
Cache pollution after a revert causing autoblocks on WMCS ranges
Closed, ResolvedPublicSecurity

Description

I'm making this task after the problem has already been solved, as a record just in case there are any similar issues in the future. It's private for now in case there are other affected wikis that we haven't noticed yet; Security-Team, this should be OK to publish by your clinic meeting on Monday unless you have other reasons to keep this private.

A patch renaming the MediaWiki:Autoblock_whitelist page was deployed on Wednesday during the train and was rolled back on Thursday due to an unrelated issue. A user moved the interface page to the new name on Commons about a day after the initial deploy, just before the train was rolled back. When the patch was reverted on the train rollback, the original name was no longer available until it was re-created about 12 hours later.

After reports from Toolforge users about autoblocks, I started investigating and realized that, due to caching in DatabaseBlock::isWhitelistedFromAutoblocks, the version without the old (and at that point only working) exemption list page was being cached, effectively removing its effects completely.

@Urbanecm cleared those caches on commonswiki as seen below:

>>> \MediaWiki\Block\DatabaseBlock::isWhitelistedFromAutoblocks("172.16.7.167")
=> false
>>> $cache = \MediaWiki\MediaWikiServices::getInstance()->getMainWANObjectCache();
=> WANObjectCache {#527}
>>> $key = $cache->makeKey( 'ip-autoblock', 'whitelist' )
=> "commonswiki:ip-autoblock:whitelist"
>>> $cache->get($key)
=> [
     "",
   ]
>>> $cache->delete($key)
=> true
>>> $cache->get($key)
=> false
>>> \MediaWiki\Block\DatabaseBlock::isWhitelistedFromAutoblocks("172.16.7.167")
=> true

(for anyone wondering, 172.16.7.167 is a Toolforge bastion)

He also removed commonswiki autoblock #405016 with a maintenance script to remove the already-present autoblock.
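The caching failure described above, replayed as an added Python model (this is not MediaWiki code): a cache that pins whatever the loader returned, including the empty list produced while the exemption page was missing, keeps answering "not exempt" after the page is re-created until the key is deleted, while a variant that refuses to cache an empty result recovers on its own. The list format ("* <ip or CIDR>" items), the 172.16.0.0/21 range and the WanCache class are constructed assumptions; the key and IP are the ones from the shell session.

```python
import ipaddress

KEY = "commonswiki:ip-autoblock:whitelist"   # cache key shown in the shell session above
PAGE = "MediaWiki:Autoblock_whitelist"         # old page name from the task description

def parse_exemptions(text):
    """Parse list items ('* <ip or CIDR>') from wikitext; other lines and bad entries are skipped."""
    ranges = []
    for line in (text or "").splitlines():
        if not line.startswith("*"):
            continue
        entry = line[1:].split("#", 1)[0].strip()   # allow a trailing '# comment'
        try:
            ranges.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
    return ranges

class WanCache:
    """Minimal stand-in for WANObjectCache getWithSetCallback()/delete() (constructed)."""
    def __init__(self):
        self.store = {}
    def get_with_set(self, key, loader, cache_empty):
        if key in self.store:
            return self.store[key]
        value = loader()
        # Hardened behaviour (cache_empty=False): an empty list usually means the page is
        # missing or mid-rename, so it is recomputed on each call instead of pinned for the TTL.
        if value or cache_empty:
            self.store[key] = value
        return value
    def delete(self, key):
        self.store.pop(key, None)

def is_exempt(ip, pages, cache, cache_empty):
    ranges = cache.get_with_set(KEY, lambda: parse_exemptions(pages.get(PAGE)), cache_empty)
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def replay(cache_empty):
    """Replay the incident with a cold cache: page missing -> page re-created -> key deleted."""
    ip, pages, cache = "172.16.7.167", {}, WanCache()
    seen = [is_exempt(ip, pages, cache, cache_empty)]             # False: page gone after rollback
    pages[PAGE] = "* 172.16.0.0/21  # constructed Toolforge range"  # page re-created ~12h later
    seen.append(is_exempt(ip, pages, cache, cache_empty))         # naive cache: still False (stale)
    cache.delete(KEY)                                             # the manual fix from the task
    seen.append(is_exempt(ip, pages, cache, cache_empty))
    return seen
```

`replay(True)` models the shipped behaviour and only recovers after the delete; `replay(False)` recovers as soon as the page exists again.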

Details

Author Affiliation
Wikimedia Communities

Event Timeline

taavi assigned this task to Urbanecm.

While it was noticed within a WMCS IP range first, I believe this affects everything utilizing the exemption ranges (https://commons.wikimedia.org/wiki/MediaWiki:Block-autoblock-exemptionlist).

I just checked autoblocks for other autoblocked IPs on commonswiki from that list, and found none. The clear of the cache should be enough I think.

This comment was removed by Urbanecm.
sbassett subscribed.

@Majavah @Urbanecm -

Thanks for investigating and getting this fixed. Unless someone has an issue with exposing a Toolforge IP (can't imagine anyone would), we should be able to make this public next week. Thankfully this appears to be a case where something broke and, while technically making things more secure, it introduced a Vuln-DoS for those on various exemption lists for an extended period of time.

Unless someone has an issue with exposing a Toolforge IP (can't imagine anyone would)

The IP in the description is a private address, and even if it wasn't, public WMF IP addresses are public information anyways, so publishing should be fine.

Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)". Mar 31 2021, 2:10 PM
Urbanecm changed the edit policy from "Custom Policy" to "All Users".

Task published, no need to keep this private anymore.