Page MenuHomePhabricator
Create Task
Maniphest T280590

Special:ImportFile does not check permissions from own config FileImporterRequiredRight (CVE-2021-36132)
Closed, ResolvedPublic2 Estimated Story PointsSecurity
Actions

Description

The FileImporter extension provides a Special:ImportFile and allows to set the needed rights for the special page with config FileImporterRequiredRight

Setting $wgFileImporterRequiredRight = 'editinterface'; in LocalSettings.php does not shows a permission error on the special page when logged in as non-sysop.
Without $wgFileImporterShowInputScreen = true; is does not give a input form, but it handles actions given by request params.

The function SpecialPage::userCanExecute is not executed on the special page. The SpecialPage::__constructor mention to call it itself when override execute, which is not happen here.
The permission is only taken into account on Special:SpecialPages and the page is not listed there.
It needs a call to SpecialPage::checkPermissions to handle the user right from the option.

I have not tested if one of the action of that special page could be executed without the necessary rights, I have only seen that the permission error is missing when first open the page.

The special page correctly checks if the upload is enabled on the wiki and the default permission is upload. In the default config there is no security issue, because UploadBase::isAllowed already checks for the upload right. Only when using customized the needed rights it is executed.

Maybe there is no need for such a option and the option needs to be removed without further mention of the security issue.

wmf wikis does not change or use the config.

Details

SubjectRepoBranchLines +/-
Fix incomplete check for $wgFileImporterRequiredRightmediawiki/extensions/FileImporterREL1_36+10 -4
Fix incomplete check for $wgFileImporterRequiredRightmediawiki/extensions/FileImporterREL1_35+10 -4
Fix incomplete check for $wgFileImporterRequiredRightmediawiki/extensions/FileImportermaster+10 -4
Customize query in gerrit

Related Objects

Event Timeline

Umherirrender created this task.Apr 19 2021, 7:59 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 19 2021, 7:59 PM
sbassett added a project: Move-Files-To-Commons.Apr 19 2021, 8:32 PM
sbassett added subscribers: thiemowmde, Urbanecm.
sbassett moved this task from Incoming to Watching on the Security-Team board.Apr 26 2021, 3:08 PM
sbassett subscribed.EditedApr 26 2021, 8:27 PM

This appears to be a legitimate issue, if I'm understanding the permissions model correctly. It was probably never noticed on the projects since $wgFileImporterRequiredRight defaults to upload and every non-anon user has that right. I just tested with a brand new account on commons and when I navigated to:

https://commons.wikimedia.org/wiki/Special:ImportFile

I didn't see the form, but when I navigated to:

https://commons.wikimedia.org/wiki/Special:ImportFile?clientUrl=https://test.wikipedia.org/wiki/File:SD0002test.png

I could view the import form and was able to import another example to commons (e.g. this image). This all makes sense since every non-anon has edit and upload. The relevant code for UploadBase::isAllowed hasn't changed in a long time, so I suppose SpecialImportFile::executeStandardChecks should be checking $wgFileImporterRequiredRight around here for this to be properly implemented. Maybe something like:

$permissionRequired = UploadBase::isAllowed( $user ) &&
    $user->isAllowed( $this->config->get( 'FileImporterRequiredRight' ) );
sbassett mentioned this in T279733: Write and send supplementary release announcement for extensions and skins with security patches (1.31.15/1.35.3/1.36.1).Apr 27 2021, 6:06 PM
thiemowmde claimed this task.Apr 30 2021, 12:39 PM
thiemowmde set the point value for this task to 2.
thiemowmde moved this task from Backlog to Tickets in sprint on the Move-Files-To-Commons board.
thiemowmde added projects: WMDE-TechWish-Sprint-2021-04-28, Unplanned-Sprint-Work.
thiemowmde added subscribers: Lena_WMDE, WMDE-Fisch.
thiemowmde added a project: Patch-For-Review.Apr 30 2021, 12:47 PM
thiemowmde added subscribers: Andrew-WMDE, lilients_WMDE, awight.

As written at https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FileImporter/+/683860 this is not relevant on the Wikimedia cluster. The $wgFileImporterRequiredRight config is set to "upload" by default, but the upload right is checked anyway, independent from that config. The config was introduced for 2 reasons:

  • To be able to quickly change it in case there is a legitimate reason to limit the user group allowed to use the special page.
  • For 3rd party installations.

While this is a legitimate bug, it does not allow to bypass the upload restriction. Therefor I think this does not need to be market as a restricted security issue.

thiemowmde moved this task from Sprint Backlog to Review on the WMDE-TechWish-Sprint-2021-04-28 board.Apr 30 2021, 12:55 PM
sbassett added a comment.Apr 30 2021, 2:25 PM
In T280590#7048819, @thiemowmde wrote:

While this is a legitimate bug, it does not allow to bypass the upload restriction. Therefor I think this does not need to be market as a restricted security issue.

That's a fair assessment, I'll make this task public now.

sbassett triaged this task as Medium priority.Apr 30 2021, 2:25 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
RhinosF1 subscribed.Apr 30 2021, 3:16 PM
thiemowmde moved this task from Review to Demo on the WMDE-TechWish-Sprint-2021-04-28 board.May 3 2021, 7:39 AM
gerritbot added a comment.May 3 2021, 7:45 AM

Change 683860 merged by jenkins-bot:

[mediawiki/extensions/FileImporter@master] Fix incomplete check for $wgFileImporterRequiredRight

https://gerrit.wikimedia.org/r/683860

ReleaseTaggerBot added a project: MW-1.37-notes (1.37.0-wmf.4; 2021-05-04).May 3 2021, 8:00 AM
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.May 3 2021, 2:06 PM
sbassett removed a project: Patch-For-Review.
thiemowmde moved this task from Demo to Done on the WMDE-TechWish-Sprint-2021-04-28 board.May 11 2021, 12:36 PM
sbassett closed this task as Resolved.May 17 2021, 5:04 PM
gerritbot added a comment.Jul 1 2021, 9:37 PM

Change 702712 had a related patch set uploaded (by SBassett; author: Thiemo Kreuz (WMDE)):

[mediawiki/extensions/FileImporter@REL1_36] Fix incomplete check for $wgFileImporterRequiredRight

https://gerrit.wikimedia.org/r/702712

gerritbot added a project: Patch-For-Review.Jul 1 2021, 9:37 PM

Change 702713 had a related patch set uploaded (by SBassett; author: Thiemo Kreuz (WMDE)):

[mediawiki/extensions/FileImporter@REL1_35] Fix incomplete check for $wgFileImporterRequiredRight

https://gerrit.wikimedia.org/r/702713

gerritbot added a comment.Jul 1 2021, 9:52 PM

Change 702713 merged by jenkins-bot:

[mediawiki/extensions/FileImporter@REL1_35] Fix incomplete check for $wgFileImporterRequiredRight

https://gerrit.wikimedia.org/r/702713

gerritbot added a comment.Jul 1 2021, 9:52 PM

Change 702712 merged by jenkins-bot:

[mediawiki/extensions/FileImporter@REL1_36] Fix incomplete check for $wgFileImporterRequiredRight

https://gerrit.wikimedia.org/r/702712

sbassett renamed this task from Special:ImportFile does not check permissions from own config FileImporterRequiredRight to Special:ImportFile does not check permissions from own config FileImporterRequiredRight (CVE-2021-36132).Jul 2 2021, 7:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL