|Resolved||Reedy||T233494 Release MediaWiki 1.31.6/1.32.6/1.33.2/1.34.0|
|Resolved||Reedy||T233495 Tracking bug for MediaWiki 1.31.6/1.32.6/1.33.2/1.34.0 security release|
SpecialUserLogin extends LoginSignupSpecialPage... SpecialPasswordReset extends FormSpecialPage
LoginSignupSpecialPage calls OutputPage::disallowUserJs... SpecialPasswordReset and FormSpecialPage don't.
@Ladsgroup - patch above still applies to MW 1.35. I'm personally fine with this as a stop-gap measure or even if it becomes more of a permanent mitigation. Though I'm not really sure there's a demonstrated security issue here. Yes, certain user css/js can do unintentional or bad things on wiki pages where it's run, but that's a fundamental part of such functionality existing in the first place. Anyhow, I'm happy to deploy this as a core security patch and backport it to supported release branches, though IMO, it might barely meet the security patch threshold.
So the biggest part of the problem is that people can steal others' email addresses that is considered private data. It's not as bad as stealing their passwords (that's what I initially thought, it's PasswordReset) but I realized it's email address only. I tested it locally and it works.
[[ https://codesearch.wmflabs.org/core/?q=disallowUserJs%5C(%5C)&i=nope&files=&repos= | Most other specials seem to call it in execute() ]] though SpecialPasswordReset.php doesn't call execute() right now. I'm not sure there's anything wrong with calling disallowUserJs() within the constructor, though I'm sure that could be modified to look more like what is done in SpecialChangeEmail for consistency's sake. Anyhow, whatever you want to do, I'd like to try to deploy this during the security deployment window this Monday, if possible.
Deployed to wmf.5 and wmf.8. Tested on enwiki and all looks good to me and nothing bad happening in logstash:FatalMonitor. I'm going to resolve for now and make public. I don't think this merits a CVE (it's really more code-hardening IMO) but backports to supported release branches could certainly happen.