
Use composer/semver to validate oauth registration versions
Closed, Resolved, Public

Description

src/Control/ConsumerSubmitControl.php has

'version'      => '/^\d{1,3}(\.\d{1,2}){0,2}(-(dev|alpha|beta))?$/',

Seems better if we can just use composer/semver to validate rather than wheel reinvention?

See also T277388: OAuth doesn't validate length of oarc_version (CVE-2021-31555)
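The behaviour of the pattern quoted in the description, as an added example that is not code from the OAuth extension. The helper names and sample strings are constructed for illustration, and the composer/semver column is filled in only if the library is installed under `vendor/` beside the script.

```php
<?php
// Added example (not OAuth extension code). The pattern is copied from the task description.
const VERSION_PATTERN = '/^\d{1,3}(\.\d{1,2}){0,2}(-(dev|alpha|beta))?$/';

// Optional: load composer/semver if it has been installed next to this script.
if (is_file(__DIR__ . '/vendor/autoload.php')) {
    require __DIR__ . '/vendor/autoload.php';
}

/** Hypothetical helper: does the quoted pattern accept $v? $strict adds the D modifier. */
function regexAccepts(string $v, bool $strict = false): bool {
    // Without D (PCRE_DOLLAR_ENDONLY), "$" also matches just before a final "\n".
    return preg_match(VERSION_PATTERN . ($strict ? 'D' : ''), $v) === 1;
}

/** Hypothetical helper: null when composer/semver is not loadable, else accept/reject. */
function semverAccepts(string $v): ?bool {
    if (!class_exists(\Composer\Semver\VersionParser::class)) {
        return null;
    }
    try {
        // normalize() throws UnexpectedValueException for strings it cannot parse.
        (new \Composer\Semver\VersionParser())->normalize($v);
        return true;
    } catch (\UnexpectedValueException $e) {
        return false;
    }
}

// Constructed sample inputs: valid, pre-release, build metadata, oversized, trailing newline.
$samples = ['1.0', '1.2.3-beta', '1.0.0-rc1', '1.2.3+build.5', '1000.0', "1.0\n", str_repeat('9', 300)];

foreach ($samples as $v) {
    $semver = semverAccepts($v);
    printf(
        "%-18s len=%-3d regex=%-3s regex+D=%-3s semver=%s\n",
        json_encode(strlen($v) > 20 ? substr($v, 0, 9) . '...' : $v),
        strlen($v),
        regexAccepts($v) ? 'yes' : 'no',
        regexAccepts($v, true) ? 'yes' : 'no',
        $semver === null ? 'n/a' : ($semver ? 'yes' : 'no')
    );
}
```

The `regex` and `regex+D` columns differ only for `"1.0\n"`, which the pattern as quoted accepts, so a stored value can carry a trailing newline unless the `D` modifier or a separate check is used.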

Event Timeline

Change 671707 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/OAuth@master] Better validation of oauth_registered_consumer.oarc_version

https://gerrit.wikimedia.org/r/671707

Change 671707 merged by jenkins-bot:
[mediawiki/extensions/OAuth@master] Better validation of oauth_registered_consumer.oarc_version

https://gerrit.wikimedia.org/r/671707

Legoktm assigned this task to Reedy.

Change 676364 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OAuth@REL1_35] Better validation of oauth_registered_consumer.oarc_version

https://gerrit.wikimedia.org/r/676364

Change 676365 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OAuth@REL1_31] Better validation of oauth_registered_consumer.oarc_version

https://gerrit.wikimedia.org/r/676365

Change 676364 merged by jenkins-bot:

[mediawiki/extensions/OAuth@REL1_35] Better validation of oauth_registered_consumer.oarc_version

https://gerrit.wikimedia.org/r/676364

Change 676365 merged by jenkins-bot:

[mediawiki/extensions/OAuth@REL1_31] Better validation of oauth_registered_consumer.oarc_version

https://gerrit.wikimedia.org/r/676365