Page MenuHomePhabricator
Create Task
Maniphest T309028

action=edit&redirect=true bypasses protection
Closed, ResolvedPublicSecurity
Actions

Description

List of steps to reproduce (step by step, including full links if applicable):
*Steps to reproduce not yet available, example of recent occurrence below:

On the English Wikipedia, a edit to a sysop-protected page was made, despite the editor not having the editprotected or protect rights
*Edit in question: https://en.wikipedia.org/w/index.php?title=User%3AQst&type=revision&diff=1088768331&oldid=981612139
*On page: https://en.wikipedia.org/wiki/User:Qst
*By User: https://en.wikipedia.org/wiki/User:SDZeroBot
*Examine output: https://en.wikipedia.org/wiki/Special:AbuseFilter/examine/1507548235

What happens?:
*The edit was allowed.

What should have happened instead?":
*The edit should have been disallowed

Software version (if not a Wikimedia wiki), browser information, screenshots, other information, etc.:

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
SECURITY: ApiEditPage: update title after redirectsmediawiki/coremaster+3 -1
SECURITY: ApiEditPage: update title after redirectsmediawiki/coreREL1_38+3 -1
Customize query in gerrit

Related Objects

Event Timeline

Xaosflux created this task.May 23 2022, 2:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 23 2022, 2:46 PM
Xaosflux updated the task description. (Show Details)May 23 2022, 2:47 PM
Pppery subscribed.May 23 2022, 2:48 PM
Xaosflux updated the task description. (Show Details)May 23 2022, 2:48 PM
SD0001 subscribed.May 23 2022, 3:00 PM
Urbanecm set Security to Software security bug.May 23 2022, 3:00 PM
Urbanecm added projects: Security, Security-Team.
Urbanecm changed the visibility from "Public (No Login Required)" to "Custom Policy".
Urbanecm changed the subtype of this task from "Bug Report" to "Security Issue".
Urbanecm subscribed.

this is a security bug

Urbanecm added a subscriber: stwalkerster.May 23 2022, 3:01 PM
Xaosflux added a comment.May 23 2022, 3:02 PM

Just realized, I opened T309031 as the security report for the issue in general

stwalkerster merged a task: Restricted Task.May 23 2022, 3:02 PM
Urbanecm added a comment.May 23 2022, 3:03 PM
In T309028#7950217, @Xaosflux wrote:

Just realized, I opened T309031 as the security report for the issue in general

FYI, there's "promote to security issue" in the top-right menu you can click to fix those kind of mistakes.

taavi claimed this task.May 23 2022, 3:05 PM
taavi triaged this task as High priority.
Xaosflux merged a task: Restricted Task.May 23 2022, 3:07 PM
stwalkerster added a comment.EditedMay 23 2022, 3:07 PM

Bringing info across from duplicates T309030 and T309031 - this is an API edit request through a redirect.

Given:

An API call by a non-admin user as such:

  • action=edit
  • redirect=true
  • title=User:Stwalkerster/sandbox2
  • appendtext=Test edit
  • summary=test

The fully-protected page is edited by a non-admin. See https://en.wikipedia.org/w/index.php?title=User:Stwalkerster/sandbox&action=history

taavi added a comment.May 23 2022, 3:07 PM

Proposed patch:

0001-SECURITY-ApiEditPage-update-title-after-redirects.patch1 KBDownload

taavi renamed this task from edit allowed despite protection to action=edit&redirect=true bypasses protection.May 23 2022, 3:08 PM
taavi added a project: MediaWiki-Action-API.
DannyS712 subscribed.May 23 2022, 3:26 PM
In T309028#7950254, @Majavah wrote:

Proposed patch:

0001-SECURITY-ApiEditPage-update-title-after-redirects.patch1 KBDownload

+2 approved, happy to test during deployment if you want

taavi added a comment.May 23 2022, 3:35 PM

Noting here that this was posted on a public forum :( https://en.wikipedia.org/wiki/Wikipedia:Village_pump_(technical)#Edit_to_User:Qst

In T309028#7950254, @Majavah wrote:

Proposed patch:

0001-SECURITY-ApiEditPage-update-title-after-redirects.patch1 KBDownload

Deployed (SAL) after this was approved by @Urbanecm on _security.

In T309028#7950300, @DannyS712 wrote:

+2 approved, happy to test during deployment if you want

Thanks for the offer, but we already deployed this.

TheresNoTime subscribed.May 23 2022, 3:40 PM
In T309028#7950336, @Majavah wrote:

Noting here that this was posted on a public forum :( https://en.wikipedia.org/wiki/Wikipedia:Village_pump_(technical)#Edit_to_User:Qst

Macro scremcat:

Xaosflux added a comment.May 23 2022, 3:56 PM

Root Cause? Was this a recent regression? Can't imagine this has been a long-standing bug that was just discovered.

DannyS712 added a comment.May 23 2022, 4:00 PM
In T309028#7950441, @Xaosflux wrote:

Root Cause? Was this a recent regression? Can't imagine this has been a long-standing bug that was just discovered.

I believe this is from T290639: Move redirect lookup logic into a service object and rMW8fe9e0317f2c: Introduce `Redirect(Lookup&Store)` services to handle redirects - previously the target of a redirect always updated $titleObj
We should include this in 1.38 before its released

TheresNoTime added a comment.EditedMay 23 2022, 4:00 PM

(wot @DannyS712 said ^)

DannyS712 added a project: MW-1.38-release.May 23 2022, 4:01 PM
taavi added a comment.May 23 2022, 4:04 PM

Could someone check that 8fe9e0317f2c didn't introduce any similar bugs to EditPage please?

Xaosflux added a project: Regression.May 23 2022, 4:05 PM
DannyS712 added a comment.EditedMay 23 2022, 4:06 PM
In T309028#7950467, @Majavah wrote:

Could someone check that 8fe9e0317f2c didn't introduce any similar bugs to EditPage please?

{{looking}}
Appears to have introduced a minor bug where ContentTransformer::preloadTransform() will be called for the wrong title, but nothing that bypasses protection - edit page doesn't care if a page is a redirect, you can still edit it, but the api will try to edit the redirect target instead. Is it okay to send the ContentTransformer fix on gerrit? Or would that raise flags?

Urbanecm added a subscriber: Primefac.May 23 2022, 7:27 PM
Xaosflux added a comment.May 23 2022, 8:40 PM

Just checking, from a deployment perspective is this currently remediated on WMF wikis? Tests seem to be passing on testwiki now.

Xaosflux added a subscriber: Izno.May 23 2022, 8:52 PM
TheresNoTime added a comment.May 23 2022, 9:19 PM
In T309028#7951278, @Xaosflux wrote:

Just checking, from a deployment perspective is this currently remediated on WMF wikis? Tests seem to be passing on testwiki now.

(just in case you didn't get an answer here @Xaosflux, yes a patch was deployed to WMF wikis)

sbassett added a parent task: T305200: Tracking bug for MediaWiki 1.35.7/1.37.3/1.38.2.May 26 2022, 7:55 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.May 31 2022, 4:28 PM
Reedy added a subscriber: gerritbot.Jun 2 2022, 8:26 PM
gerritbot added a comment.Jun 2 2022, 8:49 PM

Change 802632 had a related patch set uploaded (by Reedy; author: Majavah):

[mediawiki/core@master] SECURITY: ApiEditPage: update title after redirects

https://gerrit.wikimedia.org/r/802632

gerritbot added a project: Patch-For-Review.Jun 2 2022, 8:49 PM

Change 802608 had a related patch set uploaded (by Reedy; author: Majavah):

[mediawiki/core@REL1_38] SECURITY: ApiEditPage: update title after redirects

https://gerrit.wikimedia.org/r/802608

gerritbot added a comment.Jun 2 2022, 9:01 PM

Change 802608 merged by jenkins-bot:

[mediawiki/core@REL1_38] SECURITY: ApiEditPage: update title after redirects

https://gerrit.wikimedia.org/r/802608

gerritbot added a comment.Jun 2 2022, 9:33 PM

Change 802632 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: ApiEditPage: update title after redirects

https://gerrit.wikimedia.org/r/802632

Reedy removed a project: Patch-For-Review.Jun 2 2022, 11:22 PM
Reedy subscribed.

Merged to master and REL1_38 so it could be included in the 1.38.0 release; didn't see much reason holding it for 1.38.1 when it only affected releases without stable branches.

Xaosflux added a subscriber: Oshwah.Jun 3 2022, 12:39 PM
Jdforrester-WMF subscribed.Jun 3 2022, 1:39 PM

Time to mark this public and Resolved?

Jdforrester-WMF added projects: MW-1.38-notes, MW-1.39-notes (1.39.0-wmf.15; 2022-06-06).Jun 3 2022, 6:44 PM
sbassett closed this task as Resolved.Jun 3 2022, 9:25 PM
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
sbassett subscribed.
In T309028#7979081, @Jdforrester-WMF wrote:

Time to mark this public and Resolved?

Yes.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.Jun 3 2022, 9:25 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed Risk Rating from N/A to Low.
NguoiDungKhongDinhDanh subscribed.Jun 4 2022, 2:01 AM
Zabe subscribed.Jun 6 2022, 1:46 PM
Reedy removed a parent task: T305200: Tracking bug for MediaWiki 1.35.7/1.37.3/1.38.2.Jun 6 2022, 2:59 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL