
Possible to circumvent title-blacklist (CVE-2019-19709)
Closed, Resolved (Public)

Description

Based on T239428: API edit on page with non-resolvable redirect and redirect=1 creates page with invalid title.

Reproduce:

# Google
google.*\.html

Probably it can be used to circumvent the <noedit> restriction.

Event Timeline

Restricted Application added a subscriber: Aklapper. Nov 29 2019, 11:35 AM
Restricted Application added a project: Core Platform Team. Nov 29 2019, 11:35 AM
Anomie added a comment. Dec 2 2019, 2:28 PM

Yes, that's indeed the case. TitleBlacklist thinks the page being created is "w:Google.123.html", which doesn't match the specific rule in question. Rules beginning with .*, like most on the current blacklist, do not seem able to be bypassed in this manner since the .* will match the spurious interwiki prefix.
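
The matching behaviour Anomie describes, modelled as an added Python example (this is not code from the TitleBlacklist extension, which is PHP, nor the fix in change 554084). It assumes that TitleBlacklist anchors each rule at both ends and matches case-insensitively by default; the sample rule page, the interwiki prefix list and the reject_interwiki hardening are constructed here for illustration only.

```python
import re

# Constructed sample of a MediaWiki:Titleblacklist page. The first rule is the
# one from the task description; the others show the ".*"-prefixed style that
# Anomie says is not bypassable, and the <noedit> option the reporter mentions.
SAMPLE_BLACKLIST = r"""
# Google
google.*\.html
# typical rule on the real lists: leading .* so it matches anywhere
.*spamword.*
# <noedit> also blocks editing of an existing page
protected-name <noedit>
"""

# Constructed subset of interwiki prefixes; a real wiki reads these from its
# interwiki table.
INTERWIKI_PREFIXES = {"w", "wikipedia", "m", "meta"}


def parse_blacklist(text):
    """Parse the rule page into (pattern, options) pairs.

    Simplified model of the TitleBlacklist format: '#' starts a comment,
    a trailing '<opt1|opt2>' carries options, blank lines are ignored.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(.*?)\s*<([^>]*)>$", line)
        if m:
            rules.append((m.group(1), set(m.group(2).split("|"))))
        else:
            rules.append((line, set()))
    return rules


def compile_rule(pattern):
    """Model of rule compilation: anchored at both ends and case-insensitive.

    Assumption about the extension's default behaviour; the real PHP code also
    supports a <casesensitive> option, which is not modelled here.
    """
    return re.compile(r"^(?:" + pattern + r")$", re.IGNORECASE | re.DOTALL)


def matching_rule(title, rules):
    """Return the first (pattern, options) that matches the title, else None."""
    for pattern, opts in rules:
        if compile_rule(pattern).match(title):
            return pattern, opts
    return None


def has_interwiki_prefix(title):
    """True if the title starts with a known interwiki prefix such as 'w:'."""
    prefix, sep, _ = title.partition(":")
    return bool(sep) and prefix.strip().lower() in INTERWIKI_PREFIXES


def check_title(title, rules, reject_interwiki=False):
    """Return 'blocked', 'allowed' or 'rejected' for a proposed page title.

    With reject_interwiki=False this models the vulnerable behaviour: the
    blacklist is consulted with the spurious interwiki prefix still attached,
    so an anchored rule like google.*\\.html no longer matches.
    With reject_interwiki=True an interwiki-prefixed title is refused outright,
    since it cannot name a page on the local wiki. That hardening is this
    example's own idea, not the project's actual patch.
    """
    if reject_interwiki and has_interwiki_prefix(title):
        return "rejected"
    return "blocked" if matching_rule(title, rules) else "allowed"


if __name__ == "__main__":
    rules = parse_blacklist(SAMPLE_BLACKLIST)
    for title in ("Google.123.html", "w:Google.123.html", "w:Some spamword here"):
        print(f"{title!r}: vulnerable={check_title(title, rules)} "
              f"hardened={check_title(title, rules, reject_interwiki=True)}")
```

Running the block shows the asymmetry from the comment: the specific rule blocks "Google.123.html" but lets "w:Google.123.html" through, while the ".*spamword.*" rule still fires on "w:Some spamword here" because the leading ".*" absorbs the prefix.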

sbassett triaged this task as Medium priority. Dec 2 2019, 4:46 PM
mobrovac closed this task as Resolved. Dec 5 2019, 1:27 PM
mobrovac assigned this task to Anomie.
sbassett moved this task from Backlog / Other to Done on the Security board. Dec 5 2019, 2:54 PM
Anomie added a subscriber: sbassett. Dec 5 2019, 3:09 PM

@sbassett: I'm backporting the fix for this to Wikimedia sites now. I'll leave it to your team to backport the fix to 1.34 and earlier, if you feel that would be desirable.

sbassett added a comment (edited). Dec 5 2019, 3:59 PM

@Anomie - sounds good, I can try to pick 554084 to each supported release branch and see how it goes. I might solicit some help if those are more complicated than what gerrit can handle. I'm going to make this task public now since the code is on master, wmf.5 and wmf.8 and has been deployed. This probably warrants a CVE as well.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Dec 5 2019, 3:59 PM
Reedy added a parent task: Restricted Task. Dec 10 2019, 11:04 PM
sbassett added a subscriber: Reedy (edited). Dec 10 2019, 11:20 PM

Update: Picked to supported release branches and the bot updates are on the other bug (T239428). There was a minor conflict in includes/api/ApiEditPage.php for each of these, so I kept the old conditional instead of the newer ternary operator statement for now. Patches tested fine, they just need a +2, which I'll do if nobody else does.

This was kind of a strange one in that it was technically a security issue that was incidentally fixed by a well-timed, separate public task/patch. @Reedy is tracking it for the next release in T233495, but it wasn't "held" due to the aforementioned process oddities. I'll still request a CVE and update this bug once I have it.

sbassett renamed this task from "Possible to circumvent title-blacklist" to "Possible to circumvent title-blacklist (CVE-2019-19709)". Dec 11 2019, 3:06 PM

Do we know what MediaWiki version this was introduced in?

At a quick glance, I don't see any indication that the bug has ever not existed since the redirect parameter was added in MW 1.17. But I haven't actually tested.