Page MenuHomePhabricator
Create Task
Maniphest T281972

ActorStore::checkDatabaseDomain: InvalidArgumentException: DB connection domain does not match when suppressing via Special:CentralAuth (CVE-2021-36128)
Closed, ResolvedPublicSecurity
Actions

Assigned To
Pchelolo
Authored By
hoo
May 5 2021, 11:36 AM
Tags
Referenced Files
F34454933: T281972.patch
May 15 2021, 1:18 PM
Subscribers
Aklapper
alaa
AmandaNP
brennen
Daimona
daniel
gerritbot
View All 19 Subscribers

Description

2021-05-05 04:47:56 [a01fcf53-0205-401e-b080-1baf777f439c] mw1272 metawiki 1.37.0-wmf.3 exception ERROR: [a01fcf53-0205-401e-b080-1baf777f439c] /w/index.php?title=Special:CentralAuth&target=…   InvalidArgumentException: DB connection domain 'jawiki' does not match 'metawiki' {"exception_url":"/w/index.php?title=Special:CentralAuth&target=…","caught_by":"entrypoint"}
[Exception InvalidArgumentException] (/srv/mediawiki/php-1.37.0-wmf.3/includes/user/ActorStore.php:672) DB connection domain 'jawiki' does not match 'metawiki'
  #0 /srv/mediawiki/php-1.37.0-wmf.3/includes/user/ActorStore.php(412): MediaWiki\User\ActorStore->checkDatabaseDomain(Wikimedia\Rdbms\DBConnRef)
  #1 /srv/mediawiki/php-1.37.0-wmf.3/includes/block/DatabaseBlockStore.php(357): MediaWiki\User\ActorStore->acquireActorId(MediaWiki\User\UserIdentityValue, Wikimedia\Rdbms\DBConnRef)
  #2 /srv/mediawiki/php-1.37.0-wmf.3/includes/block/DatabaseBlockStore.php(166): MediaWiki\Block\DatabaseBlockStore->getArrayForDatabaseBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
  #3 /srv/mediawiki/php-1.37.0-wmf.3/includes/block/DatabaseBlock.php(523): MediaWiki\Block\DatabaseBlockStore->insertBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
  #4 /srv/mediawiki/php-1.37.0-wmf.3/extensions/CentralAuth/includes/CentralAuthUser.php(1951): MediaWiki\Block\DatabaseBlock->insert(Wikimedia\Rdbms\DBConnRef)
  #5 /srv/mediawiki/php-1.37.0-wmf.3/extensions/CentralAuth/includes/CentralAuthUser.php(1882): CentralAuthUser->doLocalSuppression(boolean, string, string, string)
  #6 /srv/mediawiki/php-1.37.0-wmf.3/extensions/CentralAuth/includes/CentralAuthUser.php(1860): CentralAuthUser->doCrosswikiSuppression(boolean, string, string)
  #7 /srv/mediawiki/php-1.37.0-wmf.3/extensions/CentralAuth/includes/CentralAuthUser.php(1811): CentralAuthUser->suppress(string, string)
  #8 /srv/mediawiki/php-1.37.0-wmf.3/extensions/CentralAuth/includes/specials/SpecialCentralAuth.php(245): CentralAuthUser->adminLockHide(boolean, string, string, RequestContext)
  #9 /srv/mediawiki/php-1.37.0-wmf.3/extensions/CentralAuth/includes/specials/SpecialCentralAuth.php(143): SpecialCentralAuth->doSubmit()
  #10 /srv/mediawiki/php-1.37.0-wmf.3/includes/specialpage/SpecialPage.php(646): SpecialCentralAuth->execute(NULL)
  #11 /srv/mediawiki/php-1.37.0-wmf.3/includes/specialpage/SpecialPageFactory.php(1397): SpecialPage->run(NULL)
  #12 /srv/mediawiki/php-1.37.0-wmf.3/includes/MediaWiki.php(313): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, RequestContext)
  #13 /srv/mediawiki/php-1.37.0-wmf.3/includes/MediaWiki.php(916): MediaWiki->performRequest()
  #14 /srv/mediawiki/php-1.37.0-wmf.3/includes/MediaWiki.php(550): MediaWiki->main()
  #15 /srv/mediawiki/php-1.37.0-wmf.3/index.php(53): MediaWiki->run()
  #16 /srv/mediawiki/php-1.37.0-wmf.3/index.php(46): wfIndexMain()
  #17 /srv/mediawiki/w/index.php(3): require(string)
  #18 {main}

Details

Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
Reenable autoblocks for CentralAuth-issued suppression blocksmediawiki/extensions/CentralAuthmaster+1 -4
Load potential current ip block from correct wikimediawiki/coremaster+26 -1
block: Create wiki-aware target for autoblocksmediawiki/coremaster+2 -1
Respect the wiki when performing autoblocksmediawiki/coremaster+3 -2
Respect the wiki when performing autoblocksmediawiki/extensions/CheckUsermaster+12 -8
Follow-Up: I10fbd4b6a: Update @since tags as those were backportedmediawiki/coremaster+2 -2
Follow-Up: I10fbd4b6a: Update @since tags as those were backportedmediawiki/coreREL1_36+2 -2
Follow-Up: I10fbd4b6a: Update @since tags as those were backportedmediawiki/coreREL1_37+2 -2
Follow-up bbc75d404: Update @since tag as we're back-portingmediawiki/coremaster+1 -1
SECURITY: Disable autoblocks for CentralAuth-issued suppression blocksmediawiki/extensions/CentralAuthREL1_36+4 -1
SECURITY: Disable autoblocks for CentralAuth-issued suppression blocksmediawiki/extensions/CentralAuthmaster+4 -1
Cross-wiki block should pass correct wiki blockermediawiki/extensions/CentralAuthREL1_36+3 -1
UserIdentityValue: Introduce convenience static factory methodsmediawiki/coreREL1_36+82 -1
DatabaseBlockStore: fetch correct ActorNormalization (part 2/2)mediawiki/corewmf/1.37.0-wmf.4+3 -10
DatabaseBlockStore: fetch correct ActorNormalization (part 1/2)mediawiki/corewmf/1.37.0-wmf.4+23 -10
DatabaseBlockStore: fetch correct ActorNormalizationmediawiki/coremaster+16 -11
Cross-wiki block should pass correct wiki blockermediawiki/extensions/CentralAuthwmf/1.37.0-wmf.4+3 -1
Cross-wiki block should pass correct wiki blockermediawiki/extensions/CentralAuthwmf/1.37.0-wmf.3+3 -1
UserIdentityValue: Introduce convenience static factory methodsmediawiki/corewmf/1.37.0-wmf.3+82 -1
UserIdentityValue: Introduce convenience static factory methodsmediawiki/corewmf/1.37.0-wmf.4+82 -1
Cross-wiki block should pass correct wiki blockermediawiki/extensions/CentralAuthmaster+3 -1
UserIdentityValue: Introduce convenience static factory methodsmediawiki/coremaster+82 -1
Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
gerritbot added a project: Patch-For-Review.May 10 2021, 4:42 PM

Change 688290 had a related patch set uploaded (by Urbanecm; author: Ppchelko):

[mediawiki/core@REL1_36] UserIdentityValue: Introduce convenience static factory methods

https://gerrit.wikimedia.org/r/688290

Urbanecm added a comment.May 11 2021, 2:56 PM
In T281972#7075007, @Reedy wrote:

Just 1.36 to go?

I think so.

Urbanecm added a comment.May 11 2021, 4:10 PM
This comment was removed by Legoktm.
Pchelolo added a comment.May 11 2021, 4:17 PM

AFAICS CheckUser was not mentioned in the first stacks, so it is probably something there that causes this error sometimes.

This is definitely a different error, you're right. Will have a look.

Pchelolo added a comment.May 11 2021, 4:29 PM

Okey. The problem is pretty clear.

Now that we are ably to correctly insert cross-wiki block with a correct blocker, CheckUser is doing auto blocking of IPs that are associated with the block. But CheckUser is oblivious towards which wiki the block actually belongs to, so it does everything in the context of metawiki.

BTW, none of these errors are regressions. They just indicate before some of these blocks were inserted with invalid blockers..

I guess the best fix is to actually make blocks wiki-aware and support cross-wiki blocking properly. How urgent is this?

gerritbot added a comment.May 12 2021, 12:53 AM

Change 689379 had a related patch set uploaded (by Jforrester; author: Jforrester):

[mediawiki/core@master] Follow-up bbc75d404: Update @since tag as we're back-porting

https://gerrit.wikimedia.org/r/689379

Jdforrester-WMF closed this task as Resolved.May 12 2021, 12:57 AM
gerritbot added a comment.May 12 2021, 1:05 AM

Change 688290 merged by jenkins-bot:

[mediawiki/core@REL1_36] UserIdentityValue: Introduce convenience static factory methods

https://gerrit.wikimedia.org/r/688290

gerritbot added a comment.May 12 2021, 1:19 AM

Change 689379 merged by jenkins-bot:

[mediawiki/core@master] Follow-up bbc75d404: Update @since tag as we're back-porting

https://gerrit.wikimedia.org/r/689379

ReleaseTaggerBot edited projects, added MW-1.37-notes (1.37.0-wmf.6; 2021-05-18), MW-1.36-notes; removed MW-1.37-notes (1.37.0-wmf.4; 2021-05-04).May 12 2021, 2:00 AM
gerritbot added a comment.May 12 2021, 11:16 AM

Change 688289 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_36] Cross-wiki block should pass correct wiki blocker

https://gerrit.wikimedia.org/r/688289

AmandaNP reopened this task as Open.May 14 2021, 7:25 AM
AmandaNP subscribed.
This comment was removed by Legoktm.
taavi set Security to Software security bug.May 14 2021, 7:31 AM
taavi added a project: Security-Team.
taavi changed the visibility from "Public (No Login Required)" to "Custom Policy".
Stryn subscribed.May 14 2021, 7:31 AM
taavi added a project: PermanentlyPrivate.May 14 2021, 7:34 AM
Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". · View Herald TranscriptMay 14 2021, 7:34 AM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
Operator873 subscribed.May 15 2021, 12:54 AM

https://873gear.com/irc/uploads/1d222380b2567746/image.png

Account was not locked, attempted to lock/hide

Aklapper added a comment.May 15 2021, 8:51 AM

@Operator873: Please provide a stack trace, as text.

Urbanecm added a comment.May 15 2021, 1:11 PM
This comment was removed by Legoktm.
Urbanecm added a comment.May 15 2021, 1:17 PM

Let me try to summarize where are we at right now:

  • CentralAuth-issued suppresions don't work, because making xwiki autoblocks is not possible. The proper solution for that would be T274817: Convert DatabaseBlock and AbstractBlock to UserIdentity, and make them cross-wiki aware., which is something the platform team would likely work at one point.
  • Simple workaround would be to disable autoblocks. Stewards do not autoblocks to work for locks, because there is currently no such mechanism. In case we need an autoblock-like mechanism, we manually checkuser the user and block the IP manually. So, let's do that for now, and let T274817 be the proper solution. I'll upload a patch momentarily.
Urbanecm added a comment.May 15 2021, 1:18 PM

T281972.patch1 KBDownload

@Pchelolo Could you please review this one here, and provide a +2 as a Phabricator comment? I can then deploy it (or maybe it can actually go through Gerrit instead?).

sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.May 17 2021, 3:35 PM
Krinkle moved this task from Untriaged to May 2021 on the Wikimedia-production-error board.May 19 2021, 9:38 PM
Jdforrester-WMF moved this task from Blocker to Not a blocker on the MW-1.36-release board.May 20 2021, 5:39 PM
Tks4Fish added a project: Stewards-and-global-tools.Jun 2 2021, 5:57 PM

Is there any plan to review this patch? If an user doxxes someone on the username, or creates an account with a phone number, there is no way to hide that. This is a big security issue that has a patch pending review for 15 days. I understand we are all volunteers, but it'd be really good for this to be reviewed.

Pchelolo added a comment.Jun 2 2021, 6:00 PM

@Urbanecm +2 for the patch.

Urbanecm added a comment.Jun 2 2021, 6:15 PM
20:11 <urbanecm> !log Deployed security patch for T281972
20:11 <stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log

Thanks @Pchelolo, appreciated. Deployed. A proper fix can happen later.

Urbanecm triaged this task as Lowest priority.Jun 2 2021, 6:27 PM
Urbanecm added a subscriber: sbassett.

@sbassett Hi, would you mind doing the final honors (backports here; should need only master)? Thanks!

sbassett mentioned this in T279733: Write and send supplementary release announcement for extensions and skins with security patches (1.31.15/1.35.3/1.36.1).Jun 2 2021, 10:17 PM
sbassett added a comment.Jun 2 2021, 10:19 PM
In T281972#7129975, @Urbanecm wrote:

@sbassett Hi, would you mind doing the final honors (backports here; should need only master)? Thanks!

Sure, tracking at T276237 and T279733 for now. This will definitely get backported before the end of this quarter (2021-06-30) but I can't guarantee when, unless someone else wants to run with it. Though I'd question if we even want this on master since it's kind of a Wikimedia production-specific config change if I'm reading this bug and the patch comment correctly.

Urbanecm added a comment.Jun 3 2021, 10:45 AM
In T281972#7130744, @sbassett wrote:
In T281972#7129975, @Urbanecm wrote:

@sbassett Hi, would you mind doing the final honors (backports here; should need only master)? Thanks!

Sure, tracking at T276237 and T279733 for now. This will definitely get backported before the end of this quarter (2021-06-30) but I can't guarantee when, unless someone else wants to run with it. Though I'd question if we even want this on master since it's kind of a Wikimedia production-specific config change if I'm reading this bug and the patch comment correctly.

The error would be very likely present on any Wikimedia-like wikifarm. The underlying bug is in MediaWiki core (which doesn't support xwiki blocks [an user from wiki A blocks on wiki B] properly, and while xwiki blocks work somehow, autoblocks sometimes fail with this error message, which is why this task exists]). Fixing that bug properly would be possible, but the platform team asked for time to refactor blocks to support xwiki blocks in the proper way, rather than adding hacks at top of hacks.

You're right that the bug very likely apprears only in Wikimedia production, but that's not because we have a special configuration – it is because non-Wikimedia wikis shouldn't use centralauth because of its complexity (and in parts, Wikimedia-specificness), see the big red warning at https://www.mediawiki.org/wiki/Extension:CentralAuth.

I personally vote for including into master (as that'd avoid conflicts as master progresses), but I defer to your judgement.

sbassett added a comment.Jun 3 2021, 3:14 PM
In T281972#7131468, @Urbanecm wrote:

The error would be very likely present on any Wikimedia-like wikifarm. The underlying bug is in MediaWiki core (which doesn't support xwiki blocks [an user from wiki A blocks on wiki B] properly, and while xwiki blocks work somehow, autoblocks sometimes fail with this error message, which is why this task exists]). Fixing that bug properly would be possible, but the platform team asked for time to refactor blocks to support xwiki blocks in the proper way, rather than adding hacks at top of hacks.

Ok, that all makes sense, thanks. We can plan to backport this to master.

sbassett removed a project: Patch-For-Review.Jun 3 2021, 9:26 PM
sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.
daniel moved this task from Unsorted pile to UserStore pile on the Platform Team Workboards (MW Expedition) board.Jun 8 2021, 11:46 AM
Urbanecm mentioned this in T284873: Regression: CentralAuth Lock+Suppress is issuing local blocks without autoblock.Jun 13 2021, 11:15 AM
Urbanecm added a parent task: T274817: Convert DatabaseBlock and AbstractBlock to UserIdentity, and make them cross-wiki aware..Jun 14 2021, 4:35 PM
Urbanecm removed a parent task: T274817: Convert DatabaseBlock and AbstractBlock to UserIdentity, and make them cross-wiki aware..
Urbanecm added a subtask: T274817: Convert DatabaseBlock and AbstractBlock to UserIdentity, and make them cross-wiki aware..
Urbanecm mentioned this in T274817: Convert DatabaseBlock and AbstractBlock to UserIdentity, and make them cross-wiki aware..Jun 14 2021, 4:37 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.Jul 1 2021, 10:11 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptJul 1 2021, 10:11 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
Zabe added a subscriber: gerritbot.Jul 2 2021, 4:01 PM
gerritbot added a comment.Jul 2 2021, 4:12 PM

Change 702717 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_36] SECURITY: Disable autoblocks for CentralAuth-issued suppression blocks

https://gerrit.wikimedia.org/r/702717

Legoktm subscribed.Jul 2 2021, 4:51 PM

I've deleted comments above that contained private information so this task can be made public. They're quoted below with the private info redacted:

In T281972#7087384, @DeltaQuad wrote:

Still currently getting an error.
[8008a778-58be-418c-8be8-72bbc8c57a76] 2021-05-14 07:24:13: Fatal exception of type "InvalidArgumentException"
URL: https://meta.wikimedia.org/w/index.php?title=Special:CentralAuth&target=<redacted>

In T281972#7090229, @Urbanecm wrote:
In T281972#7089889, @Aklapper wrote:

@Operator873: Please provide a stack trace, as text.

Note AFAIK, Operator873 does not have access to logstash, so he cannot see the stack. Here it is through:

Stack trace
[urbanecm@mwlog1002 /srv/mw-log]$ grep -A 27 fccd3bd6-2816-44e2-b525-c068ccf3d42d archive/exception.log-20210515
2021-05-15 00:51:30 [fccd3bd6-2816-44e2-b525-c068ccf3d42d] mw1373 metawiki 1.37.0-wmf.5 exception ERROR: [fccd3bd6-2816-44e2-b525-c068ccf3d42d] /w/index.php?title=Special:CentralAuth&target=<redacted>   InvalidArgumentException: DB connection domain 'metawiki' does not match 'loginwiki' {"exception_url":"/w/index.php?title=Special:CentralAuth&target=<redacted>","reqId":"fccd3bd6-2816-44e2-b525-c068ccf3d42d","caught_by":"entrypoint"}
[Exception InvalidArgumentException] (/srv/mediawiki/php-1.37.0-wmf.5/includes/user/ActorStore.php:704) DB connection domain 'metawiki' does not match 'loginwiki'
  #0 /srv/mediawiki/php-1.37.0-wmf.5/includes/user/ActorStore.php(412): MediaWiki\User\ActorStore->checkDatabaseDomain(Wikimedia\Rdbms\DBConnRef)
  #1 /srv/mediawiki/php-1.37.0-wmf.5/includes/block/DatabaseBlockStore.php(360): MediaWiki\User\ActorStore->acquireActorId(MediaWiki\User\UserIdentityValue, Wikimedia\Rdbms\DBConnRef)
  #2 /srv/mediawiki/php-1.37.0-wmf.5/includes/block/DatabaseBlockStore.php(166): MediaWiki\Block\DatabaseBlockStore->getArrayForDatabaseBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
  #3 /srv/mediawiki/php-1.37.0-wmf.5/includes/block/DatabaseBlock.php(690): MediaWiki\Block\DatabaseBlockStore->insertBlock(MediaWiki\Block\DatabaseBlock)
  #4 /srv/mediawiki/php-1.37.0-wmf.5/extensions/CheckUser/src/Hooks.php(708): MediaWiki\Block\DatabaseBlock->doAutoblock(string)
  #5 /srv/mediawiki/php-1.37.0-wmf.5/includes/HookContainer/HookContainer.php(330): MediaWiki\CheckUser\Hooks::doRetroactiveAutoblock(MediaWiki\Block\DatabaseBlock, array)
  #6 /srv/mediawiki/php-1.37.0-wmf.5/includes/HookContainer/HookContainer.php(137): MediaWiki\HookContainer\HookContainer->callLegacyHook(string, array, array, array)
  #7 /srv/mediawiki/php-1.37.0-wmf.5/includes/HookContainer/HookRunner.php(2981): MediaWiki\HookContainer\HookContainer->run(string, array)
  #8 /srv/mediawiki/php-1.37.0-wmf.5/includes/block/DatabaseBlockStore.php(440): MediaWiki\HookContainer\HookRunner->onPerformRetroactiveAutoblock(MediaWiki\Block\DatabaseBlock, array)
  #9 /srv/mediawiki/php-1.37.0-wmf.5/includes/block/DatabaseBlockStore.php(206): MediaWiki\Block\DatabaseBlockStore->doRetroactiveAutoblock(MediaWiki\Block\DatabaseBlock)
  #10 /srv/mediawiki/php-1.37.0-wmf.5/includes/block/DatabaseBlock.php(535): MediaWiki\Block\DatabaseBlockStore->insertBlock(MediaWiki\Block\DatabaseBlock, Wikimedia\Rdbms\DBConnRef)
  #11 /srv/mediawiki/php-1.37.0-wmf.5/extensions/CentralAuth/includes/CentralAuthUser.php(1952): MediaWiki\Block\DatabaseBlock->insert(Wikimedia\Rdbms\DBConnRef)
  #12 /srv/mediawiki/php-1.37.0-wmf.5/extensions/CentralAuth/includes/CentralAuthUser.php(1881): CentralAuthUser->doLocalSuppression(boolean, string, string, string)
  #13 /srv/mediawiki/php-1.37.0-wmf.5/extensions/CentralAuth/includes/CentralAuthUser.php(1859): CentralAuthUser->doCrosswikiSuppression(boolean, string, string)
  #14 /srv/mediawiki/php-1.37.0-wmf.5/extensions/CentralAuth/includes/CentralAuthUser.php(1810): CentralAuthUser->suppress(string, string)
  #15 /srv/mediawiki/php-1.37.0-wmf.5/extensions/CentralAuth/includes/specials/SpecialCentralAuth.php(245): CentralAuthUser->adminLockHide(boolean, string, string, RequestContext)
  #16 /srv/mediawiki/php-1.37.0-wmf.5/extensions/CentralAuth/includes/specials/SpecialCentralAuth.php(143): SpecialCentralAuth->doSubmit()
  #17 /srv/mediawiki/php-1.37.0-wmf.5/includes/specialpage/SpecialPage.php(646): SpecialCentralAuth->execute(NULL)
  #18 /srv/mediawiki/php-1.37.0-wmf.5/includes/specialpage/SpecialPageFactory.php(1396): SpecialPage->run(NULL)
  #19 /srv/mediawiki/php-1.37.0-wmf.5/includes/MediaWiki.php(313): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, RequestContext)
  #20 /srv/mediawiki/php-1.37.0-wmf.5/includes/MediaWiki.php(916): MediaWiki->performRequest()
  #21 /srv/mediawiki/php-1.37.0-wmf.5/includes/MediaWiki.php(550): MediaWiki->main()
  #22 /srv/mediawiki/php-1.37.0-wmf.5/index.php(53): MediaWiki->run()
  #23 /srv/mediawiki/php-1.37.0-wmf.5/index.php(46): wfIndexMain()
  #24 /srv/mediawiki/w/index.php(3): require(string)
  #25 {main}
[urbanecm@mwlog1002 /srv/mw-log]$

It looks to match what I offered at T281972#7078879.

Legoktm removed a project: PermanentlyPrivate.Jul 2 2021, 4:58 PM
Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".
Legoktm changed the edit policy from "Custom Policy" to "All Users".
sbassett renamed this task from ActorStore::checkDatabaseDomain: InvalidArgumentException: DB connection domain does not match when suppressing via Special:CentralAuth to ActorStore::checkDatabaseDomain: InvalidArgumentException: DB connection domain does not match when suppressing via Special:CentralAuth (CVE-2021-36128).Jul 2 2021, 8:02 PM
sbassett closed this task as Resolved.Jul 2 2021, 8:12 PM
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
Jdforrester-WMF edited projects, added MW-1.37-notes (1.37.0-wmf.14; 2021-07-12); removed MW-1.37-notes (1.37.0-wmf.6; 2021-05-18).Jul 3 2021, 7:46 AM
Zabe mentioned this in T286490: PHP Deprecated: Deprecated cross-wiki access to MediaWiki\User\UserIdentityValue. Expected: the local wiki, Actual: 'enwiki'. Pass expected $wikiId. [Called from MediaWiki\User\UserIdentityValue::getId].Jul 12 2021, 5:30 PM
mmodell mentioned this in T287625: Deprecated passing invalid cross-wiki user. Expected: 'metawiki', Actual: the local wiki..Jul 28 2021, 7:58 PM
mmodell mentioned this in T287630: PHP Deprecated: Deprecated cross-wiki access to MediaWiki\User\UserIdentityValue. Expected: the local wiki, Actual: 'loginwiki'. Pass expected $wikiId. [Called from MediaWiki\User\UserIdentityValue::getId].
Zabe mentioned this in T291994: Properly support cross-wiki blocking.Sep 28 2021, 6:27 PM
gerritbot added a comment.Nov 13 2021, 10:02 PM

Change 738549 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/core@master] Follow-Up: I10fbd4b6a: Update @since tags as those were backported

https://gerrit.wikimedia.org/r/738549

gerritbot added a project: Patch-For-Review.Nov 13 2021, 10:02 PM
gerritbot added a comment.Nov 13 2021, 10:05 PM

Change 738400 had a related patch set uploaded (by Reedy; author: Zabe):

[mediawiki/core@REL1_37] Follow-Up: I10fbd4b6a: Update @since tags as those were backported

https://gerrit.wikimedia.org/r/738400

gerritbot added a comment.Nov 13 2021, 10:06 PM

Change 738401 had a related patch set uploaded (by Reedy; author: Zabe):

[mediawiki/core@REL1_36] Follow-Up: I10fbd4b6a: Update @since tags as those were backported

https://gerrit.wikimedia.org/r/738401

gerritbot added a comment.Nov 13 2021, 10:16 PM

Change 738400 merged by jenkins-bot:

[mediawiki/core@REL1_37] Follow-Up: I10fbd4b6a: Update @since tags as those were backported

https://gerrit.wikimedia.org/r/738400

gerritbot added a comment.Nov 13 2021, 10:17 PM

Change 738401 merged by jenkins-bot:

[mediawiki/core@REL1_36] Follow-Up: I10fbd4b6a: Update @since tags as those were backported

https://gerrit.wikimedia.org/r/738401

gerritbot added a comment.Nov 13 2021, 10:29 PM

Change 738549 merged by jenkins-bot:

[mediawiki/core@master] Follow-Up: I10fbd4b6a: Update @since tags as those were backported

https://gerrit.wikimedia.org/r/738549

ReleaseTaggerBot edited projects, added MW-1.38-notes (1.38.0-wmf.9; 2021-11-16), MW-1.37-notes; removed MW-1.37-notes (1.37.0-wmf.14; 2021-07-12).Nov 13 2021, 11:00 PM
Zabe removed a project: Patch-For-Review.Jan 17 2022, 10:43 PM
Zabe removed a subtask: T274817: Convert DatabaseBlock and AbstractBlock to UserIdentity, and make them cross-wiki aware..Jan 17 2022, 11:11 PM
Zabe added a subtask: T291994: Properly support cross-wiki blocking.
gerritbot added a comment.Jan 17 2022, 11:21 PM

Change 725894 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/CentralAuth@master] Reenable autoblocks for CentralAuth-issued suppression blocks

https://gerrit.wikimedia.org/r/725894

gerritbot added a project: Patch-For-Review.Jan 17 2022, 11:21 PM
gerritbot added a comment.Jan 23 2022, 12:06 AM

Change 756131 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/CheckUser@master] Respect the wiki when performing autoblocks

https://gerrit.wikimedia.org/r/756131

gerritbot added a comment.Feb 18 2022, 5:16 PM

Change 763788 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/core@master] Respect the wiki when performing autoblocks

https://gerrit.wikimedia.org/r/763788

Zabe added a comment.EditedApr 3 2022, 10:24 PM

"Fun" fact: The second part of this was actually predicted almost a year before it showed up.

From the task description of T258866:

CentralAuthUser::doLocalSuppression is an example that passes the database to insert:
The block is always autoblocking (presumably the autoblocks are not being inserted correctly?)

gerritbot added a comment.Jun 13 2022, 7:12 PM

Change 756131 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Respect the wiki when performing autoblocks

https://gerrit.wikimedia.org/r/756131

Tchanders added a project: Anti-Harassment (AHaT Sprint 10: The Mokorotlo).Jun 15 2022, 4:50 PM
Tchanders moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to Code Review 🔍 on the Anti-Harassment (AHaT Sprint 10: The Mokorotlo) board.
gerritbot added a comment.Jun 30 2022, 10:12 PM

Change 763788 merged by jenkins-bot:

[mediawiki/core@master] Respect the wiki when performing autoblocks

https://gerrit.wikimedia.org/r/763788

gerritbot added a comment.Jul 8 2022, 8:57 PM

Change 810381 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/core@master] block: Create wiki-aware target for autoblocks

https://gerrit.wikimedia.org/r/810381

gerritbot added a comment.Jul 9 2022, 8:02 AM

Change 810381 merged by jenkins-bot:

[mediawiki/core@master] block: Create wiki-aware target for autoblocks

https://gerrit.wikimedia.org/r/810381

gerritbot added a comment.Aug 30 2022, 11:54 PM

Change 828126 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/core@master] Load potential current ip block from correct wiki

https://gerrit.wikimedia.org/r/828126

gerritbot added a comment.Jun 14 2023, 6:51 PM

Change 828126 merged by jenkins-bot:

[mediawiki/core@master] Load potential current ip block from correct wiki

https://gerrit.wikimedia.org/r/828126

gerritbot added a comment.Feb 8 2024, 7:31 PM

Change 725894 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Reenable autoblocks for CentralAuth-issued suppression blocks

https://gerrit.wikimedia.org/r/725894

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL