
spamRegexList#deleteFromList is susceptible to CSRF
Closed, Resolved · Public

Description

Like T217662, just for SpamRegex this time around. (Makes sense as they both are similar-ish codebase-wise and originate from the same developer/company and time frame.)

Test case: as a privileged user (one who has the spamregex right), visit a URL like http://localhost/mediawiki-1.32.0/index.php?title=Special:SpamRegex&action=delete&text=MyCSRFTest (assuming the string MyCSRFTest has been spamregexed prior to visiting the URL, of course). In an ideal world it'd fail since a token isn't provided in the URL, but actually it'll succeed.

cc'ing @lcawte because we use SpamRegex on ShoutWiki.
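An added example, not the extension's code or the merged patch, of the check this task calls for, written against MediaWiki's SpecialPage API; the class name and the spamregex-example-deleted message key are hypothetical, and the way deleteFromList is invoked is an assumption:

```php
<?php
// Added example, not the SpamRegex extension's code or ashley's patch.
// Assumes MediaWiki's SpecialPage API (getRequest(), getUser(), getOutput(),
// checkPermissions()); the class name and the 'spamregex-example-deleted'
// message key are hypothetical; deleteFromList() stands for the extension's
// existing deletion routine named in the task title.
class SpecialSpamRegexExample extends SpecialPage {
	public function __construct() {
		// Second argument: the right a visitor must hold ('spamregex').
		parent::__construct( 'SpamRegex', 'spamregex' );
	}

	public function execute( $par ) {
		$this->setHeaders();
		$this->checkPermissions(); // throws PermissionsError without the right
		$request = $this->getRequest();
		$out = $this->getOutput();
		if ( $request->getVal( 'action' ) !== 'delete' ) {
			return;
		}
		$text = $request->getText( 'text' );
		// Vulnerable shape from the report: deleting right here, on a plain GET
		// with action=delete&text=..., lets any other site trigger it through
		// the visiting admin's session. Hardened: a GET only shows a form.
		if ( !$request->wasPosted() ) {
			$out->addHTML( $this->deleteForm( $text ) );
			return;
		}
		if ( !$this->getUser()->matchEditToken( $request->getVal( 'token' ) ) ) {
			// Token missing or not tied to this user's session: refuse, using
			// core's 'sessionfailure' message as suggested in the review.
			$out->addWikiMsg( 'sessionfailure' );
			return;
		}
		$this->deleteFromList( $text ); // assumed: the extension's routine
		$out->addWikiMsg( 'spamregex-example-deleted' );
	}

	private function deleteForm( string $text ): string {
		// The hidden token is the value a cross-site request cannot supply.
		return Html::openElement( 'form', [ 'method' => 'post', 'action' => $this->getPageTitle()->getLocalURL() ] )
			. Html::hidden( 'action', 'delete' )
			. Html::hidden( 'text', $text )
			. Html::hidden( 'token', $this->getUser()->getEditToken() )
			. Html::submitButton( 'Delete' )
			. Html::closeElement( 'form' );
	}
}
```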

Event Timeline

ashley created this task. Mar 7 2019, 11:05 PM
Restricted Application added a subscriber: Aklapper. Mar 7 2019, 11:05 PM

Adding SpamRegex. (Please add a project tag so the task shows up (for people with access) in search results / on workboards related to that project. Thanks!)

chasemp triaged this task as Medium priority. Dec 9 2019, 4:29 PM


Proposed patch. Tested and should do the trick, even if the JS part is really fugly (IMO)...

cc @Bawolff for CR

ashley moved this task from Backlog to Bugs on the SpamRegex board. Mar 10 2020, 10:23 PM

 	+			}
	 		} else {
	-			/* text doesn't exist */
	 			$action = 'failure_unblock';
	 		}
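Review bot: the unchanged else branch here still reports failure_unblock for every way the preceding condition can fail, and the removed `/* text doesn't exist */` comment was the only statement of what that branch means; if a token mismatch now falls through to it, the user is told the entry does not exist rather than that the request was rejected. Keep a comment naming the cases that reach `$action = 'failure_unblock';` and give the token-mismatch path its own error code (the core sessionfailure message) instead of reusing failure_unblock.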

You might want to use the error code sessionfailure for the case the token doesn't match.

Otherwise this looks good.

ashley closed this task as Resolved. Mar 11 2020, 7:45 AM
ashley claimed this task.

Thanks for the swift review! I implemented this suggestion in the submitted & merged patch.

This task is done, except that someone with sufficient access should declassify this so that everyone can view the details. (I don't have the access to do that.)

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)". Mar 12 2020, 11:15 PM