Page MenuHomePhabricator

bot passwords should call checkLoginSecurityLevel
Closed, ResolvedPublic

Description

Creating a new botpassword allows you to take control of an account in much the same way as changing the password does as it essentially creates a new password.

Thus it should call SpecialPage::checkLoginSecurityLevel()

Maybe related T194204

Event Timeline

Hmm. Doing this at a basic level would be pretty simple, but loses form data if the user takes too long on the edit screen.

Fixing that can copy some logic from AuthManagerSpecialPage which already does something similar, but it's a bit of a big change for a security patch. I wouldn't be opposed to submitting the first one (without the "SECURITY" tag) publicly for normal review.


Given this is a hardening measure, and not outright vulnerability, i think its fine to develop this in gerrit.

@Tgr did:

Bawolff added a subscriber: matmarex.

Which is the same as Brad's patch above, I wasn't aware of it.

[I was going to deploy this today given the attack happening again. However, when I put patch on mwdebug1002, it didn't seem to work (Despite working locally). I'm not sure why, but in any case I'm going to wait until monday to figure it out]

Ok, it appears the other one isn't merged yet.

I'm just going to throw the second one in gerrit and let it ride the train.

Merged but not in production yet.

Probably can be made public?

Ladsgroup subscribed.

The patch is deployed. We probably need to do a security release for 1.31 and before.

I've just done cherry picks of the public patch onto 1.27, 1.29, 1.30, 1.31 with a fixed bug reference

https://gerrit.wikimedia.org/r/#/q/I9a38a3109492753fff1f33c0f280e5b0f1fc1a76

Reedy claimed this task.

Marking as resolved for tracking purposes.

Could be opened up in advance, as per Brian it's hardening, but it's not going to harm sitting closed till the release

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 20 2018, 9:35 PM