The code in HTMLUserTextField, as used on Special:Block, would incorrectly check IP ranges (if it worked)
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	matmarex
	Oct 3 2017, 7:37 PM

Description

The code in HTMLUserTextField, as used on Special:Block, would incorrectly check IP ranges (if it worked). This is a regression from https://gerrit.wikimedia.org/r/#/c/233762/ (rMWb73c0c4d3fc9: Enable IP ranges in HTMLUserTextField) + https://gerrit.wikimedia.org/r/#/c/218281/ (rMWd56758e13435: SpecialBlock: Switch to OOUI form).

In a rare case of three wrongs making a right, several separate issues cancel each other out so the page is not broken in practice currently.

SpecialBlock does not pass the 'iprangelimits' parameter in HTMLForm descriptor for the 'Target' field. This means that hardcoded value of [ 'IPv4' => '16', 'IPv6' => '32' ] is used instead of $wgBlockCIDRLimit, defined as [ 'IPv4' => 16, 'IPv6' => 19 ]. This would prevent blocks of IPv6 ranges smaller than /19 but greater than /32, which should be allowed.
The condition in HTMLUserTextField that checks the range limits (lines 44-49) does not work with the parameters that SpecialBlock uses. Specifically, if 'exists' => false is given (this is the default), all the other checks (e.g. for IP range) are skipped. I'm not sure what this should be, but it is definitely wrong. It should probably be split into a few different checks.
The code in SpecialBlock::validateTarget() (Block::TYPE_RANGE case) is currently correct, but it is a duplicate of HTMLUserTextField::isValidIPRange() and should be removed once the above issues are both fixed.

Details

	Project	Branch	Lines +/-	Subject
	mediawiki/core	master	+113 -24	HTMLUserTextField: Fix validation

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Resolved	Urbanecm	T250737 Special:Block should not play the role of a central blocking service/utility
Resolved	matmarex	T177329 The code in HTMLUserTextField, as used on Special:Block, would incorrectly check IP ranges (if it worked)
Resolved	Urbanecm	T263189 Move SpecialBlock::validateTarget to a BlockUtils service
Resolved	DannyS712	T263249 Move AbstractBlock::parseTarget to the BlockUtils service

Event Timeline

matmarex created this task.Oct 3 2017, 7:37 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 3 2017, 7:37 PM

@Ladsgroup Can you look into this?

Jdforrester-WMF added a subscriber: Jdforrester-WMF.Oct 3 2017, 7:39 PM

SamanthaNguyen added a subscriber: SamanthaNguyen.Oct 7 2017, 5:13 AM

Tchanders mentioned this in T250737: Special:Block should not play the role of a central blocking service/utility.Apr 20 2020, 6:30 PM

Tchanders added a parent task: T250737: Special:Block should not play the role of a central blocking service/utility.Apr 21 2020, 1:58 PM

Tchanders added a subscriber: Tchanders.May 7 2020, 6:29 PM

Hmm... Should this code be primarily in HTMLUserTextField? BlockUser would also need to validate block targets, but that's a service - I don't think services should call HTMLUserTextField. So, what about creating a service, conceptually similar to BlockPermissionChecker?

Urbanecm added a project: User-Urbanecm.Sep 17 2020, 5:19 PM

Urbanecm moved this task from Backlog to Analytics/Under discussion on the User-Urbanecm board.Sep 17 2020, 5:22 PM

DannyS712 added a subscriber: DannyS712.Sep 17 2020, 5:25 PM

Urbanecm closed subtask T263189: Move SpecialBlock::validateTarget to a BlockUtils service as Resolved.Oct 6 2020, 9:25 PM

Change 813727 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/core@master] HTMLUserTextField: Fix validation

https://gerrit.wikimedia.org/r/813727

gerritbot added a project: Patch-For-Review.Jul 14 2022, 1:15 AM

matmarex mentioned this in T309894: CVE-2022-41765: HTMLUserTextField exposes existence of hidden users.Jul 14 2022, 1:22 AM

matmarex claimed this task.Jul 14 2022, 1:25 AM

Change 813727 merged by jenkins-bot:

[mediawiki/core@master] HTMLUserTextField: Fix validation