Page MenuHomePhabricator
Create Task
Maniphest T204186

mw-config/w/static.php should not serve dotfiles ever [paranoia]
Closed, ResolvedPublic
Actions

Description

dotfiles often contain sensitive things (e.g. .git directory, or a editor swap files, temp files). We will serve them in the extension directory if they have a safe sounding file extension. For example https://en.wikipedia.org/w/extensions/WikimediaMaintenance/.phpcs.xml

While I don't think we're vulnerable in any way (We don't deploy .git files.), I think this is a good hardening step.

Fun fact: Under certain obscure circumstances (A lot of other potential file names taken), vim may use .svg as a file extension for its swap file!

Details

SubjectRepoBranchLines +/-
static.php: Explicitly disallow dotfilesoperations/mediawiki-configmaster+18 -8
static.php: Less visible distinction between HTTP 400 errorsoperations/mediawiki-configmaster+2 -2
Customize query in gerrit

Event Timeline

Bawolff created this task.Sep 13 2018, 2:37 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 13 2018, 2:37 AM
Bawolff added a comment.Sep 13 2018, 3:10 AM

Additionally, given:

                $filePath = realpath( "$branchDir/$path" );
                if ( !$filePath ) { 
                        continue;
                }   

                if ( strpos( $filePath, $branchDir ) !== 0 ) { 
                        wmfStaticShowError( 'Bad request', 400 );
                        return;
                }
[...]
                wmfStaticShowError( 'Unknown file path', 404, 300 );
                $stats->increment( 'wmfstatic.notfound' );
                return;

Having the error be different for path traversal attempt where the file is found vs path traversal attempt where the file is not found might not be great (as it can expose what files are on the system). In practise this seems pretty impossible to trigger as some other layer (presumably varnish) normalizes paths before they get to this script. [And in our setup, what files are where on the system isn't exactly super secret]

Bawolff added a project: Security-Team.Sep 13 2018, 3:11 AM
Krinkle subscribed.Dec 26 2018, 6:20 AM
sbassett triaged this task as Low priority.Oct 4 2019, 5:34 PM
Krinkle added a project: Performance-Team.Oct 4 2019, 7:54 PM
Krinkle claimed this task.Oct 4 2019, 8:03 PM
sbassett moved this task from Incoming to Waiting on the Security-Team board.Oct 4 2019, 8:30 PM
sbassett closed this task as Resolved.Oct 4 2019, 8:46 PM
sbassett moved this task from Backlog / Other to Done on the acl*security board.
sbassett subscribed.

@Krinkle pushed through gerrit and deployed. Resolving and making public.

sbassett moved this task from Waiting to Our Part Is Done on the Security-Team board.Oct 4 2019, 8:46 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett awarded a token.
chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL