Page MenuHomePhabricator
Create Task
Maniphest T268641

PushToWatch: classic CSRF (CVE-2020-35626)
Closed, ResolvedPublicSecurity
Actions

Description

While working on T268627: PushToWatch extension does not show anything in page footer as well as fixing some unrelated issues in that unmaintained codebase, I realized that the form (which currently requires no authentication whatsoever, thus rendering the extension 100% unsuitable for a public, world-editable wiki) shown on the page footer doesn't have an edit token, rendering the extension vulnerable to cross-site request forgeries.

Quick patch (on top of all the patches I currently have open in gerrit against this extension):

diff --git a/src/PushToWatch.php b/src/PushToWatch.php
index 9a7f9a2..dd3e6bf 100644
--- a/src/PushToWatch.php
+++ b/src/PushToWatch.php
@@ -85,6 +85,7 @@ class PushToWatch {
                                $output .= Html::rawElement( 'form', [ 'method' => 'post' ],
                                        wfMessage( 'pushtowatch' )->escaped() .
                                        wfMessage( 'word-separator' )->parse() .
+                                       Html::hidden( 'wpPushToWatchToken', RequestContext::getMain()->getUser()->getEditToken() ) .
                                        Html::submitButton( '', [ 'style' => 'display:none' ] ) .
                                        // @todo FIXME: give this element class="mw-autocomplete-user" and add the
                                        // 'mediawiki.userSuggest' ResourceLoader module to output to enable
@@ -107,14 +108,21 @@ class PushToWatch {
         */
        public static function onSkinAddFooterLinks( Skin $sk, string $key, array &$footerLinks ) {
                $title = $sk->getRelevantTitle();
+               $request = $sk->getRequest();
                $output = '<hr />';
+               $isTokenOK = $sk->getUser()->matchEditToken( $request->getVal( 'wpPushToWatchToken' ) );
 
                try {
-                       $user = $sk->getRequest()->getText( 'pushtowatch_user' );
-                       // FIXME: This destroys all usernames that contain other characters!
-                       $user = preg_replace( "#[^a-z]#i", '', $user );
-                       if ( $user ) {
-                               self::addToWatch( $title, $user );
+                       if ( $request->wasPosted() && $isTokenOK ) {
+                               $user = $request->getText( 'pushtowatch_user' );
+                               // FIXME: This destroys all usernames that contain other characters!
+                               $user = preg_replace( "#[^a-z]#i", '', $user );
+                               if ( $user ) {
+                                       self::addToWatch( $title, $user );
+                               }
+                       } elseif ( $request->wasPosted() && !$isTokenOK ) {
+                               // CSRF attempt or something...
+                               $output .= Html::errorBox( $sk->msg( 'sessionfailure' )->parse() );
                        }
                } catch ( Exception $e ) {
                        $output .= Html::errorBox( $skin->msg( 'pushtowatch-error', $user )->parse() );

Details

SubjectRepoBranchLines +/-
SECURITY: Fix CSRF vulnerability by requiring a valid edit tokenmediawiki/extensions/PushToWatchREL1_35+145 -0
SECURITY: Fix CSRF vulnerability by requiring a valid edit tokenmediawiki/extensions/PushToWatchmaster+13 -5
Customize query in gerrit

Related Objects

Event Timeline

ashley created this task.Nov 24 2020, 3:44 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 24 2020, 3:44 PM
ashley added projects: MediaWiki-extensions-PushToWatch, Vuln-CSRF.Nov 24 2020, 3:44 PM
ashley added a subscriber: Bawolff.Nov 25 2020, 9:36 AM
Bawolff added a comment.Nov 25 2020, 9:49 AM

lgtm, although i have no idea why its stripping non alphabetical characters from the username.

Urbanecm closed this task as Resolved.Nov 25 2020, 10:44 PM
Urbanecm assigned this task to ashley.
Urbanecm subscribed.

Merged as https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PushToWatch/+/643575.

Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 25 2020, 10:45 PM
Urbanecm changed the edit policy from "Custom Policy" to "All Users".
sbassett mentioned this in T263810: Write and send supplementary release announcement for extensions and skins with security patches (1.31.11/1.35.1).Dec 1 2020, 9:44 PM
gerritbot added a comment.Dec 1 2020, 9:45 PM

Change 644501 had a related patch set uploaded (by SBassett; owner: Jack Phoenix):
[mediawiki/extensions/PushToWatch@REL1_35] SECURITY: Fix CSRF vulnerability by requiring a valid edit token

https://gerrit.wikimedia.org/r/644501

gerritbot added a project: Patch-For-Review.Dec 1 2020, 9:45 PM

Change 644501 abandoned by SBassett:
[mediawiki/extensions/PushToWatch@REL1_35] SECURITY: Fix CSRF vulnerability by requiring a valid edit token

Reason:
Apparently not applicable to REL1_35

https://gerrit.wikimedia.org/r/644501

sbassett renamed this task from PushToWatch: classic CSRF to PushToWatch: classic CSRF (CVE-2020-35626).Dec 22 2020, 8:49 PM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Dec 23 2020, 4:00 PM
sbassett removed a project: Patch-For-Review.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits