (AHT Sprint 6); removed Anti-Harassment (AHT Sprint 5).

dbarratt moved this task from Ready to Code Review on the Anti-Harassment (AHT Sprint 6) board.Sep 27 2017, 6:36 PM

Change 381890 had a related patch set uploaded (by Dbarratt; owner: Dbarratt):
[mediawiki/extensions/Echo@master] Fix PHPDoc Documentation

https://gerrit.wikimedia.org/r/381890

In T173475#3652510, @gerritbot wrote:

Change 381890 had a related patch set uploaded (by Dbarratt; owner: Dbarratt):
[mediawiki/extensions/Echo@master] Fix PHPDoc Documentation

https://gerrit.wikimedia.org/r/381890

@MaxSem Here's a patch with only the documentation fixes. Once that is merged then I'll rebase the main patch which will fix the tests. :)

Change 381890 merged by jenkins-bot:
[mediawiki/extensions/Echo@master] Fix PHPDoc Documentation

https://gerrit.wikimedia.org/r/381890

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2017-10-03 (1.31.0-wmf.2)).Oct 3 2017, 12:02 AM

dmaza moved this task from Code Review to Done on the Anti-Harassment (AHT Sprint 6) board.Oct 3 2017, 3:25 PM

Here's the feature patch that needs to be reviewed/merged:
https://gerrit.wikimedia.org/r/#/c/374871/

dbarratt moved this task from Done to Code Review on the Anti-Harassment (AHT Sprint 6) board.Oct 3 2017, 6:04 PM

• TBolliger mentioned this in T177319: Enable Email Mute on all Wikimedia wikis.Oct 3 2017, 7:01 PM

@kaldari or @MaxSem
How do we have this script run on deployment?

In T173475#3655116, @dbarratt wrote:

@kaldari or @MaxSem
How do we have this script run on deployment?

You ask the deployer to run it for you. Or poke MaxSem to run it. He has a special bond with maintenance scripts.

Change 374871 merged by jenkins-bot:
[mediawiki/extensions/Echo@master] Use User Ids instead of User Names for Echo Mute

https://gerrit.wikimedia.org/r/374871

In T173475#3655145, @Niharika wrote:

You ask the deployer to run it for you. Or poke MaxSem to run it. He has a special bond with maintenance scripts.

but wont this go out with the weekly train? How do I find out who the deployer is?

ReleaseTaggerBot edited projects, added MW-1.31-release-notes (WMF-deploy-2017-10-10 (1.31.0-wmf.3)); removed MW-1.31-release-notes (WMF-deploy-2017-10-03 (1.31.0-wmf.2)).Oct 3 2017, 10:01 PM

dbarratt closed this task as Resolved.Oct 4 2017, 12:36 PM

dbarratt moved this task from Code Review to Done on the Anti-Harassment (AHT Sprint 6) board.

In T173475#3655281, @dbarratt wrote:

In T173475#3655145, @Niharika wrote:

You ask the deployer to run it for you. Or poke MaxSem to run it. He has a special bond with maintenance scripts.

but wont this go out with the weekly train? How do I find out who the deployer is?

Ah, I imagined you'd SWAT this. The train left before your change was merged this week so you should SWAT it and ask the deployer to run it for you. Otherwise this change won't be live on wikis until Thursday next week.

dbarratt mentioned this in T177437: Update Echo and Run Maintenance Script.Oct 4 2017, 7:18 PM

dbarratt added a subtask: T177437: Update Echo and Run Maintenance Script.

@dbarratt: There's basically two different ways to do this:

SWAT deployment: You schedule the deployment in a SWAT window and once the code is deployed, you ask the deployer to run it for you.
Riding the train: The maintenance script rides the deployment train and ends up on all the wikis a week after merging. Then you, or someone with access to terbium, runs the maintenance script.

If you want to run the maintenance script yourself, there are instructions on wikitech, although they don't seem to mention foreachwiki <command> which is basically a shortcut for mwscriptwikiset <command> all.dblist.

Added documentation for foreachwiki :)

Change 382508 had a related patch set uploaded (by Thcipriani; owner: Dbarratt):
[mediawiki/extensions/Echo@wmf/1.31.0-wmf.2] Use User Ids instead of User Names for Echo Mute

https://gerrit.wikimedia.org/r/382508

Change 382511 had a related patch set uploaded (by Thcipriani; owner: Dbarratt):
[mediawiki/extensions/Echo@wmf/1.31.0-wmf.1] Use User Ids instead of User Names for Echo Mute

https://gerrit.wikimedia.org/r/382511

Change 382508 merged by jenkins-bot:
[mediawiki/extensions/Echo@wmf/1.31.0-wmf.2] Use User Ids instead of User Names for Echo Mute

https://gerrit.wikimedia.org/r/382508

Change 382511 merged by jenkins-bot:
[mediawiki/extensions/Echo@wmf/1.31.0-wmf.1] Use User Ids instead of User Names for Echo Mute

https://gerrit.wikimedia.org/r/382511

Mentioned in SAL (#wikimedia-operations) [2017-10-05T18:58:44Z] <thcipriani@tin> Synchronized php-1.31.0-wmf.2/extensions/Echo: SWAT: [[gerrit:382508|Use User Ids instead of User Names for Echo Mute]] T173475 (duration: 00m 56s)

ReleaseTaggerBot edited projects, added MW-1.31-release-notes (WMF-deploy-2017-09-26 (1.31.0-wmf.1)); removed MW-1.31-release-notes (WMF-deploy-2017-10-10 (1.31.0-wmf.3)).Oct 5 2017, 7:01 PM

Mentioned in SAL (#wikimedia-operations) [2017-10-05T19:05:14Z] <thcipriani@tin> Synchronized php-1.31.0-wmf.1/extensions/Echo: SWAT: [[gerrit:382511|Use User Ids instead of User Names for Echo Mute]] T173475 (duration: 00m 55s)

dbarratt reopened this task as Open.Oct 5 2017, 8:31 PM

dbarratt moved this task from Done to In progress on the Anti-Harassment (AHT Sprint 6) board.

Change 382561 had a related patch set uploaded (by Dbarratt; owner: Dbarratt):
[mediawiki/extensions/Echo@master] Use main Database Connection for Maintenance Script

https://gerrit.wikimedia.org/r/382561

Change 382561 merged by jenkins-bot:
[mediawiki/extensions/Echo@master] Use main Database Connection for Maintenance Script

https://gerrit.wikimedia.org/r/382561

ReleaseTaggerBot edited projects, added MW-1.31-release-notes (WMF-deploy-2017-10-10 (1.31.0-wmf.3)); removed MW-1.31-release-notes (WMF-deploy-2017-09-26 (1.31.0-wmf.1)).Oct 5 2017, 10:00 PM

dbarratt closed this task as Resolved.Oct 6 2017, 3:31 AM

dbarratt moved this task from In progress to Done on the Anti-Harassment (AHT Sprint 6) board.

Change 383173 had a related patch set uploaded (by Hashar; owner: Hashar):
[mediawiki/extensions/Echo@wmf/1.31.0-wmf.2] Reapply "Use User Ids instead of User Names for Echo Mute""

https://gerrit.wikimedia.org/r/383173

Change 383173 merged by jenkins-bot:
[mediawiki/extensions/Echo@wmf/1.31.0-wmf.2] Reapply "Use User Ids instead of User Names for Echo Mute""

https://gerrit.wikimedia.org/r/383173

Mentioned in SAL (#wikimedia-operations) [2017-10-09T19:17:52Z] <hashar@tin> Synchronized php-1.31.0-wmf.2/extensions/Echo: Reapply "Use User Ids instead of User Names for Echo Mute"" - T173475 (duration: 00m 52s)

Change 383182 had a related patch set uploaded (by Hashar; owner: Hashar):
[mediawiki/extensions/Echo@wmf/1.31.0-wmf.2] updatePerUserBlacklist wfWaitForSlaves()

https://gerrit.wikimedia.org/r/383182

The updatePerUserBlacklist script required a live hack. I did a commit for the wmf branch but that needs to be ported to the master branch https://gerrit.wikimedia.org/r/383182 updatePerUserBlacklist wfWaitForSlaves()

Mentioned in SAL (#wikimedia-operations) [2017-10-09T19:50:42Z] <hashar@tin> Synchronized php-1.31.0-wmf.2/extensions/Echo/maintenance/updatePerUserBlacklist.php: Sync a live hack in Echo updatePerUserBlacklist https://gerrit.wikimedia.org/r/#/c/383182/ - T173475 (duration: 00m 47s)

Change 383182 merged by jenkins-bot:
[mediawiki/extensions/Echo@wmf/1.31.0-wmf.2] updatePerUserBlacklist wfWaitForSlaves()

https://gerrit.wikimedia.org/r/383182

Change 383183 had a related patch set uploaded (by Dbarratt; owner: Hashar):
[mediawiki/extensions/Echo@master] updatePerUserBlacklist wfWaitForSlaves()

https://gerrit.wikimedia.org/r/383183

dbarratt moved this task from Done to Code Review on the Anti-Harassment (AHT Sprint 6) board.Oct 9 2017, 7:53 PM

dbarratt closed subtask T177437: Update Echo and Run Maintenance Script as Resolved.Oct 9 2017, 7:56 PM

ReleaseTaggerBot edited projects, added MW-1.31-release-notes (WMF-deploy-2017-10-03 (1.31.0-wmf.2)); removed MW-1.31-release-notes (WMF-deploy-2017-10-10 (1.31.0-wmf.3)).Oct 9 2017, 8:00 PM

In T173475#3670451, @hashar wrote:

The updatePerUserBlacklist script required a live hack. I did a commit for the wmf branch but that needs to be ported to the master branch https://gerrit.wikimedia.org/r/383182 updatePerUserBlacklist wfWaitForSlaves()

Tracked by T177437 and the live hack patch is proposed to master branch. The script ran fine once applied :)

dbarratt moved this task from Code Review to Done on the Anti-Harassment (AHT Sprint 6) board.Oct 9 2017, 8:15 PM

Change 383183 merged by jenkins-bot:
[mediawiki/extensions/Echo@master] updatePerUserBlacklist wfWaitForSlaves()

https://gerrit.wikimedia.org/r/383183

dbarratt mentioned this in T178512: Prevent Echo Notification Blacklist is storing Zeros in the database.Oct 18 2017, 4:27 PM

• chasemp added a project: Security.Feb 10 2020, 10:58 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM

	F9227023: T173475-6.patch
	Aug 30 2017, 4:50 PM

	F9205105: T173475-5.patch
	Aug 29 2017, 2:56 PM

	F9194843: T173475-4.patch
	Aug 28 2017, 3:56 PM

	F9173537: T173475-3.patch
	Aug 25 2017, 1:32 PM

Echo Notification Mute (Block List) can be bypassed by changing usernameClosed, ResolvedPublic5 Estimated Story PointsActions

Description

Details

Related ObjectsSearch...

Event Timeline

Echo Notification Mute (Block List) can be bypassed by changing username
Closed, ResolvedPublic5 Estimated Story Points
Actions

Related Objects
Search...