Page MenuHomePhabricator
Create Task
Maniphest T260633

BotPasswords doesn't validate length of resultant bp_grants JSON
Closed, ResolvedPublicSecurity
Actions

Description

Very similar to T260631: BotPasswords doesn't validate length of resultant bp_restrictions JSON, but for bp_grants

If you for some reason had many many many many grants.... IT would be possible to end up with JSON longer than MySQL BLOB...

As such, in the same way as T260631, the length should be validated and an error thrown if it's too long

Technically blocks T108255: Enable MariaDB/MySQL's Strict Mode

Details

SubjectRepoBranchLines +/-
Validate max length of bp_restrictions and bp_grantsmediawiki/coreREL1_31+123 -26
Validate max length of bp_restrictions and bp_grantsmediawiki/coreREL1_35+151 -44
Validate max length of bp_restrictions and bp_grantsmediawiki/coremaster+140 -34
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedSecurityReedyT260633 BotPasswords doesn't validate length of resultant bp_grants JSON

Event Timeline

Reedy created this task.Aug 17 2020, 11:40 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 17 2020, 11:40 PM
Reedy added a project: MediaWiki-User-management.Aug 17 2020, 11:40 PM
Reedy added a project: Platform Engineering.
Reedy updated the task description. (Show Details)Aug 18 2020, 12:45 AM
eprodromou triaged this task as Medium priority.Aug 18 2020, 8:33 PM
eprodromou edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering.
eprodromou moved this task from Inbox to Later on the Platform Team Workboards (Clinic Duty Team) board.
Reedy moved this task from Incoming to Watching on the Security-Team board.Aug 24 2020, 3:12 PM
Reedy added a subscriber: gerritbot.Oct 4 2020, 1:04 AM
gerritbot added a comment.Oct 4 2020, 1:39 AM

Change 631954 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/core@master] Validate max length of bp_restrictions and bp_grants

https://gerrit.wikimedia.org/r/631954

gerritbot added a project: Patch-For-Review.Oct 4 2020, 1:39 AM
Reedy edited projects, added Platform Team Workboards (External Code Reviews); removed Platform Team Workboards (Clinic Duty Team).Oct 17 2020, 11:49 AM
gerritbot added a comment.Dec 5 2020, 3:14 AM

Change 645357 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/core@REL1_31] Validate max length of bp_restrictions and bp_grants

https://gerrit.wikimedia.org/r/645357

gerritbot added a comment.Dec 5 2020, 3:16 AM

Change 645358 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/core@REL1_35] Validate max length of bp_restrictions and bp_grants

https://gerrit.wikimedia.org/r/645358

gerritbot added a comment.Dec 5 2020, 3:19 AM

Change 631954 merged by jenkins-bot:
[mediawiki/core@master] Validate max length of bp_restrictions and bp_grants

https://gerrit.wikimedia.org/r/631954

Jdforrester-WMF added a project: MW-1.36-notes (1.36.0-wmf.21; 2020-12-08).Dec 5 2020, 6:47 PM
Jdforrester-WMF added projects: MW-1.35-notes, MW-1.31-release-notes.
Jdforrester-WMF subscribed.
gerritbot added a comment.Dec 8 2020, 11:55 PM

Change 645358 merged by jenkins-bot:
[mediawiki/core@REL1_35] Validate max length of bp_restrictions and bp_grants

https://gerrit.wikimedia.org/r/645358

gerritbot added a comment.Dec 9 2020, 1:17 AM

Change 645357 merged by jenkins-bot:
[mediawiki/core@REL1_31] Validate max length of bp_restrictions and bp_grants

https://gerrit.wikimedia.org/r/645357

Clarakosi moved this task from External Code Review Needed to External Code Review Completed on the Platform Team Workboards (External Code Reviews) board.Dec 21 2020, 7:32 PM
Reedy closed this task as Resolved.Mar 13 2021, 2:31 PM
Reedy claimed this task.
Reedy removed a project: Patch-For-Review.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
Reedy changed the edit policy from "Custom Policy" to "All Users".
Reedy added a parent task: Restricted Task.Mar 13 2021, 2:35 PM
Reedy mentioned this in T277379: OAuth doesn't validate length of oarc_grants and oarc_oauth2_allowed_grants JSON.Mar 13 2021, 5:06 PM
Reedy mentioned this in T277399: Allow more specific error messages in SubmitControl::validateFields().Mar 14 2021, 12:56 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL