
bot passwords should call checkLoginSecurityLevel
Closed, ResolvedPublic


Creating a new bot password allows you to take control of an account in much the same way as changing the password does, as it essentially creates a new password.

Thus it should call SpecialPage::checkLoginSecurityLevel()

Maybe related T194204

Event Timeline

Bawolff created this task. May 9 2018, 7:25 AM
Restricted Application added a subscriber: Aklapper. May 9 2018, 7:25 AM
Anomie added a subscriber: Anomie. May 9 2018, 7:25 PM

Hmm. Doing this at a basic level would be pretty simple, but loses form data if the user takes too long on the edit screen.

Fixing that can copy some logic from AuthManagerSpecialPage which already does something similar, but it's a bit of a big change for a security patch. I wouldn't be opposed to submitting the first one (without the "SECURITY" tag) publicly for normal review.

Given this is a hardening measure, and not an outright vulnerability, I think it's fine to develop this in gerrit.
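An added model of the gate the task asks for (example code, not MediaWiki's own): a session whose security level has lapsed is redirected to re-authenticate before a bot password is created, exactly as a password change would be, and the submitted form is stashed in the session so it survives the round trip, which is the data-loss problem Anomie raises. The Session class, USERS store, REAUTH_WINDOW and all function names are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field

REAUTH_WINDOW = 300  # seconds since last password entry; constructed value

@dataclass
class Session:
    user: str
    auth_time: float                           # last time the password was entered
    stash: dict = field(default_factory=dict)  # survives the re-auth redirect

# Constructed user store: user -> password and the bot passwords they own.
# A real system stores a password hash, never the password itself.
USERS = {"alice": {"password": "correct horse", "bots": {}}}

def security_sensitive_status(session, now):
    """'ok' if the password was entered recently enough, otherwise 'reauth'."""
    return "ok" if now - session.auth_time <= REAUTH_WINDOW else "reauth"

def create_bot_password(session, form, now):
    """Create step of the bot-password form, gated like a password change.
    Returns ('redirect', url) when re-auth is required, else ('created', secret)."""
    if security_sensitive_status(session, now) != "ok":
        session.stash["botpasswords"] = form   # keep the form so nothing is lost
        return ("redirect", "Special:UserLogin?returnto=Special:BotPasswords")
    secret = secrets.token_hex(16)             # the new credential for the bot
    USERS[session.user]["bots"][form["name"]] = secret
    return ("created", secret)

def reauthenticate(session, password, now):
    """Re-entering the correct password refreshes auth_time; a wrong one changes nothing."""
    if not secrets.compare_digest(password, USERS[session.user]["password"]):
        return False
    session.auth_time = now
    return True

def resume(session, now):
    """After re-auth, replay the stashed form instead of showing an empty one."""
    form = session.stash.pop("botpasswords", None)
    if form is None:
        return ("nothing", None)
    return create_bot_password(session, form, now)
```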

Bawolff added a subscriber: Tgr. Jun 10 2018, 4:13 PM

@Tgr did:

Bawolff merged a task: Restricted Task. Jun 10 2018, 4:25 PM
Bawolff added a subscriber: matmarex.
Tgr added a comment. Jun 10 2018, 4:27 PM

Which is the same as Brad's patch above; I wasn't aware of it.

[I was going to deploy this today given the attack happening again. However, when I put the patch on mwdebug1002, it didn't seem to work (despite working locally). I'm not sure why, but in any case I'm going to wait until Monday to figure it out.]

Ok, it appears the other one isn't merged yet.

I'm just going to throw the second one in gerrit and let it ride the train.

Tgr added a comment. Jun 10 2018, 7:18 PM

Merged but not in production yet.

Tgr added a comment. Jun 13 2018, 4:37 PM

Probably can be made public?

Ladsgroup added a subscriber: Ladsgroup.

The patch is deployed. We probably need to do a security release for 1.31 and before.

Reedy added a subscriber: Reedy. Jul 7 2018, 10:57 AM

I've just done cherry picks of the public patch onto 1.27, 1.29, 1.30, 1.31 with a fixed bug reference.

Reedy closed this task as Resolved. Jul 7 2018, 5:26 PM
Reedy claimed this task.

Marking as resolved for tracking purposes.

Could be opened up in advance, as per Brian it's hardening, but it's not going to harm sitting closed till the release.

Reedy reassigned this task from Reedy to Anomie. Jul 7 2018, 5:27 PM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Sep 20 2018, 9:35 PM