Page MenuHomePhabricator
Create Task
Maniphest T192134

Personal and site-wide CSS and JavaScript is loaded on Special:PasswordReset
Closed, ResolvedPublic
Actions

Assigned To
Ladsgroup
Authored By
Nirmos
Apr 13 2018, 5:56 AM
Tags
Referenced Files
F31462082: 0001-Security-Do-not-allow-user-scripts-on-Special-Passwo.patch
Dec 7 2019, 10:39 PM
F22263525: 0001-Do-not-allow-user-scripts-on-Special-PasswordReset.patch
Jun 15 2018, 5:22 PM
Subscribers
Aklapper
Bawolff
Ladsgroup
Nirmos
Reedy
sbassett

Description

Personal and site-wide CSS and JavaScript is loaded on Special:PasswordReset. Is this not a security issue?

Details

SubjectRepoBranchLines +/-
SECURITY: Do not allow user scripts on Special:PasswordResetmediawiki/coremaster+9 -0
SECURITY: Do not allow user scripts on Special:PasswordResetmediawiki/coreREL1_34+9 -0
SECURITY: Do not allow user scripts on Special:PasswordResetmediawiki/coreREL1_33+9 -0
SECURITY: Do not allow user scripts on Special:PasswordResetmediawiki/coreREL1_32+9 -0
SECURITY: Do not allow user scripts on Special:PasswordResetmediawiki/coreREL1_31+9 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Nirmos created this task.Apr 13 2018, 5:56 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 13 2018, 5:56 AM
Aklapper added a project: MediaWiki-Special-pages.Apr 13 2018, 8:38 AM
Reedy subscribed.Apr 13 2018, 8:56 AM

SpecialUserLogin extends LoginSignupSpecialPage... SpecialPasswordReset extends FormSpecialPage

LoginSignupSpecialPage calls OutputPage::disallowUserJs... SpecialPasswordReset and FormSpecialPage don't.

Ladsgroup moved this task from Backlog / Other to Patch pending review on the acl*security board.Jun 15 2018, 5:22 PM
Ladsgroup subscribed.

Is this good for now?

0001-Do-not-allow-user-scripts-on-Special-PasswordReset.patch877 BDownload

Ladsgroup added a comment.Jun 28 2018, 12:38 PM
In T192134#4293721, @Ladsgroup wrote:

Is this good for now?

0001-Do-not-allow-user-scripts-on-Special-PasswordReset.patch877 BDownload

Maybe I should call that method in alterForm instead of construct. Can't say for sure tbh.

Ladsgroup added a subscriber: Bawolff.Nov 26 2018, 1:18 PM

ping @Bawolff

sbassett subscribed.Nov 26 2018, 4:12 PM
Urbanecm triaged this task as Low priority.Nov 12 2019, 8:52 AM
sbassett added a comment.Nov 21 2019, 10:42 PM

@Ladsgroup - patch above still applies to MW 1.35. I'm personally fine with this as a stop-gap measure or even if it becomes more of a permanent mitigation. Though I'm not really sure there's a demonstrated security issue here. Yes, certain user css/js can do unintentional or bad things on wiki pages where it's run, but that's a fundamental part of such functionality existing in the first place. Anyhow, I'm happy to deploy this as a core security patch and backport it to supported release branches, though IMO, it might barely meet the security patch threshold.

sbassett added a project: Security-Team.Nov 21 2019, 10:42 PM
sbassett moved this task from Patch pending review to Pending deployment / release on the acl*security board.
sbassett moved this task from Incoming to Watching on the Security-Team board.
Ladsgroup added a comment.Nov 23 2019, 1:50 PM
In T192134#5682990, @sbassett wrote:

@Ladsgroup - patch above still applies to MW 1.35. I'm personally fine with this as a stop-gap measure or even if it becomes more of a permanent mitigation. Though I'm not really sure there's a demonstrated security issue here. Yes, certain user css/js can do unintentional or bad things on wiki pages where it's run, but that's a fundamental part of such functionality existing in the first place. Anyhow, I'm happy to deploy this as a core security patch and backport it to supported release branches, though IMO, it might barely meet the security patch threshold.

So the biggest part of the problem is that people can steal others' email addresses that is considered private data. It's not as bad as stealing their passwords (that's what I initially thought, it's PasswordReset) but I realized it's email address only. I tested it locally and it works.

sbassett added a comment.Dec 6 2019, 9:16 PM
In T192134#4321709, @Ladsgroup wrote:

Maybe I should call that method in alterForm instead of construct. Can't say for sure tbh.

[[ https://codesearch.wmflabs.org/core/?q=disallowUserJs%5C(%5C)&i=nope&files=&repos= | Most other specials seem to call it in execute() ]] though SpecialPasswordReset.php doesn't call execute() right now. I'm not sure there's anything wrong with calling disallowUserJs() within the constructor, though I'm sure that could be modified to look more like what is done in SpecialChangeEmail for consistency's sake. Anyhow, whatever you want to do, I'd like to try to deploy this during the security deployment window this Monday, if possible.

sbassett added a project: user-sbassett.Dec 6 2019, 9:17 PM
sbassett moved this task from Backlog to Waiting on the user-sbassett board.
Ladsgroup added a comment.Dec 7 2019, 10:39 PM
In T192134#5719482, @sbassett wrote:
In T192134#4321709, @Ladsgroup wrote:

Maybe I should call that method in alterForm instead of construct. Can't say for sure tbh.

[[ https://codesearch.wmflabs.org/core/?q=disallowUserJs%5C(%5C)&i=nope&files=&repos= | Most other specials seem to call it in execute() ]] though SpecialPasswordReset.php doesn't call execute() right now. I'm not sure there's anything wrong with calling disallowUserJs() within the constructor, though I'm sure that could be modified to look more like what is done in SpecialChangeEmail for consistency's sake. Anyhow, whatever you want to do, I'd like to try to deploy this during the security deployment window this Monday, if possible.

Okay, I made another patch that makes me feel better (I was worried that construct would have been ran in other contexts like in Special:SpecialPages)

0001-Security-Do-not-allow-user-scripts-on-Special-Passwo.patch1 KBDownload

sbassett added a comment.Dec 9 2019, 10:25 PM

Thanks, @Ladsgroup. Patch applies and tests fine locally on MW master. Will deploy shortly.

sbassett closed this task as Resolved.Dec 9 2019, 10:45 PM
sbassett assigned this task to Ladsgroup.
sbassett moved this task from Pending deployment / release to Done on the acl*security board.

Deployed to wmf.5 and wmf.8. Tested on enwiki and all looks good to me and nothing bad happening in logstash:FatalMonitor. I'm going to resolve for now and make public. I don't think this merits a CVE (it's really more code-hardening IMO) but backports to supported release branches could certainly happen.

Restricted Application added a project: User-Ladsgroup. · View Herald TranscriptDec 9 2019, 10:45 PM
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.Dec 9 2019, 10:45 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
gerritbot added a comment.Dec 9 2019, 10:47 PM

Change 556073 had a related patch set uploaded (by SBassett; owner: Ladsgroup):
[mediawiki/core@master] Do not allow user scripts on Special:PasswordReset

https://gerrit.wikimedia.org/r/556073

gerritbot added a project: Patch-For-Review.Dec 9 2019, 10:47 PM
gerritbot added a comment.Dec 9 2019, 10:50 PM

Change 556074 had a related patch set uploaded (by SBassett; owner: Ladsgroup):
[mediawiki/core@REL1_34] SECURITY: Do not allow user scripts on Special:PasswordReset

https://gerrit.wikimedia.org/r/556074

gerritbot added a comment.Dec 9 2019, 10:50 PM

Change 556075 had a related patch set uploaded (by SBassett; owner: Ladsgroup):
[mediawiki/core@REL1_33] SECURITY: Do not allow user scripts on Special:PasswordReset

https://gerrit.wikimedia.org/r/556075

gerritbot added a comment.Dec 9 2019, 10:51 PM

Change 556076 had a related patch set uploaded (by SBassett; owner: Ladsgroup):
[mediawiki/core@REL1_32] SECURITY: Do not allow user scripts on Special:PasswordReset

https://gerrit.wikimedia.org/r/556076

gerritbot added a comment.Dec 9 2019, 10:51 PM

Change 556077 had a related patch set uploaded (by SBassett; owner: Ladsgroup):
[mediawiki/core@REL1_31] SECURITY: Do not allow user scripts on Special:PasswordReset

https://gerrit.wikimedia.org/r/556077

sbassett removed a project: user-sbassett.Dec 9 2019, 10:52 PM
gerritbot added a comment.Dec 9 2019, 11:06 PM

Change 556077 merged by jenkins-bot:
[mediawiki/core@REL1_31] SECURITY: Do not allow user scripts on Special:PasswordReset

https://gerrit.wikimedia.org/r/556077

gerritbot added a comment.Dec 9 2019, 11:09 PM

Change 556076 merged by jenkins-bot:
[mediawiki/core@REL1_32] SECURITY: Do not allow user scripts on Special:PasswordReset

https://gerrit.wikimedia.org/r/556076

gerritbot added a comment.Dec 9 2019, 11:10 PM

Change 556075 merged by jenkins-bot:
[mediawiki/core@REL1_33] SECURITY: Do not allow user scripts on Special:PasswordReset

https://gerrit.wikimedia.org/r/556075

gerritbot added a comment.Dec 9 2019, 11:10 PM

Change 556074 merged by jenkins-bot:
[mediawiki/core@REL1_34] SECURITY: Do not allow user scripts on Special:PasswordReset

https://gerrit.wikimedia.org/r/556074

gerritbot added a comment.Dec 9 2019, 11:13 PM

Change 556073 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: Do not allow user scripts on Special:PasswordReset

https://gerrit.wikimedia.org/r/556073

Maintenance_bot moved this task from Incoming to Done on the User-Ladsgroup board.Dec 9 2019, 11:15 PM
ReleaseTaggerBot added projects: MW-1.31-release-notes, MW-1.33-notes, MW-1.34-notes, MW-1.35-notes (1.35.0-wmf.10; 2019-12-10), MW-1.32-notes.Dec 10 2019, 12:00 AM
Maintenance_bot removed a project: Patch-For-Review.Dec 10 2019, 12:10 AM
Reedy added a parent task: T233495: Tracking bug for MediaWiki 1.31.6/1.32.6/1.33.2/1.34.0 security release.Dec 12 2019, 12:07 PM
Legoktm mentioned this in T233495: Tracking bug for MediaWiki 1.31.6/1.32.6/1.33.2/1.34.0 security release.Dec 12 2019, 7:12 PM
sbassett mentioned this in T243608: User scripts shouldn't run on Special:Manage_Two-factor_authentication.Jan 24 2020, 9:03 PM
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL