Page MenuHomePhabricator
Create Task
Maniphest T284873

Regression: CentralAuth Lock+Suppress is issuing local blocks without autoblock
Closed, ResolvedPublicSecurity
Actions

Description

CentralAuth lock + suppress (oversight) is no longer applying autoblocks on local account blocks, allowing further registration of abusive account names.

Local blocks issued by the CentralAuth extension always had autoblock enabled.

A quick search in our logs shows this started to happen on or about June 1, 2021.

2b7a5cad7519 may be the cause (not sure). As you can see at rECAU includes/CentralAuthUser.php L1940 has 'enableAutoblock' => true, which is not being respected now.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Reenable autoblocks for CentralAuth-issued suppression blocksmediawiki/extensions/CentralAuthmaster+1 -4
DatabaseBlock: Fetch correct DatabaseBlockStoremediawiki/coremaster+6 -2
Load potential current ip block from correct wikimediawiki/coremaster+26 -1
block: Create wiki-aware target for autoblocksmediawiki/coremaster+2 -1
Respect the wiki when performing autoblocksmediawiki/coremaster+3 -2
Respect the wiki when performing autoblocksmediawiki/extensions/CheckUsermaster+12 -8
Customize query in gerrit

Related Objects
Search...

Event Timeline

MarcoAurelio created this task.Jun 13 2021, 10:59 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 13 2021, 10:59 AM
MarcoAurelio added projects: MediaWiki-extensions-CentralAuth, Regression, Stewards-and-global-tools.Jun 13 2021, 11:00 AM
MarcoAurelio updated the task description. (Show Details)Jun 13 2021, 11:09 AM
MarcoAurelio updated the task description. (Show Details)
Urbanecm subscribed.Jun 13 2021, 11:15 AM

This is a direct consequence of T281972: ActorStore::checkDatabaseDomain: InvalidArgumentException: DB connection domain does not match when suppressing via Special:CentralAuth (CVE-2021-36128). Long story short, blocks aren't (yet) xwiki aware, and the only reason CentralAuth is able to issue any blocks at all is a ton of hacks. As of now, xwiki blocks kinda work (thanks to hacks), but autoblocks don't. Rather than having suppression not working at all, I thought disabling autoblocks until this resolves is an acceptable tradeoff (as suppression is the only case when locks offer _any_ sort of autoblock).

Both this task and T281972 will be resolved with T274817: Convert DatabaseBlock and AbstractBlock to UserIdentity, and make them cross-wiki aware. (assuming the temporary autoblock disable would be removed).

I hope this makes sense.

MarcoAurelio updated the task description. (Show Details)Jun 13 2021, 11:16 AM
Reedy edited projects, added SecTeam-Processed, Platform Engineering; removed Security-Team.Jun 14 2021, 3:43 PM
Urbanecm added a parent task: T274817: Convert DatabaseBlock and AbstractBlock to UserIdentity, and make them cross-wiki aware..Jun 14 2021, 4:35 PM
Urbanecm removed a parent task: T274817: Convert DatabaseBlock and AbstractBlock to UserIdentity, and make them cross-wiki aware..
Urbanecm added a subtask: T274817: Convert DatabaseBlock and AbstractBlock to UserIdentity, and make them cross-wiki aware..
Urbanecm mentioned this in T274817: Convert DatabaseBlock and AbstractBlock to UserIdentity, and make them cross-wiki aware..Jun 14 2021, 4:37 PM
BPirkle triaged this task as Medium priority.Jun 22 2021, 9:07 PM
BPirkle edited projects, added Platform Team Workboards (MW Expedition); removed Platform Engineering.
Dsharpe added a subscriber: Zabe.Jan 11 2022, 2:51 PM
Zabe removed a subtask: T274817: Convert DatabaseBlock and AbstractBlock to UserIdentity, and make them cross-wiki aware..Jan 17 2022, 11:11 PM
Zabe added a subtask: T291994: Properly support cross-wiki blocking.
Zabe added a subscriber: gerritbot.
gerritbot added a comment.Jan 17 2022, 11:21 PM

Change 725894 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/CentralAuth@master] Reenable autoblocks for CentralAuth-issued suppression blocks

https://gerrit.wikimedia.org/r/725894

gerritbot added a project: Patch-For-Review.Jan 17 2022, 11:21 PM
Zabe added a comment.Jan 17 2022, 11:23 PM

I don't think this needs to be private, there is nothing really here that is not publicly known.

gerritbot added a comment.Jan 23 2022, 12:06 AM

Change 756131 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/CheckUser@master] Respect the wiki when performing autoblocks

https://gerrit.wikimedia.org/r/756131

Zabe claimed this task.Jan 23 2022, 12:18 AM
gerritbot added a comment.Feb 18 2022, 5:16 PM

Change 763788 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/core@master] Respect the wiki when performing autoblocks

https://gerrit.wikimedia.org/r/763788

Zabe added a subscriber: sbassett.Feb 18 2022, 5:46 PM

@sbassett could you consider making this public. As I already wrote above, I don't see anything in the task that is not publicly known.

sbassett added a comment.Feb 22 2022, 5:09 PM
In T284873#7721747, @Zabe wrote:

@sbassett could you consider making this public. As I already wrote above, I don't see anything in the task that is not publicly known.

I think that should be fine, especially since the related gerrit change sets are all public anyways.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Feb 22 2022, 5:09 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
RhinosF1 subscribed.Feb 22 2022, 5:13 PM
gerritbot added a comment.Jun 13 2022, 7:12 PM

Change 756131 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Respect the wiki when performing autoblocks

https://gerrit.wikimedia.org/r/756131

ReleaseTaggerBot added a project: MW-1.39-notes (1.39.0-wmf.16; 2022-06-13).Jun 13 2022, 8:00 PM
gerritbot added a comment.Jun 30 2022, 10:12 PM

Change 763788 merged by jenkins-bot:

[mediawiki/core@master] Respect the wiki when performing autoblocks

https://gerrit.wikimedia.org/r/763788

gerritbot added a comment.Jul 8 2022, 8:58 PM

Change 810381 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/core@master] block: Create wiki-aware target for autoblocks

https://gerrit.wikimedia.org/r/810381

gerritbot added a comment.Jul 9 2022, 8:02 AM

Change 810381 merged by jenkins-bot:

[mediawiki/core@master] block: Create wiki-aware target for autoblocks

https://gerrit.wikimedia.org/r/810381

ReleaseTaggerBot edited projects, added MW-1.39-notes (1.39.0-wmf.21; 2022-07-18); removed MW-1.39-notes (1.39.0-wmf.16; 2022-06-13).Jul 11 2022, 11:01 PM
gerritbot added a comment.Aug 30 2022, 11:54 PM

Change 828126 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/core@master] Load potential current ip block from correct wiki

https://gerrit.wikimedia.org/r/828126

gerritbot added a comment.Jun 14 2023, 6:51 PM

Change 828126 merged by jenkins-bot:

[mediawiki/core@master] Load potential current ip block from correct wiki

https://gerrit.wikimedia.org/r/828126

ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.15; 2023-06-27).Jun 14 2023, 7:00 PM
tstarling mentioned this in T346293: ipblocks schema redesign for multiblocks.Sep 19 2023, 2:10 AM
tstarling mentioned this in T346716: Split user suppression/hiding (ipb_deleted) out of the ipblocks table.Sep 19 2023, 7:02 AM
Pppery edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Oct 10 2023, 5:23 AM
gerritbot added a comment.Feb 8 2024, 1:12 AM

Change 998601 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/core@master] DatabaseBlock: Fetch correct DatabaseBlockStore for autoblock

https://gerrit.wikimedia.org/r/998601

gerritbot added a project: Patch-For-Review.Feb 8 2024, 1:12 AM
Restricted Application removed a project: Patch-Needs-Improvement. · View Herald TranscriptFeb 8 2024, 1:12 AM
gerritbot added a comment.Feb 8 2024, 2:34 AM

Change 998601 merged by jenkins-bot:

[mediawiki/core@master] DatabaseBlock: Fetch correct DatabaseBlockStore

https://gerrit.wikimedia.org/r/998601

gerritbot added a comment.Feb 8 2024, 7:31 PM

Change 725894 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Reenable autoblocks for CentralAuth-issued suppression blocks

https://gerrit.wikimedia.org/r/725894

ReleaseTaggerBot added a project: MW-1.42-notes (1.42.0-wmf.18; 2024-02-13).Feb 8 2024, 9:00 PM
Bugreporter moved this task from Backlog to Global account management (lock/hide/suppress) on the MediaWiki-extensions-CentralAuth board.Mar 5 2024, 11:41 AM
Umherirrender closed this task as Resolved.Mar 20 2024, 10:17 PM
Umherirrender removed a project: Patch-For-Review.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits