Page MenuHomePhabricator
Create Task
Maniphest T298581

Mobile version of Special:Contributions leaks existence of globally suppressed users (CVE-2022-28325)
Closed, ResolvedPublicSecurity
Actions

Assigned To
Jdlrobson
Authored By
Zabe
Jan 5 2022, 1:22 AM
Tags
Referenced Files
F34907706: contributions_desktop.png
Jan 5 2022, 1:22 AM
F34907710: mobile_contributions_expected.png
Jan 5 2022, 1:22 AM
F34907708: contributions_mobile.png
Jan 5 2022, 1:22 AM
Subscribers
Aklapper
bwang
cjming
DannyS712
dduvall
gerritbot
Jdlrobson
View All 14 Subscribers

Description

The account Suppressed is globally suppressed in my local wiki.

On the desktop view of Special:Contributions it is treated like a non-existent account.

contributions_desktop.png (326×715 px, 25 KB)

On mobile view not. For globally suppressed accounts it looks like the following.

contributions_mobile.png (252×478 px, 12 KB)

While for nonexistent account it looks like the following (yes it basically shows nothing, but that is unrelated).

mobile_contributions_expected.png (219×389 px, 11 KB)

I think this was fixed in the desktop version as part of T120883 (I can't say for sure since that ticket is still protected).

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
contributions: Use PermissionManager servicemediawiki/extensions/MobileFrontendmaster+28 -3
Use ->getAuthority() instead of ->getUser()mediawiki/extensions/MobileFrontendmaster+1 -1
SECURITY: contributions: Do not show contributions for hidden usersmediawiki/extensions/MobileFrontendmaster+4 -1
SECURITY: contributions: Do not show contributions for hidden usersmediawiki/extensions/MobileFrontendREL1_35+46 -0
SECURITY: contributions: Do not show contributions for hidden usersmediawiki/extensions/MobileFrontendREL1_37+4 -1
Customize query in gerrit

Related Objects

Event Timeline

Zabe created this task.Jan 5 2022, 1:22 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 5 2022, 1:22 AM
Zabe added projects: Vuln-Infoleak, MobileFrontend.Jan 5 2022, 1:22 AM
Zabe added subscribers: Jdlrobson, phuedx, nray, ovasileva.Jan 5 2022, 1:26 AM

Adding some readers team folks per https://www.mediawiki.org/wiki/Developers/Maintainers.

DannyS712 subscribed.Jan 5 2022, 9:44 AM

Confirmed to also apply to WMF prod, checked on enwiki
Relevant place to fix is probably https://gerrit.wikimedia.org/g/mediawiki/extensions/MobileFrontend/+/c16d95225b6195f19296d1b62c5391902b85a4b9/includes/specials/SpecialMobileContributions.php#81, something like (untested, I don't have mobile frontend installed locally)

if ( $this->user->isHidden() && !$this->getUser()->isAllowed( 'hideuser' ) ) {
	// Pretend like the user doesn't exist if they are hidden and the viewer
	// lacks the necessary rights
	$this->showPageNotFound();
	return;
}
phuedx added a comment.EditedJan 5 2022, 11:57 AM

@DannyS712's suggested fix is correct. I simply combined it with the line above the one they linked to:

T298581.patch
From dca9d3805893e1d3308475acbe55575c80291c6f Mon Sep 17 00:00:00 2001
From: Sam Smith <phuedx@wikimedia.org>
Date: Wed, 5 Jan 2022 11:40:09 +0000
Subject: [PATCH] SECURITY: contributions: Do not show contributions for hidden
 users

Bug: T298581
Change-Id: I4dbb315226af267d43154d1a5a5c4635d68d1038
---
 includes/specials/SpecialMobileContributions.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/includes/specials/SpecialMobileContributions.php b/includes/specials/SpecialMobileContributions.php
index 7a3ff3836..c00f64668 100644
--- a/includes/specials/SpecialMobileContributions.php
+++ b/includes/specials/SpecialMobileContributions.php
@@ -74,7 +74,10 @@ class SpecialMobileContributions extends SpecialMobileHistory {
 			}
 		}
 
-		if ( !$this->user ) {
+		if (
+			!$this->user
+			|| ( $this->user->isHidden() && !$this->getUser()->isAllowed( 'hideuser' ) )
+		) {
 			$this->showPageNotFound();
 			return;
 		}
-- 
2.33.1

With the patch applied and attempting to view the contributions of a suppressed user, I see the see the "Cannot look for contributions…" message as expected.

phuedx added subscribers: cjming, bwang, Jdrewniak.EditedJan 5 2022, 3:26 PM

Adding more Readers Web folks so that they can review the patch.

ovasileva triaged this task as High priority.Jan 5 2022, 3:41 PM
ovasileva added a project: Web-Team-Backlog (Kanbanana-FY-2021-22).
Jdlrobson added a comment.Jan 5 2022, 3:53 PM

@ovasileva another reason to prioritize the work in T219349. We keep getting errors like this while we use our bespoke version of this page.

sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.Jan 5 2022, 4:33 PM
sbassett subscribed.Jan 5 2022, 4:37 PM

@phuedx @Jdlrobson - if @phuedx's patch from T298581#7598274 looks good, I can deploy it to wmf.13 and wmf.16 soon, before the backport window in a couple of hours. It looks fine to me, but if anyone else who's closer to the code wanted to have a quick look, that would be nice.

Jdlrobson added a comment.Jan 5 2022, 4:38 PM

Fix looks fine to me.

sbassett added a comment.EditedJan 5 2022, 4:43 PM

@Zabe -

I think this was fixed in the desktop version as part of T120883 (I can't say for sure since that ticket is still protected).

Unfortunately that task needs to stay permanently private and it appears I can't just sub you to it for some reason, perhaps because it's also NDA-protected. But yes, it does appear that this issue was addressed across OutputPage, Article, Skin and SpecialContributions there, at least for the non-mobile views.

sbassett mentioned this in T297839: Write and send supplementary release announcement for extensions and skins with security patches (1.35.6/1.36.4/1.37.2).Jan 5 2022, 5:30 PM
sbassett lowered the priority of this task from High to Low.Jan 5 2022, 5:33 PM

The patch from T298581#7598274 has been deployed to wmf.13 and wmf.16. mediawiki-errors seems fine for now. Just testing a few globally suppressed accounts on enwiki, the patch appears to be working for me. Also now tracking at T276237 and T297839.

One small difference I noticed is that the fix for SpecialContributions for T120883 uses the PermissionsManager service to check the hideuser right instead of $this->getUser()->isAllowed( 'hideuser' ). I believe either are fine, but the PM service (or Authority) are the more modern approaches.

sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.Jan 5 2022, 5:34 PM
sbassett changed Risk Rating from N/A to Low.
Jdlrobson added a comment.Jan 5 2022, 5:46 PM

Just to check -we can post this to Gerrit now? if so I will happily merge.

Jdlrobson moved this task from Needs Analysis to Doing on the Web-Team-Backlog (Kanbanana-FY-2021-22) board.Jan 5 2022, 5:46 PM
Jdlrobson moved this task from Doing to Upcoming on the Web-Team-Backlog (Kanbanana-FY-2021-22) board.
sbassett added a comment.EditedJan 5 2022, 5:49 PM
In T298581#7599419, @Jdlrobson wrote:

Just to check -we can post this to Gerrit now? if so I will happily merge.

Yes. Once it's patched in WMF production, we can make the task public (I can do that now) and push any relevant backports through gerrit, if the relevant extension, etc. is not part of the bundled release. Which in this case, MobileFrontend is not. This issue will likely get a CVE for the next supplemental security release, where it will be re-disclosed/announced, sometime around the end of March 2022.

sbassett assigned this task to phuedx.Jan 5 2022, 5:50 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett added a subscriber: gerritbot.
phuedx added a comment.Jan 5 2022, 6:26 PM
In T298581#7599368, @sbassett wrote:

One small difference I noticed is that the fix for SpecialContributions for T120883 uses the PermissionsManager service to check the hideuser right instead of $this->getUser()->isAllowed( 'hideuser' ). I believe either are fine, but the PM service (or Authority) are the more modern approaches.

I'm happy to move to the more modern approach in a follow-on patch.

sbassett added a comment.Jan 5 2022, 7:32 PM
In T298581#7599559, @phuedx wrote:
In T298581#7599368, @sbassett wrote:

One small difference I noticed is that the fix for SpecialContributions for T120883 uses the PermissionsManager service to check the hideuser right instead of $this->getUser()->isAllowed( 'hideuser' ). I believe either are fine, but the PM service (or Authority) are the more modern approaches.

I'm happy to move to the more modern approach in a follow-on patch.

Sounds good, thanks.

sbassett added a project: SecTeam-Processed.Jan 5 2022, 7:45 PM
Jdlrobson added a comment.Jan 5 2022, 9:32 PM

@phuedx the web team committed to T293268 today so hopefully that means we'll see the back of this page in about a month or so.

gerritbot added a comment.Jan 5 2022, 9:36 PM

Change 751811 had a related patch set uploaded (by SBassett; author: Phuedx):

[mediawiki/extensions/MobileFrontend@master] SECURITY: contributions: Do not show contributions for hidden users

https://gerrit.wikimedia.org/r/751811

gerritbot added a project: Patch-For-Review.Jan 5 2022, 9:36 PM

Change 751827 had a related patch set uploaded (by SBassett; author: Phuedx):

[mediawiki/extensions/MobileFrontend@REL1_37] SECURITY: contributions: Do not show contributions for hidden users

https://gerrit.wikimedia.org/r/751827

gerritbot added a comment.Jan 5 2022, 9:48 PM

Change 751812 had a related patch set uploaded (by Zabe; author: Zabe):

[mediawiki/extensions/MobileFrontend@master] Use ->getAuthority() instead of ->getUser()

https://gerrit.wikimedia.org/r/751812

gerritbot added a comment.Jan 5 2022, 9:54 PM

Change 751828 had a related patch set uploaded (by RhinosF1; author: Phuedx):

[mediawiki/extensions/MobileFrontend@REL1_35] SECURITY: contributions: Do not show contributions for hidden users

https://gerrit.wikimedia.org/r/751828

gerritbot added a comment.Jan 5 2022, 9:56 PM

Change 751827 merged by jenkins-bot:

[mediawiki/extensions/MobileFrontend@REL1_37] SECURITY: contributions: Do not show contributions for hidden users

https://gerrit.wikimedia.org/r/751827

gerritbot added a comment.Jan 5 2022, 10:05 PM

Change 751828 abandoned by RhinosF1:

[mediawiki/extensions/MobileFrontend@REL1_35] SECURITY: contributions: Do not show contributions for hidden users

Reason:

https://gerrit.wikimedia.org/r/751828

gerritbot added a comment.Jan 5 2022, 10:12 PM

Change 751811 merged by jenkins-bot:

[mediawiki/extensions/MobileFrontend@master] SECURITY: contributions: Do not show contributions for hidden users

https://gerrit.wikimedia.org/r/751811

ReleaseTaggerBot added a project: MW-1.38-notes (1.38.0-wmf.17; 2022-01-10).Jan 5 2022, 11:00 PM
gerritbot added a comment.Jan 6 2022, 12:08 AM

Change 751812 merged by jenkins-bot:

[mediawiki/extensions/MobileFrontend@master] Use ->getAuthority() instead of ->getUser()

https://gerrit.wikimedia.org/r/751812

Maintenance_bot removed a project: Patch-For-Review.Jan 6 2022, 12:11 AM
gerritbot added a comment.Jan 6 2022, 12:35 PM

Change 751934 had a related patch set uploaded (by Phuedx; author: Phuedx):

[mediawiki/extensions/MobileFrontend@master] contributions: Use PermissionManager service

https://gerrit.wikimedia.org/r/751934

gerritbot added a project: Patch-For-Review.Jan 6 2022, 12:35 PM
Jdlrobson moved this task from Upcoming to Ready for Signoff on the Web-Team-Backlog (Kanbanana-FY-2021-22) board.Jan 6 2022, 10:29 PM
RhinosF1 subscribed.Jan 9 2022, 8:58 AM
gerritbot added a comment.Jan 10 2022, 10:23 AM

Change 751934 abandoned by Phuedx:

[mediawiki/extensions/MobileFrontend@master] contributions: Use PermissionManager service

Reason:

Per Daniel's comment above.

https://gerrit.wikimedia.org/r/751934

Maintenance_bot removed a project: Patch-For-Review.Jan 10 2022, 11:10 AM
Jdlrobson claimed this task.Jan 11 2022, 6:03 PM
dduvall subscribed.Jan 11 2022, 7:19 PM

Seems /srv/patches/1.38.0-wmf.17/extensions/MobileFrontend/01-T298581.patch has been merged already so I've removed it from the deployment server.

sbassett added a comment.Jan 11 2022, 7:25 PM
In T298581#7614136, @dduvall wrote:

Seems /srv/patches/1.38.0-wmf.17/extensions/MobileFrontend/01-T298581.patch has been merged already so I've removed it from the deployment server.

Ah, yes. I've updated T276237 to reflect this as well.

Jdlrobson edited projects, added MobileFrontend (MobileFrontend Special Pages); removed MobileFrontend.Jan 20 2022, 1:23 AM
Jdlrobson closed this task as Resolved.Jan 24 2022, 6:21 PM

LGTM. Note we plan to remove this special page in future to reduce security issues associated with this poorly maintained code: https://phabricator.wikimedia.org/T293268

sbassett renamed this task from Mobile version of Special:Contributions leaks existence of globally suppressed users to Mobile version of Special:Contributions leaks existence of globally suppressed users (CVE-2022-28325).May 2 2022, 2:48 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL