
AuthPlugin allows the creation of locally forbidden names.
Closed, ResolvedPublic

Description

User::isValidUserName prevents the local creation of usernames that are prefixed with namespace keys, i.e. User:Wikipedia:Bob is forbidden when Wikipedia: is a local namespace.

However, the vandal mentioned in bug 17877 demonstrated that CentralAuth (and AuthPlugins in general) can allow one to bypass this.

For example, create an account such as User:WP:ANI in a wiki that does not have a WP: namespace and then use single user login to create the same account on enwiki, where it would normally be forbidden.

I'm filing this separately from 17877 because strictly speaking one could address that issue without addressing this one (or vice versa), but I believe that if the AuthPlugin functionality is fixed to prevent the creation of accounts whose names are locally forbidden due to naming conflicts then that would eliminate the most likely and accessible path that leads to the bug described in 17877. (Other paths to a 17877 scenario include the post-facto creation of a conflicting namespace, or the use of RenameUser to intentionally move an account to a conflicting name.)

Also, I think the best approach is to patch Mediawiki to prevent AuthPlugins from creating new accounts for locally forbidden names, but I suppose one might also consider patching just CentralAuth to accomplish the same thing for just Wikimedia.
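As an added illustration (not MediaWiki or CentralAuth code), the model below shows the gap the report describes: a name like WP:ANI passes the local check on a wiki without a WP: namespace, fails it on a wiki that has one, and an auto-creation path for central (SUL) accounts must therefore run the same local validation before materialising the account. The per-wiki namespace sets are constructed sample data, and the prefix check is a simplification of what User::isValidUserName actually does.

```python
# Added example modelling the local namespace-prefix check and an
# auto-creation path that applies it. Not MediaWiki's own implementation.
from typing import Dict, Set

# Constructed sample data: lowercase namespace names/aliases per wiki.
LOCAL_NAMESPACES: Dict[str, Set[str]] = {
    "enwiki": {"user", "wikipedia", "wp", "talk", "template"},
    "otherwiki": {"user", "talk", "template"},
}


def has_namespace_prefix(username: str, wiki: str) -> bool:
    """True if the text before the first ':' names a local namespace."""
    prefix, sep, _ = username.partition(":")
    if not sep:
        return False
    # Namespace names are matched case-insensitively, spaces as underscores.
    key = prefix.strip().replace(" ", "_").lower()
    return key in LOCAL_NAMESPACES[wiki]


def is_valid_local_username(username: str, wiki: str) -> bool:
    """Simplified local validity: non-empty and not a namespace-prefixed name."""
    return bool(username.strip()) and not has_namespace_prefix(username, wiki)


def auto_create_account(username: str, wiki: str,
                        exists_centrally: bool, local_accounts: Set[str]) -> bool:
    """Model of the fixed auto-creation path: a central account is only
    created locally when the name is also valid under local rules."""
    if not exists_centrally:
        return False
    if not is_valid_local_username(username, wiki):
        return False  # locally forbidden name: refuse, do not bypass the check
    local_accounts.add(username)
    return True
```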

Version: unspecified
Severity: normal

Details

Reference
bz17879

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 10:32 PM
bzimport set Reference to bz17879.
bzimport added a subscriber: Unknown Object (MLST).

The way Andrew approached 17877 essentially made it a duplicate of this. Marking as such.

*** This bug has been marked as a duplicate of bug 17877 ***