Page MenuHomePhabricator
Create Task
Maniphest T260631

BotPasswords doesn't validate length of resultant bp_restrictions JSON
Closed, ResolvedPublicSecurity
Actions

Description

Forking from T260578

If you add many many IPs to an MWRestrictions object, such as via a BotPassword, it's possible to end up with a JSON string longer than BLOB will allow. This will result in truncated JSON being saved into the database, and as such, when it's retrieved, won't validate as JSON

Validation needs adding to check the length of bp_restrictions to be inserted is <= 65535 characters

And if it's longer... Some error should be thrown to the user, and the row not inserted

Technically blocks T108255: Enable MariaDB/MySQL's Strict Mode

Details

SubjectRepoBranchLines +/-
Validate max length of bp_restrictions and bp_grantsmediawiki/coreREL1_31+123 -26
Validate max length of bp_restrictions and bp_grantsmediawiki/coreREL1_35+151 -44
Validate max length of bp_restrictions and bp_grantsmediawiki/coremaster+140 -34
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedSecurityReedyT260631 BotPasswords doesn't validate length of resultant bp_restrictions JSON

Event Timeline

Reedy created this task.Aug 17 2020, 11:34 PM
Reedy added a project: MediaWiki-User-management.
Reedy renamed this task from BotPasswords doesn't validate length of resultant JSON to BotPasswords doesn't validate length of resultant bp_restrictions JSON.Aug 17 2020, 11:38 PM
Reedy mentioned this in T260633: BotPasswords doesn't validate length of resultant bp_grants JSON.
Reedy added a project: Platform Engineering.Aug 17 2020, 11:41 PM
Reedy updated the task description. (Show Details)Aug 18 2020, 12:45 AM
eprodromou triaged this task as Medium priority.Aug 18 2020, 8:36 PM
eprodromou edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering.
eprodromou moved this task from Inbox to Later on the Platform Team Workboards (Clinic Duty Team) board.
Reedy moved this task from Incoming to Watching on the Security-Team board.Aug 24 2020, 3:13 PM
Reedy added a subscriber: gerritbot.Oct 4 2020, 1:05 AM
gerritbot added a comment.Oct 4 2020, 1:39 AM

Change 631954 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/core@master] Validate max length of bp_restrictions and bp_grants

https://gerrit.wikimedia.org/r/631954

gerritbot added a project: Patch-For-Review.Oct 4 2020, 1:39 AM
Reedy edited projects, added Platform Team Workboards (External Code Reviews); removed Platform Team Workboards (Clinic Duty Team).Oct 17 2020, 11:49 AM
gerritbot added a comment.Dec 5 2020, 3:14 AM

Change 645357 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/core@REL1_31] Validate max length of bp_restrictions and bp_grants

https://gerrit.wikimedia.org/r/645357

gerritbot added a comment.Dec 5 2020, 3:16 AM

Change 645358 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/core@REL1_35] Validate max length of bp_restrictions and bp_grants

https://gerrit.wikimedia.org/r/645358

gerritbot added a comment.Dec 5 2020, 3:19 AM

Change 631954 merged by jenkins-bot:
[mediawiki/core@master] Validate max length of bp_restrictions and bp_grants

https://gerrit.wikimedia.org/r/631954

gerritbot added a comment.Dec 8 2020, 11:55 PM

Change 645358 merged by jenkins-bot:
[mediawiki/core@REL1_35] Validate max length of bp_restrictions and bp_grants

https://gerrit.wikimedia.org/r/645358

gerritbot added a comment.Dec 9 2020, 1:17 AM

Change 645357 merged by jenkins-bot:
[mediawiki/core@REL1_31] Validate max length of bp_restrictions and bp_grants

https://gerrit.wikimedia.org/r/645357

Clarakosi moved this task from External Code Review Needed to External Code Review Completed on the Platform Team Workboards (External Code Reviews) board.Dec 21 2020, 7:32 PM
Reedy closed this task as Resolved.Mar 13 2021, 2:32 PM
Reedy claimed this task.
Reedy removed a project: Patch-For-Review.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
Reedy changed the edit policy from "Custom Policy" to "All Users".
Reedy mentioned this in T277399: Allow more specific error messages in SubmitControl::validateFields().Mar 14 2021, 12:56 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL