Page MenuHomePhabricator
Create Task
Maniphest T194237

bot passwords should call checkLoginSecurityLevel
Closed, ResolvedPublic
Actions

Description

Creating a new botpassword allows you to take control of an account in much the same way as changing the password does as it essentially creates a new password.

Thus it should call SpecialPage::checkLoginSecurityLevel()

Maybe related T194204

Details

SubjectRepoBranchLines +/-
SECURITY: Special:BotPasswords should reauthenticatemediawiki/coreREL1_31+10 -1
SECURITY: Special:BotPasswords should reauthenticatemediawiki/coreREL1_30+10 -1
SECURITY: Special:BotPasswords should reauthenticatemediawiki/coreREL1_27+7 -0
SECURITY: Special:BotPasswords should reauthenticatemediawiki/coreREL1_29+7 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bawolff created this task.May 9 2018, 7:25 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 9 2018, 7:25 AM
Bawolff added a project: MediaWiki-Core-AuthManager.May 9 2018, 7:25 AM
Anomie subscribed.May 9 2018, 7:25 PM

Hmm. Doing this at a basic level would be pretty simple, but loses form data if the user takes too long on the edit screen.

Fixing that can copy some logic from AuthManagerSpecialPage which already does something similar, but it's a bit of a big change for a security patch. I wouldn't be opposed to submitting the first one (without the "SECURITY" tag) publicly for normal review.

0001-SECURITY-Add-getLoginSecurityLevel-support-to-FormSp.patch6 KBDownload

0002-SECURITY-Special-BotPasswords-should-reauthenticate.patch1 KBDownload

Bawolff added a comment.May 9 2018, 10:33 PM

Given this is a hardening measure, and not outright vulnerability, i think its fine to develop this in gerrit.

Anomie added a comment.May 10 2018, 2:32 PM

Filed https://gerrit.wikimedia.org/r/432382 to replace the first patch.

Bawolff added a subscriber: Tgr.Jun 10 2018, 4:13 PM

@Tgr did:

0001-SECURITY-Enable-elevated-login-security-for-bot-pass.patch1 KBDownload

Bawolff merged a task: Restricted Task.Jun 10 2018, 4:25 PM
Bawolff added a subscriber: matmarex.
Tgr added a comment.Jun 10 2018, 4:27 PM

Which is the same as Brad's patch above, I wasn't aware of it.

Bawolff added a comment.Jun 10 2018, 5:14 PM

[I was going to deploy this today given the attack happening again. However, when I put patch on mwdebug1002, it didn't seem to work (Despite working locally). I'm not sure why, but in any case I'm going to wait until monday to figure it out]

Bawolff added a parent task: T181665: Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release.Jun 10 2018, 6:15 PM

Ok, it appears the other one isn't merged yet.

I'm just going to throw the second one in gerrit and let it ride the train.

Tgr added a comment.Jun 10 2018, 7:18 PM

Merged but not in production yet.

Bawolff added a comment.Jun 11 2018, 5:47 AM

For cross reference: https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/439498/

Tgr added a comment.Jun 13 2018, 4:37 PM

Probably can be made public?

Tgr mentioned this in T197160: All security-sensitive MediaWiki functionality should require elevated security.Jun 13 2018, 5:22 PM
Tgr added a parent task: T197160: All security-sensitive MediaWiki functionality should require elevated security.Jun 13 2018, 5:24 PM
Ladsgroup moved this task from Backlog / Other to Pending deployment / release on the acl*security board.Jun 20 2018, 5:11 AM
Ladsgroup subscribed.

The patch is deployed. We probably need to do a security release for 1.31 and before.

Reedy subscribed.Jul 7 2018, 10:57 AM

I've just done cherry picks of the public patch onto 1.27, 1.29, 1.30, 1.31 with a fixed bug reference

https://gerrit.wikimedia.org/r/#/q/I9a38a3109492753fff1f33c0f280e5b0f1fc1a76

Reedy mentioned this in T181665: Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release.Jul 7 2018, 5:24 PM
Reedy closed this task as Resolved.Jul 7 2018, 5:26 PM
Reedy claimed this task.

Marking as resolved for tracking purposes.

Could be opened up in advance, as per Brian it's hardening, but it's not going to harm sitting closed till the release

Reedy reassigned this task from Reedy to Anomie.Jul 7 2018, 5:27 PM
Legoktm mentioned this in T199021: Release MediaWiki 1.27.5/1.29.3/1.30.1/1.31.1.Aug 29 2018, 12:55 AM
Legoktm mentioned this in T199027: Obtain CVEs for 1.27.5/1.29.3/1.30.1/1.31.1 security releases.Aug 29 2018, 1:14 AM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 20 2018, 9:35 PM
Se4598 mentioned this in T193237: Harmonise Fortnox invoice reference.Sep 21 2018, 11:57 AM
sbassett moved this task from Pending deployment / release to Done on the acl*security board.Sep 26 2019, 2:29 PM
chasemp added a project: Security.Feb 10 2020, 10:52 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:12 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:39 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL