
Regression: CentralAuth Lock+Suppress is issuing local blocks without autoblock
Open, Medium, Public, Security

Description

CentralAuth lock + suppress (oversight) is no longer applying autoblocks on local account blocks, allowing further registration of abusive account names.

Local blocks issued by the CentralAuth extension always had autoblock enabled.

A quick search in our logs shows this started to happen on or about June 1, 2021.

2b7a5cad7519 may be the cause (not sure). As you can see, rECAU includes/CentralAuthUser.php L1940 has 'enableAutoblock' => true, which is not being respected now.

Event Timeline

This is a direct consequence of T281972: ActorStore::checkDatabaseDomain: InvalidArgumentException: DB connection domain does not match when suppressing via Special:CentralAuth (CVE-2021-36128). Long story short, blocks aren't (yet) xwiki aware, and the only reason CentralAuth is able to issue any blocks at all is a ton of hacks. As of now, xwiki blocks kinda work (thanks to hacks), but autoblocks don't. Rather than having suppression not working at all, I thought disabling autoblocks until this resolves is an acceptable tradeoff (as suppression is the only case when locks offer _any_ sort of autoblock).

Both this task and T281972 will be resolved with T274817: Convert DatabaseBlock and AbstractBlock to UserIdentity, and make them cross-wiki aware (assuming the temporary autoblock disable would be removed).

I hope this makes sense.

Change 725894 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/CentralAuth@master] Reenable autoblocks for CentralAuth-issued suppression blocks

https://gerrit.wikimedia.org/r/725894

I don't think this needs to be private, there is nothing really here that is not publicly known.

Change 756131 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/CheckUser@master] Respect the wiki when performing autoblocks

https://gerrit.wikimedia.org/r/756131

Change 763788 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/core@master] Respect the wiki when performing autoblocks

https://gerrit.wikimedia.org/r/763788

@sbassett could you consider making this public. As I already wrote above, I don't see anything in the task that is not publicly known.


I think that should be fine, especially since the related gerrit change sets are all public anyways.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Feb 22 2022, 5:09 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.

Change 756131 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Respect the wiki when performing autoblocks

https://gerrit.wikimedia.org/r/756131

Change 763788 merged by jenkins-bot:

[mediawiki/core@master] Respect the wiki when performing autoblocks

https://gerrit.wikimedia.org/r/763788

Change 810381 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/core@master] block: Create wiki-aware target for autoblocks

https://gerrit.wikimedia.org/r/810381

Change 810381 merged by jenkins-bot:

[mediawiki/core@master] block: Create wiki-aware target for autoblocks

https://gerrit.wikimedia.org/r/810381