
Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage (CVE-2020-35477)
Closed, Resolved | Public | Security

Description

Steps to reproduce:
Set MediaWiki:Mainpage to Special:MyLanguage/Main Page
Go to a log entry on Special:Log and toggle the check box next to it
Click "Change visibility of selected log entries"

Expected result:
Revision deletion form is shown

Actual result:
User is redirected to the main page with action=historysubmit

The same applies for trying to add/remove change tags


Original report:
Hi,

I've noticed today that when attempting to change the visibility of a log entry, I was no longer able to do so and was redirected to Meta-Wiki's Main Page instead.

I started by selecting a log/checkbox here: https://meta.wikimedia.org/wiki/Special:Log/delete and then clicking change visibility.

It then redirects to https://meta.wikimedia.org/w/index.php?action=historysubmit&type=logging&revisiondelete=1&ids%5B28602506%5D=1
Which /should/ have loaded up the form to perform the change.

But instead the link just immediately redirects to https://meta.wikimedia.org/w/index.php?title=Main_Page&action=historysubmit

Event Timeline


As a workaround it is still possible to use API for this. You can use your favourite bot framework or Special:APISandbox:

Just as a note since there’s been some confusion: this doesn’t appear to be affecting en.wp

It seems that to observe this bug the permissions needed for actual page usage are not necessary. You either get redirected to main page when this is observed, or get permission error.

With this I was able to see that besides wikimania2018 this is also observed on wikimania2017, wikimania2016, and wikimania2015, but not on other wikimania wikis.

This might as well be some faulty rewrite or other server misconfiguration, thus adding Operations.

Krenair added a subscriber: Krenair.

This is likely between MW code and Wikimedia's MW config.

I can reproduce the observed issue at https://meta.wikimedia.org/w/index.php?action=historysubmit&type=logging&revisiondelete=1&ids%5B28602506%5D=1.

However, there is no redirect. It's a JavaScript address bar change. As such, not due to server or rewrite configuration. I looked at this because we're currently doing some maintenance on the Apache server configurations. And ruled it out as a possible cause.

With the above in mind I have decided to see what happens when I have JavaScript disabled. It looks like the URL indeed does not change. That being said I still see Main Page instead of the Special page.

Jalexander set Security to Software security bug. Nov 28 2018, 7:45 PM
Jalexander added a project: acl*security.
Jalexander changed the visibility from "Public (No Login Required)" to "Custom Policy".
Jalexander added a subscriber: Jalexander.

moving to security given attack vector possibilities

When visiting https://meta.wikimedia.org/w/index.php?action=historysubmit&type=logging&revisiondelete=1&ids%5B28602506%5D=1, MediaWiki::parseTitle() doesn't find any of various parameters that would specify the title, so it loads the main page as the title. Since September 27, 2018, at Meta that has been "Special:MyLanguage/Main Page".

Slightly later in the request, Action::getActionName() correctly determines that the action it wants is "revisiondelete", but then it hits a check that says if the current Title is a Special page it forces the 'view' action instead. Thus it acts like you actually visited https://meta.wikimedia.org/wiki/Special:MyLanguage/Main_Page and you wind up redirected to the main page.

I see that outreachwiki and wikimania2018wiki have MediaWiki:Mainpage set to similar values.

So the quick fix would be to not have MediaWiki:Mainpage be set to a Special page. Or if that's really wanted someone could figure out a code change to work around using Special:MyLanguage for the main page, e.g. resolving the RedirectSpecialPage in Title::newMainPage(), or set $wgForceUIMsgAsContentMsg on those wikis like Commons does.
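
A simplified model of the request handling described in the comment above, as an added example that is not part of the thread and is not MediaWiki's code. The function names echo the ones named above; their bodies, the `dispatch` helper and the canonical-prefix check for Special pages are assumptions made for illustration.

```python
# Simplified model of the dispatch described above; NOT MediaWiki source code.
# Function names echo those named in the thread; the bodies are assumptions.
from urllib.parse import parse_qs, urlsplit

SPECIAL_PREFIX = "special:"  # canonical namespace name only; localized aliases ignored


def is_special(title):
    return title.strip().lower().startswith(SPECIAL_PREFIX)


def parse_title(params, mainpage):
    """No title-bearing parameter in the request: fall back to the main page."""
    return params.get("title") or mainpage


def get_action_name(params, title):
    """Work out the requested action, then force 'view' for Special-page titles."""
    action = params.get("action", "view")
    if action == "historysubmit":
        # historysubmit is only a dispatcher; the real action is in another parameter
        if params.get("revisiondelete"):
            action = "revisiondelete"
        elif params.get("editchangetags"):
            action = "editchangetags"
        else:
            action = "view"
    if is_special(title):
        return "view"  # the check that swallows the log action
    return action


def dispatch(url, mainpage):
    """Return (resolved title, effective action) for a request URL."""
    params = {k: v[-1] for k, v in parse_qs(urlsplit(url).query).items()}
    title = parse_title(params, mainpage)
    return title, get_action_name(params, title)


# URL from the report; the loop also tries the "&title=foo" workaround variant
REPORTED = ("https://meta.wikimedia.org/w/index.php?action=historysubmit"
            "&type=logging&revisiondelete=1&ids%5B28602506%5D=1")

if __name__ == "__main__":
    for mainpage in ("Special:MyLanguage/Main Page", "Main Page"):
        for url in (REPORTED, REPORTED + "&title=foo"):
            print(mainpage, "|", url.rsplit("&", 1)[-1], "->", dispatch(url, mainpage))
```

Only the combination of a Special-page main page and a request without a title loses the `revisiondelete` action; either workaround from the thread (a non-Special MediaWiki:Mainpage, or an explicit `title` parameter) keeps it.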

I think that rather than loading the main page, and getting confused when it's a special page, it should not attempt to use that as a title.

As an even faster workaround, I would try using https://meta.wikimedia.org/w/index.php?action=historysubmit&type=logging&revisiondelete=1&ids%5B28602506%5D=1&title=foo

> I think that rather than loading the main page, and getting confused when it's a special page, it should not attempt to use that as a title.

The defaulting to the main page there is also what makes a link like https://en.wikipedia.org/wiki/ go to the main page rather than being some sort of error. And in turn that's what makes an interwiki link to e.g. [[en:]] work to get to enwiki's main page without having to know that it's named "Main Page" rather than "Main page" or "Wikipedia:Main Page" or "Portal:Main page" or whatever.

Vogone claimed this task.

Thanks a lot for investigating the issue!

> So the quick fix would be to not have MediaWiki:Mainpage be set to a Special page. Or if that's really wanted someone could figure out a code change to work around using Special:MyLanguage for the main page, e.g. resolving the RedirectSpecialPage in Title::newMainPage(), or set $wgForceUIMsgAsContentMsg on those wikis like Commons does.

That sounds like a terrible idea, since Commons's main page is broken. Just try setting your interface to a less common language (for example ht, but it is the case with all interface languages which do not have a main page translation available) and you will have a lot of fun with a red link main page.

Hello. As an oversighter for Meta, I am unable to perform my duties due to this bug. Is there anything we can do locally, for now, to solve this? Thanks.

As mentioned in T205908#4787443, you could change https://meta.wikimedia.org/wiki/MediaWiki:Mainpage to not be referring to a Special page.

Is there any progress on resolving this bug?

Works for me, closing.

Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)". Jul 4 2020, 7:21 PM

@Urbanecm, was it really resolved? It works on Meta since the main page target is temporarily (until this ticket is resolved[1]) pointing to Main Page, rather than Special:MyLanguage/Main Page

[1] https://meta.wikimedia.org/wiki/Special:Undelete/MediaWiki:Mainpage

> @Urbanecm, was it really resolved? It works on Meta since the main page target is temporarily (until this ticket is resolved[1]) pointing to Main Page, rather than Special:MyLanguage/Main Page
>
> [1] https://meta.wikimedia.org/wiki/Special:Undelete/MediaWiki:Mainpage

Can confirm that if MediaWiki:Mainpage is Special:MyLanguage/Main Page it still doesn't work (tested at https://meta.wikimedia.beta.wmflabs.org/wiki/MediaWiki:Mainpage)

DannyS712 raised the priority of this task from High to Needs Triage.
DannyS712 triaged this task as High priority.
DannyS712 set Security to Software security bug.
DannyS712 added a project: Security-Team.
DannyS712 changed the visibility from "Public (No Login Required)" to "Custom Policy".
DannyS712 changed the subtype of this task from "Task" to "Security Issue".

->back to high, used the protect as security issue option to restrict visibility

DannyS712 renamed this task from Unable to change visibility of log entries on at least metawiki, outreachwiki and wikimania2018wiki to Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage. Oct 30 2020, 7:39 PM
DannyS712 updated the task description.
DannyS712 moved this task from Unsorted to Awaiting review and deployment on the User-DannyS712 board.

Discussed with @Urbanecm via IRC, scheduled for deployment Monday, November 02 19:00–20:00 UTC (Morning backport window)


Fixed commit message


Fixed commit message

Approved as of this patch.

Deployed and fixed for real

20:07 <Urbanecm> !log Deployed security fix for T205908
20:07 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log

@sbassett Can you do the final honors please (CVE/backport)?

sbassett lowered the priority of this task from High to Low. Nov 2 2020, 8:43 PM (edited)

> @sbassett Can you do the final honors please (CVE/backport)?

As discussed over IRC, let's hold this task and patch for the next security release (T263803). Also setting task priority to low for now since the patch is in production.

Reedy added a subscriber: Reedy.

Patch applies cleanly to REL1_35 and REL1_31.

Closing for ease of tracking. Can/will be made public later

Reedy renamed this task from Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage to Unable to change visibility of log entries when MediaWiki:Mainpage uses Special:MyLanguage (CVE-2020-35477). Dec 16 2020, 7:56 PM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Dec 18 2020, 12:23 AM

Change 650312 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: Set a dummy title for Action buttons on Special:Log

https://gerrit.wikimedia.org/r/650312