
PHP Notice: Undefined offset: 8 from TOTPKey.php
Closed, Resolved · Public · Security

Description

Unclear if any impact, but just noticed a handful of these in logs:

[Exception ErrorException] (/srv/mediawiki/php-1.35.0-wmf.16/extensions/OATHAuth/src/Key/TOTPKey.php:188) PHP Notice: Undefined offset: 8
  #0 /srv/mediawiki/php-1.35.0-wmf.16/extensions/OATHAuth/src/Key/TOTPKey.php(188): MWExceptionHandler::handleError(integer, string, string, integer, array)
  #1 /srv/mediawiki/php-1.35.0-wmf.16/extensions/OATHAuth/src/Module/TOTP.php(92): MediaWiki\Extension\OATHAuth\Key\TOTPKey->verify(array, MediaWiki\Extension\OATHAuth\OATHUser)
  #2 /srv/mediawiki/php-1.35.0-wmf.16/extensions/OATHAuth/src/HTMLForm/TOTPDisableForm.php(56): MediaWiki\Extension\OATHAuth\Module\TOTP->verify(MediaWiki\Extension\OATHAuth\OATHUser, array)
  #3 /srv/mediawiki/php-1.35.0-wmf.16/includes/htmlform/HTMLForm.php(694): MediaWiki\Extension\OATHAuth\HTMLForm\TOTPDisableForm->onSubmit(array, MediaWiki\Extension\OATHAuth\HTMLForm\TOTPDisableForm)
  #8 /srv/mediawiki/php-1.35.0-wmf.16/extensions/OATHAuth/src/Special/OATHManage.php(187): MediaWiki\Extension\OATHAuth\Special\OATHManage->addCustomContent(MediaWiki\Extension\OATHAuth\Module\TOTP)
  #9 /srv/mediawiki/php-1.35.0-wmf.16/extensions/OATHAuth/src/Special/OATHManage.php(100): MediaWiki\Extension\OATHAuth\Special\OATHManage->addModuleHTML(MediaWiki\Extension\OATHAuth\Module\TOTP)
brennen@mwlog1001:/srv/mw-log$ grep -c 'TOTP' ./error.log 
48

Event Timeline

brennen created this task. Feb 4 2020, 11:58 PM
Restricted Application added a subscriber: Aklapper. Feb 4 2020, 11:58 PM
Reedy added a subscriber: Reedy.

Any sign before .16? Not been any code changes for a little while...

Looks like it relates to scratch tokens...
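The task does not quote the failing line in TOTPKey::verify(), so the mechanism is an assumption: "Undefined offset" is the notice PHP raises when a list is read at a position that was removed with unset() and never reindexed, which is one way a scratch-token removal can leave a stale index behind. The following is an added example, not code from OATHAuth or from the linked change; the token values are constructed placeholders and the function names are hypothetical. It contrasts a removal that leaves a hole in the list with a consumption routine that compares in constant time, removes exactly the matched entry, and reindexes so positional access stays valid.

```php
<?php
declare(strict_types=1);

// Added example, not code from the OATHAuth extension. The task does not quote
// the failing line, so the mechanism below is an assumption: an "Undefined
// offset" notice is what PHP emits when a list is indexed at a position that
// was removed with unset() and never reindexed.

/** Constructed sample: ten one-time scratch tokens as a positional list. */
function sampleScratchTokens(): array {
    $tokens = [];
    for ($i = 0; $i < 10; $i++) {
        $tokens[] = sprintf('%08d', $i * 1111); // placeholder values, not real secrets
    }
    return $tokens;
}

/**
 * Removal that leaves a hole: unset() drops the key but keeps the others, so
 * count() shrinks while the highest remaining key stays where it was. A later
 * for ($i = 0; $i < count($tokens); $i++) loop over this array reads a
 * missing offset and triggers a notice of the shape seen in the report.
 */
function removeLeavingHole(array $tokens, string $submitted): array {
    foreach ($tokens as $key => $token) {
        if (hash_equals((string)$token, $submitted)) {
            unset($tokens[$key]);
            break;
        }
    }
    return $tokens;
}

/**
 * Consume a scratch token safely: constant-time compare, remove exactly the
 * matched entry, and reindex with array_values() so keys stay 0..n-1.
 * Returns the updated list, or null when nothing matched so the caller
 * fails closed instead of treating a stale list as a success.
 */
function consumeScratchToken(array $tokens, string $submitted): ?array {
    foreach ($tokens as $key => $token) {
        if (hash_equals((string)$token, $submitted)) {
            unset($tokens[$key]);
            return array_values($tokens);
        }
    }
    return null;
}

/** True when the array's keys are not the contiguous sequence 0..n-1. */
function hasHoles(array $list): bool {
    if ($list === []) {
        return false;
    }
    return array_keys($list) !== range(0, count($list) - 1);
}

// Walk-through on the constructed sample: submit the ninth token (index 8).
$tokens = sampleScratchTokens();
$submitted = $tokens[8];

$holey = removeLeavingHole($tokens, $submitted);
var_dump(hasHoles($holey));   // the gap left by unset() is what a positional loop trips over
var_dump(isset($holey[8]));   // reading $holey[8] directly would raise the notice

$clean = consumeScratchToken($tokens, $submitted);
var_dump(hasHoles($clean));   // reindexed list: no gap, positional access is safe
var_dump(consumeScratchToken($clean, $submitted)); // a scratch token is single-use; second use must not match
```

The point for a reviewer of such code is that removal and later lookup must agree on the array's shape: either always iterate with foreach over whatever keys exist, or reindex immediately after every removal. The null return on a miss keeps the caller from mistaking "token list unchanged" for "token accepted".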

Reedy triaged this task as Medium priority. Feb 10 2020, 4:13 PM
Reedy moved this task from Incoming to In Progress on the Security-Team board.
Reedy closed this task as Resolved. Feb 10 2020, 11:27 PM
Reedy assigned this task to ItSpiderman.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
Reedy changed the edit policy from "Custom Policy" to "All Users".

Change 571386 had a related patch set uploaded (by Reedy; owner: ItSpiderman):
[mediawiki/extensions/OATHAuth@REL1_34] Fix removing scratch tokens

https://gerrit.wikimedia.org/r/571386

Change 571386 merged by jenkins-bot:
[mediawiki/extensions/OATHAuth@REL1_34] Fix removing scratch tokens

https://gerrit.wikimedia.org/r/571386