Page MenuHomePhabricator
Create Task
Maniphest T271037

CVE-2021-44856: Title blocked in AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of EditFilterMergedContent hook return value
Closed, ResolvedPublicSecurity
Actions

Assigned To
matmarex
Authored By
Func
Jan 2 2021, 5:48 AM
Tags
Referenced Files
F34527995: 0001-SECURITY-Fix-use-of-EditFilterMergedContent-hook-whe.patch
Jun 26 2021, 2:46 PM
Subscribers
Aklapper
Daimona
DannyS712
Func
gerritbot
matmarex
Mstyles
View All 11 Subscribers

Description

The EditFilterMergedContent hook in ContentModelChange class required returning false to interrupt edit action, but handling function of AbuseFilter don't have a return value.

So when use Special:ChangeContentModel in a non-existent title, it will create the page, while the AbuseFilter's log assumed the creation was blocked.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
SECURITY: Fix use of EditFilterMergedContent hook when changing content modelmediawiki/coremaster+6 -0
SECURITY: Fix use of EditFilterMergedContent hook when changing content modelmediawiki/coreREL1_36+6 -0
SECURITY: Fix use of EditFilterMergedContent hook when changing content modelmediawiki/coreREL1_37+6 -0
SECURITY: Fix use of EditFilterMergedContent hook when changing content modelmediawiki/coreREL1_35+6 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Func created this task.Jan 2 2021, 5:48 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 2 2021, 5:48 AM
Func added a comment.Jan 2 2021, 6:01 AM

Note that the handling of EditFilterMergedContent hook's return value in ContentModelChange class is different compare to which in EditFilterMergedContentHookConstraint class, should it to be modified or put up a warning to avoid such a mistake?

DannyS712 added projects: MediaWiki-Page-editing, User-DannyS712.Jan 2 2021, 8:24 AM
DannyS712 subscribed.

See also T271038: Use edit constraints within ContentModelChange

DannyS712 added a subscriber: taavi.Jan 2 2021, 8:29 AM
Reedy added a project: AbuseFilter.Jan 4 2021, 4:21 PM
Reedy updated the task description. (Show Details)
sbassett moved this task from Incoming to Watching on the Security-Team board.Jan 4 2021, 4:23 PM
sbassett added a subscriber: Daimona.
Daimona added a comment.Jan 4 2021, 9:08 PM

Returning false from the hook seems a good temporary solution, and I think it can be pushed publicly on gerrit, pretending it's some standardization / cleanup. But yes, core being inconsistent is the real problem.

DannyS712 added a comment.Jan 5 2021, 12:27 AM
In T271037#6720953, @Daimona wrote:

Returning false from the hook seems a good temporary solution, and I think it can be pushed publicly on gerrit, pretending it's some standardization / cleanup. But yes, core being inconsistent is the real problem.

Yeah, core is really inconsistent. You can see the logic used for saving edits at EditFilterMergedContentHookConstraint. Note that switching to returning false might result in different behavior for saving edits, not sure since I'm not familiar enough with what AbuseFilter currently does in that hook

Daimona added a comment.Jan 5 2021, 11:16 AM
In T271037#6721469, @DannyS712 wrote:
In T271037#6720953, @Daimona wrote:

Returning false from the hook seems a good temporary solution, and I think it can be pushed publicly on gerrit, pretending it's some standardization / cleanup. But yes, core being inconsistent is the real problem.

Yeah, core is really inconsistent. You can see the logic used for saving edits at EditFilterMergedContentHookConstraint. Note that switching to returning false might result in different behavior for saving edits, not sure since I'm not familiar enough with what AbuseFilter currently does in that hook

OK, fair. I didn't check the core code, but then perhaps we can copy part of EditFilterMergedContentHookConstraint into ContentModelChange? Specifically the part which checks the Status.

Func added a comment.Jan 10 2021, 2:37 AM
In T271037#6720953, @Daimona wrote:

Returning false from the hook seems a good temporary solution, and I think it can be pushed publicly on gerrit, pretending it's some standardization / cleanup. But yes, core being inconsistent is the real problem.

If return false, you should set $status->value after $status->merge( $filterResultApi ); manually, such as $status->value = MediaWiki\EditPage\IEditObject::AS_HOOK_ERROR_EXPECTED;.
I tested in my install of mw1.35, it's fine with edit and changecontentmodel both. But I wonder if that is a correct way to handle this hook?

I hope the code in ContentModelChange can be improved, because almost all hooks (originally) provide by EditPage.php support set Status object without return false.

Func mentioned this in T273354: Set $status->value in EditFilterMergedContentHookConstraint::checkConstraint() properly to display error message.Feb 5 2021, 3:22 PM
Tgr subscribed.Mar 31 2021, 9:49 AM

I wonder if the intention with ignoring the status in ContentModelChange is to allow users to go (content1, model1) -> (content1, model2) -> (content2, model2) when there's no content that would be valid under both model1 and model2 so you couldn't otherwise get from one to the other.

On the net it still seems like a bad idea though. The API allows changing the content and the model at the same time, and it's a sufficiently infrequent problem that that should be a valid solution.

Func added a comment.Apr 4 2021, 5:38 AM
In T271037#6959898, @Tgr wrote:

On the net it still seems like a bad idea though. The API allows changing the content and the model at the same time, and it's a sufficiently infrequent problem that that should be a valid solution.

Sorry for my poor english, what change should be done to solve this bug in your opinion?

Func added a comment.Apr 4 2021, 5:39 AM
This comment was removed by Func.
sbassett added projects: SecTeam-Processed, Vuln-MissingAuthz.Apr 5 2021, 7:08 PM
Func added a subscriber: matmarex.Jun 26 2021, 1:36 PM

@matmarex , Changes related to T280312 can actually solve this security issue, so I considered doing backports.
I stopped creating backport changes now, If backports really shouldn't be done, please fell free to abandon them.

matmarex added a comment.Jun 26 2021, 2:39 PM

Extensions outside of our version control could also trigger this issue, right?

If so, it seems to me that it should be fixed in the ContentModelChange class, by changing the logic to match the EditFilterMergedContentHookConstraint class. And then that's the patch that should be backported.

matmarex added a project: Patch-For-Review.Jun 26 2021, 2:46 PM

And the required patch appears to be this:

0001-SECURITY-Fix-use-of-EditFilterMergedContent-hook-whe.patch1 KBDownload

sbassett moved this task from Watching to Incoming on the Security-Team board.Jun 28 2021, 4:22 PM
sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.Jul 12 2021, 3:36 PM
Reedy renamed this task from Title which blocked in AbuseFilter can be create via Special:ChangeContentModel due to the mishandling of EditFilterMergedContent hook to Title which blocked in AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of EditFilterMergedContent hook return value.Jul 12 2021, 3:37 PM
sbassett mentioned this in T287124: Grant access to OIT-LDAP Diffusion repo to contractor Danielattevelt.Jul 21 2021, 9:30 PM
Mstyles subscribed.Nov 1 2021, 9:12 PM

The security team would be happy to deploy this patch as soon as it can be reviewed by another person.

matmarex added a comment.Nov 3 2021, 7:10 PM

@Daimona @Func Are you able to have a look at the patch? It's very short and hopefully trivial.

Func added a comment.Nov 4 2021, 1:03 PM

LGTM.

Mstyles added a parent task: T292227: Tracking bug for MediaWiki 1.35.5/1.36.3/1.37.1.Dec 6 2021, 10:23 PM
sbassett subscribed.EditedDec 6 2021, 10:23 PM

Patch from T271037#7178772 was deployed during today's security window:

22:19 mstyles@deploy1002: Synchronized php-1.38.0-wmf.9/includes/content/ContentModelChange.php: Deploy security patch for T271037 (duration: 00m 56s)

Tracking as part of the next security release: T292226. We're not seeing any errors in logstash, but if other folks subscribed on this task could perform some additional verification that the patch is behaving properly within production, that'd be great.

sbassett moved this task from Security Patch To Deploy to Our Part Is Done on the Security-Team board.Dec 6 2021, 10:27 PM
sbassett removed a project: Patch-For-Review.
sbassett triaged this task as Low priority.Dec 6 2021, 10:39 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed Risk Rating from N/A to Low.
Reedy renamed this task from Title which blocked in AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of EditFilterMergedContent hook return value to Title blocked in AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of EditFilterMergedContent hook return value.Dec 10 2021, 5:48 PM
Reedy closed this task as Resolved.Dec 10 2021, 5:52 PM
Reedy assigned this task to matmarex.
Legoktm mentioned this in T297322: CVE-2021-44857, CVE-2021-44858: Unauthorized users can undo edits on any protected page and view contents of private wikis using mcrundo .Dec 10 2021, 7:44 PM
Reedy mentioned this in T292227: Tracking bug for MediaWiki 1.35.5/1.36.3/1.37.1.Dec 10 2021, 7:55 PM
Reedy subscribed.Dec 10 2021, 8:04 PM

Patch applies to all supported branches cleanly.

Reedy renamed this task from Title blocked in AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of EditFilterMergedContent hook return value to CVE-2021-44856: Title blocked in AbuseFilter can be created via Special:ChangeContentModel due to the mishandling of EditFilterMergedContent hook return value.Dec 13 2021, 3:04 AM
Reedy added a subscriber: gerritbot.Dec 13 2021, 9:40 PM
gerritbot added a comment.Dec 15 2021, 7:30 PM

Change 747574 had a related patch set uploaded (by Reedy; author: Bartosz Dziewoński):

[mediawiki/core@REL1_35] SECURITY: Fix use of EditFilterMergedContent hook when changing content model

https://gerrit.wikimedia.org/r/747574

gerritbot added a project: Patch-For-Review.Dec 15 2021, 7:30 PM

Change 747581 had a related patch set uploaded (by Reedy; author: Bartosz Dziewoński):

[mediawiki/core@REL1_36] SECURITY: Fix use of EditFilterMergedContent hook when changing content model

https://gerrit.wikimedia.org/r/747581

gerritbot added a comment.Dec 15 2021, 7:32 PM

Change 747588 had a related patch set uploaded (by Reedy; author: Bartosz Dziewoński):

[mediawiki/core@REL1_37] SECURITY: Fix use of EditFilterMergedContent hook when changing content model

https://gerrit.wikimedia.org/r/747588

gerritbot added a comment.Dec 15 2021, 7:46 PM

Change 747599 had a related patch set uploaded (by Reedy; author: Bartosz Dziewoński):

[mediawiki/core@master] SECURITY: Fix use of EditFilterMergedContent hook when changing content model

https://gerrit.wikimedia.org/r/747599

gerritbot added a comment.Dec 15 2021, 7:47 PM

Change 747574 merged by jenkins-bot:

[mediawiki/core@REL1_35] SECURITY: Fix use of EditFilterMergedContent hook when changing content model

https://gerrit.wikimedia.org/r/747574

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 15 2021, 7:53 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".
ReleaseTaggerBot added a project: MW-1.35-notes.Dec 15 2021, 8:00 PM
gerritbot added a comment.Dec 15 2021, 8:02 PM

Change 747588 merged by jenkins-bot:

[mediawiki/core@REL1_37] SECURITY: Fix use of EditFilterMergedContent hook when changing content model

https://gerrit.wikimedia.org/r/747588

gerritbot added a comment.Dec 15 2021, 8:25 PM

Change 747581 merged by jenkins-bot:

[mediawiki/core@REL1_36] SECURITY: Fix use of EditFilterMergedContent hook when changing content model

https://gerrit.wikimedia.org/r/747581

gerritbot added a comment.Dec 15 2021, 8:48 PM

Change 747599 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: Fix use of EditFilterMergedContent hook when changing content model

https://gerrit.wikimedia.org/r/747599

ReleaseTaggerBot added projects: MW-1.38-notes (1.38.0-wmf.16; 2022-01-03), MW-1.36-notes, MW-1.37-notes.Dec 15 2021, 9:00 PM
Osnard mentioned this in T297896: Apply changes from 1.35.5 to unsupported legacy branch `REL1_31`.Dec 16 2021, 4:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits