Page MenuHomePhabricator
Create Task
Maniphest T261333

Make Consumer::normalizeValues() give consistent normalized values for null emailAuthenticated timestamp
Closed, ResolvedPublic
Actions

Description

Consumer::normalizeValues() adjusts various fields to consistent values. For timestamps, it does something like this:

$this->emailAuthenticated = wfTimestamp( TS_MW, $this->emailAuthenticated );
$this->registration = wfTimestamp( TS_MW, $this->registration );
$this->stageTimestamp = wfTimestamp( TS_MW, $this->stageTimestamp );

"registration" and "stageTimestamp" cannot be null in the db, but emailAuthenticated can.

The current code is fine in normal usage, where emailAuthenticated always has a valid value. But if it is null, it is normalized to the current timestamp. Because this timestamp is used in MWOauthDAO::getChangeToken(), this introduces a subtle timing issue where change tokens do not match if the current timestamp has incremented by (at least) a second between change token calculations.

To my knowledge, this is not a production issue, as this timestamp is always initialized in code. However, it gave inconsistent and unexpected results in local unit testing.

Suggested fix: use wfTimestampOrNull rather than wfTimestamp to normalize the emailAuthenticated value. This better reflects reality, and also causes Consumer::normalizeValues() to behave consistently, thereby eliminating the timing issue.

Details

SubjectRepoBranchLines +/-
Make Consumer::normalizeValues() consistently normalize emailAuthenticatedmediawiki/extensions/OAuthmaster+31 -4
Customize query in gerrit

Event Timeline

BPirkle created this task.Aug 26 2020, 4:52 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 26 2020, 4:52 PM
BPirkle added a comment.Aug 26 2020, 4:57 PM

Actually, looking at the db schema, "registration" and "stageTimestamp" can't be null. So this needs to be done only for emailAuthenticated.

BPirkle renamed this task from Make Consumer::normalizeValues() give consistent normalized values for null timestamps to Make Consumer::normalizeValues() give consistent normalized values for null emailAuthenticated timestamp.Aug 26 2020, 5:02 PM
BPirkle updated the task description. (Show Details)
gerritbot added a comment.Aug 26 2020, 5:06 PM

Change 622614 had a related patch set uploaded (by BPirkle; owner: BPirkle):
[mediawiki/extensions/OAuth@master] Make Consumer::normalizeValues() consistently normalize emailAuthenticated

https://gerrit.wikimedia.org/r/622614

gerritbot added a project: Patch-For-Review.Aug 26 2020, 5:06 PM
gerritbot added a comment.Aug 26 2020, 7:41 PM

Change 622614 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Make Consumer::normalizeValues() consistently normalize emailAuthenticated

https://gerrit.wikimedia.org/r/622614

BPirkle closed this task as Resolved.Aug 26 2020, 7:49 PM
BPirkle moved this task from Inbox to Doing(WIP:5) on the Platform Team Workboards (Clinic Duty Team) board.
BPirkle moved this task from Doing(WIP:5) to Done on the Platform Team Workboards (Clinic Duty Team) board.
ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.8; 2020-09-08).Aug 26 2020, 8:01 PM
Maintenance_bot removed a project: Patch-For-Review.Aug 26 2020, 8:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL