Tilde stripping in signatures is inadequate
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	cscott
	Aug 17 2019, 12:23 PM

Description

Editors have been banned for using tides in their signatures (among other things):
https://en.wikipedia.org/wiki/Wikipedia:Requests_for_arbitration/-Ril-#Sig_change

The issue is that if you set your 'fancy' signature to ~~~~ it gets inserted literally in the output, and then the next editor to save the talk page gets *their* signature substituted, causing the evil editor's comments to be misattributed.

Code was added in 2006 to prevent this: 682e6e96e035e95dc44c8f17ce050bb7c16f60e2

But this is ineffective. For example consider the signature ~~{{subst:1x{{subst:1x|{{subst:!}}}}}}~~. This gets expanded on first save to ~~{{subst:1x|}}~~ which will then be treated as ~~~~ on a subsequent save (subst is handled before signature insertion).

This isn't really a security bug: we have a policy in place forbidding confusing signatures in general, and the original author is stored in the version history. But it is a case where our attempted sanitization is imperfect.

Dependencies

The patches to meet the "Requirements" described below should NOT be merged until the following tickets are resolved:

Requirements

When someone attempts to save a signature that meets the conditions below, prevent the signature from being saved and present a message that explains to people: 1) that their signature cannot be saved as it is currently written, 2) why their signature cannot be saved as it is currently written and 3) what changes they need to make to the signature they have written in order to save it.
- Conditions:
  - The signature contains syntax that produces another {{subst:...}} or ~~~... after the substitution (which would be then substituted again when the next user edits the page), as described in T230652#5966006

Testing details

Scenario A

Visit: https://en.wikipedia.org/wiki/Special:Preferences
Navigate to the Signature section
Check the Treat the above as wiki markup box
Enter a signature like: ~~{{subst:1x{{subst:1x|{{subst:!}}}}}}~~
Click Save
Notice the follow message appears beneath the Signature: text field: Your signature contains nested substitution (e.g. subst: or ~~~~).

Done

Patches are written that meet the "Requirements" described above

Details

	Subject	Repo	Branch	Lines +/-
	preferences: Signature validation (lint errors, user links, nested subst)	mediawiki/core	master	+630 -8
	[WIP] preferences: Prevent "nested" substitution in signature	mediawiki/core	master	+18 -0

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Resolved	matmarex	T230652 Tilde stripping in signatures is inadequate
Resolved	matmarex	T244519 Coordinating signature preference validation changes
Resolved	• Whatamidoing-WMF	T247046 Publicize new signature requirements proposal

Event Timeline

cscott created this task.Aug 17 2019, 12:23 PM

Restricted Application added subscribers: Liuxinyu970226, Aklapper. · View Herald TranscriptAug 17 2019, 12:23 PM

cscott mentioned this in T230653: Use a parser function to encapsulate signatures.Aug 17 2019, 1:27 PM

matmarex subscribed.Nov 8 2019, 11:24 PM

Change 549953 had a related patch set uploaded (by Bartosz Dziewoński; owner: Bartosz Dziewoński):
[mediawiki/core@master] [WIP] preferences: Prevent "nested" substitution in signature

https://gerrit.wikimedia.org/r/549953

gerritbot added a project: Patch-For-Review.Nov 9 2019, 12:32 AM

matmarex claimed this task.Nov 9 2019, 12:36 AM

Change 549953 abandoned by Bartosz Dziewoński:
[WIP] preferences: Prevent "nested" substitution in signature

Reason:
It'll be easier for me to work on this and related changes in one patch, see: I07c575c2d9d2afe7a89c4847d16ac044417297bf

https://gerrit.wikimedia.org/r/549953

Change 569062 had a related patch set uploaded (by Bartosz Dziewoński; owner: Bartosz Dziewoński):
[mediawiki/core@master] preferences: Signature validation (lint errors, user links, nested subst)

https://gerrit.wikimedia.org/r/569062

Per the description - This isn't really a security bug - I'm going to un-sub Security-Team for now.

matmarex mentioned this in T244519: Coordinating signature preference validation changes.Feb 6 2020, 6:37 PM

matmarex added a project: Editing-team.

matmarex edited projects, added Editing-team (Q3 2019-2020 Kanban Board); removed Editing-team.Feb 6 2020, 6:41 PM

matmarex moved this task from Needs Discussion / Investigation to Code Review on the Editing-team (Q3 2019-2020 Kanban Board) board.Feb 6 2020, 6:42 PM

DLynch moved this task from Code Review to Blocked / Needs More Work on the Editing-team (Q3 2019-2020 Kanban Board) board.Feb 26 2020, 4:04 PM

matmarex added a subtask: T244519: Coordinating signature preference validation changes.Feb 26 2020, 6:55 PM

matmarex moved this task from Blocked / Needs More Work to Upcoming on the Editing-team (Q3 2019-2020 Kanban Board) board.

Once we get community input as mentioned in T244519 we can work on this task.

JTannerWMF moved this task from Backlog to FY 2019-20 on the Editing-team (Tracking) board.Mar 4 2020, 6:07 PM

• ppelberg closed subtask T244519: Coordinating signature preference validation changes as Resolved.Mar 6 2020, 1:44 AM

ToBeFree awarded a token.Mar 9 2020, 6:58 PM

Hello, as I read, this change targets "nested" subst's. Does this code fall into that? It changes User talk:Jack who built the house link to User talk:Jack who built the house#top if I post on my talk page.

— [[User:Jack who built the house|Jack who built the house]] {{subst:#ifeq: {{subst:FULLPAGENAME}} | {{subst:ns:3}}:Jack who built the house | ([[User talk:Jack who built the house#top|talk]]) | ([[User talk:Jack who built the house|talk]]) }}

No, it only disallows syntax that produces another {{subst:...}} or ~~~... after the substitution (which would be then substituted again when the next user edits the page).

I could not think of a better way to describe it, "nested" subst is not a very precise description. I'd love to update the documentation page with a better one :)

MichaelSchoenitzer awarded a token.Mar 17 2020, 6:41 PM

Xiplus subscribed.Mar 24 2020, 1:00 PM

I experimented with inserting my local time in my sig. At one stage I had nested {{subst:#time … {{subst:#expr … {{subst:#time …}}}}}} (subst one, subst 'em all), ~~which would be banned under this proposal~~.

Fortunately I discovered that #time can take parameters like "+10 hours" and do it in one call. But there are potentially other legitimate reasons for multi subst'ing in sigs.

If the actual test is more subtle per @matmarex's post T230652#5966006, then there shouldn't be much problem. Perhaps the title could say "chained subst" or "evil subst", rather than "nested"? In the final communication, you could use a phrase like "certain pathological uses of subst:" or "abuses of subst:" to make it clear that the exclusion will be tightly focussed.

• ppelberg mentioned this in T248632: Implement new signature requirements.Jun 5 2020, 4:46 PM

• ppelberg edited projects, added Editing-team (Q3 2019-2020 Kanban Board); removed Editing-team (Tracking).Jun 12 2020, 9:09 PM

Task description updates
Adding the following sections to the task description; please let me know if anything looks unexpected.

Dependencies
Requirements
Done

Blocked
This task will be unblocked once the following tasks are resolved:

• ppelberg updated the task description. (Show Details)Jun 12 2020, 9:53 PM

• ppelberg mentioned this in T255324: Prevent invalid signature from being saved.Jun 12 2020, 10:25 PM

So… this is a duplicate of my ancient T14495, right? :-)

@Mormegil It's a bit different. Your task is about disallowing signatures that produce {{blah}} after substitution. This task is about disallowing signatures that produce ~~~~ or {{subst:blah}} (etc.) after substitution, which would then be substituted again after another person edits the page.

matmarex moved this task from Blocked / Needs More Work to Code Review on the Editing-team (Q3 2019-2020 Kanban Board) board.Jun 19 2020, 12:35 AM

Change 569062 merged by jenkins-bot:
[mediawiki/core@master] preferences: Signature validation (lint errors, user links, nested subst)

https://gerrit.wikimedia.org/r/569062

Esanders moved this task from Code Review to QA on the Editing-team (Q3 2019-2020 Kanban Board) board.Jun 24 2020, 10:17 PM

Esanders added a project: Editing QA.

ReleaseTaggerBot added a project: MW-1.35-notes (1.35.0-wmf.39; 2020-06-30).Jun 24 2020, 11:00 PM

Maintenance_bot removed a project: Patch-For-Review.Jun 24 2020, 11:10 PM

• ppelberg mentioned this in T254614: Notify "tech audiences" about signature requirement consultation outcomes.Jun 26 2020, 10:58 PM

• ppelberg moved this task from Inbox to High Priority on the Editing QA board.Jul 2 2020, 9:56 PM

Like in T237700#6286867, @matmarex can you:

REVIEW the "Testing details" section of the task description to ensure it is accurate and exhaustive?

cc @Ryasmeen

LGTM

@matmarex:

I followed the testing details and for signature entered this exactly: ~~{{subst:1x{{subst:1x|{{subst:!}}}}}}~~

And it does show the appropriate message as expected.

Is that all I need to check for this?

I tried couple of other things, although not sure if those are part of validation checks for this. For example: I tried adding tildes as part of my username with the checkbox being both checked and unchecked. For both cases, it discards the tildes after saving the changes, however it does not show any error messages.

Just thought to add this observation here.

MBinder_WMF edited projects, added Editing-team (Kanban Board); removed Editing-team (Q3 2019-2020 Kanban Board).Jul 9 2020, 4:47 PM

JTannerWMF moved this task from Incoming to QA on the Editing-team (Kanban Board) board.Jul 9 2020, 4:48 PM

In T230652#6291947, @Ryasmeen wrote:

@matmarex:

I followed the testing details and for signature entered this exactly: ~~{{subst:1x{{subst:1x|{{subst:!}}}}}}~~

And it does show the appropriate message as expected.

Is that all I need to check for this?

I think that's good enough…

If you want to dig at it, here are some more test cases (as used for unit tests), which might provide some inspiration: https://github.com/wikimedia/mediawiki/blob/master/tests/phpunit/includes/preferences/SignatureValidatorTest.php#L69-L72

We could also double-check that just using a template in the signature doesn't cause this error.

I tried couple of other things, although not sure if those are part of validation checks for this. For example: I tried adding tildes as part of my username with the checkbox being both checked and unchecked. For both cases, it discards the tildes after saving the changes, however it does not show any error messages.

Just thought to add this observation here.

That's pre-existing code, which indeed tries to automatically fix this problem by removing the tildes, but it only handles the simple cases. I'm not sure if we should try to remove that now, I think it's fine.

Ryasmeen moved this task from QA to Ready for Sign Off on the Editing-team (Kanban Board) board.Jul 9 2020, 10:13 PM

Ryasmeen removed a project: Editing QA.Jul 9 2020, 10:22 PM

• ppelberg closed this task as Resolved.Jul 29 2020, 5:17 PM

Restricted Application added a project: User-Ryasmeen. · View Herald TranscriptJul 29 2020, 5:17 PM

Aklapper removed a subscriber: Parsing-Team--ARCHIVED.May 24 2023, 1:09 PM