
OAuth doesn't validate length of oarc_grants and oarc_oauth2_allowed_grants JSON
Closed, Resolved · Public · Security

Description

Basically the same as T260633: BotPasswords doesn't validate length of resultant bp_grants JSON

The length of oarc_grants is not validated before it's inserted into the DB

So if "too many" grants are selected (and/or too many with long names), we end up with truncated JSON.

Technically blocks T108255: Enable MariaDB/MySQL's Strict Mode. See also T260635.
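The failure mode described above, as an added example (not code from the OAuth extension, whose fix is in PHP): a grant list is serialized to a JSON array, MySQL without strict mode silently cuts the value at the BLOB column's 65,535-byte limit, and the stored value no longer decodes back to the original grants. The function names, the constructed grant lists and the non-strict-insert simulation are assumptions made for illustration; the pre-insert byte-length check is the kind of guard the linked change sets add.

```python
import json

# MySQL BLOB columns hold at most 65,535 bytes. oarc_grants and
# oarc_oauth2_allowed_grants are BLOBs, so the serialized grant list must
# stay under this limit. (Byte length, not character count, is what matters.)
MYSQL_BLOB_MAX_BYTES = 65535


def encode_grants(grants):
    """Serialize a grant list as a compact JSON array (hypothetical helper)."""
    return json.dumps(list(grants), separators=(",", ":"))


def check_grants_fit(grants, limit=MYSQL_BLOB_MAX_BYTES):
    """Pre-insert guard: return (fits, byte_length) for the encoded grants.

    This is the check to run before writing to the DB; on False the caller
    should reject the request instead of inserting.
    """
    encoded = encode_grants(grants).encode("utf-8")
    return len(encoded) <= limit, len(encoded)


def simulate_non_strict_insert(grants, limit=MYSQL_BLOB_MAX_BYTES):
    """Mimic MySQL without strict mode: the value is silently truncated to the
    column size rather than rejected. Returns the bytes that would be stored
    (assumed behaviour for illustration; no database is touched)."""
    return encode_grants(grants).encode("utf-8")[:limit]


def grants_survive_roundtrip(grants, limit=MYSQL_BLOB_MAX_BYTES):
    """True only if the stored bytes decode back to exactly the same grants.

    A truncated JSON array is either invalid JSON or invalid UTF-8 (when the
    cut lands inside a multi-byte character), so either error means the
    grant list was lost.
    """
    stored = simulate_non_strict_insert(grants, limit)
    try:
        return json.loads(stored.decode("utf-8")) == list(grants)
    except (UnicodeDecodeError, ValueError):
        return False


# Constructed sample inputs: a normal grant list and an oversized one.
SMALL_GRANTS = ["basic", "editpage"]
HUGE_GRANTS = [f"grant{i:05d}" for i in range(6000)]  # ~78 KB of JSON


if __name__ == "__main__":
    for name, grants in (("small", SMALL_GRANTS), ("huge", HUGE_GRANTS)):
        fits, size = check_grants_fit(grants)
        print(f"{name}: {size} bytes, fits={fits}, "
              f"roundtrip_ok={grants_survive_roundtrip(grants)}")
```

The check belongs before the insert, because once strict mode is off the database gives no error to react to; the only signal is a later decode failure when the consumer is loaded, by which point the original grant selection is gone.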

Event Timeline

Reedy triaged this task as Low priority. Mar 13 2021, 5:06 PM
Reedy updated the task description.

Change 671655 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/OAuth@master] Make sure oauth_registered_consumer.oarc_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/671655

Change 671658 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/OAuth@master] Make sure oauth_registered_consumer.oarc_oauth2_allowed_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/671658

Change 671655 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Make sure oauth_registered_consumer.oarc_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/671655

Change 673567 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/OAuth@REL1_35] Make sure oauth_registered_consumer.oarc_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/673567

Change 673567 merged by jenkins-bot:
[mediawiki/extensions/OAuth@REL1_35] Make sure oauth_registered_consumer.oarc_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/673567

Change 673569 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/OAuth@REL1_31] Make sure oauth_registered_consumer.oarc_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/673569

Change 673569 merged by jenkins-bot:
[mediawiki/extensions/OAuth@REL1_31] Make sure oauth_registered_consumer.oarc_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/673569

Reedy added a parent task: Restricted Task. Mar 20 2021, 7:45 PM
Reedy renamed this task from "OAuth doesn't validate length of oarc_grants JSON" to "OAuth doesn't validate length of oarc_grants and oarc_oauth2_allowed_grants JSON". Apr 2 2021, 1:17 AM
sbassett assigned this task to Reedy.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
sbassett added a subscriber: sbassett.

Looks to be completed with the above change sets merged?

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".

The patch for oarc_oauth2_allowed_grants isn't actually finished

Change 671658 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Make sure oarc_oauth2_allowed_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/671658

Change 879997 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OAuth@REL1_39] Make sure oarc_oauth2_allowed_grants fits in a MySQL blob

https://gerrit.wikimedia.org/r/879997