Page MenuHomePhabricator
Create Task
Maniphest T333050

CVE-2023-45363: RequestTimeoutException when querying pages redirected to other variants with redirects and converttitles set
Closed, ResolvedPublicSecurity
Actions

Description

Steps to replicate the issue (include links if applicable):

What happens?:
Query the page with redirects=1&converttitles=1
https://zh.wikipedia.org/w/api.php?action=query&format=jsonfm&titles=User:Xiplus/注销&redirects=1&converttitles=1&formatversion=2 gives

{
    "error": {
        "code": "internal_api_error_Wikimedia\\RequestTimeout\\RequestTimeoutException",
        "info": "[29504362-a016-4bc3-a4d6-5e095abc99ba] Caught exception of type Wikimedia\\RequestTimeout\\RequestTimeoutException",
        "errorclass": "Wikimedia\\RequestTimeout\\RequestTimeoutException"
    },
    "servedby": "mw2321"
}

https://zh.wikipedia.org/w/api.php?action=query&format=jsonfm&titles=User:Xiplus/註銷&redirects=1&converttitles=1&formatversion=2 gives

{
    "error": {
        "code": "internal_api_error_Wikimedia\\RequestTimeout\\RequestTimeoutException",
        "info": "[6ba7b057-19b8-4d6d-87ce-d1d911c95dd7] Caught exception of type Wikimedia\\RequestTimeout\\RequestTimeoutException",
        "errorclass": "Wikimedia\\RequestTimeout\\RequestTimeoutException"
    },
    "servedby": "mw2296"
}

Note: It works with only single option used.
https://zh.wikipedia.org/w/api.php?action=query&format=jsonfm&titles=User:Xiplus/註銷&converttitles=1&formatversion=2

{
    "batchcomplete": true,
    "query": {
        "pages": [
            {
                "pageid": 8322422,
                "ns": 2,
                "title": "User:Xiplus/註銷"
            }
        ]
    }
}

https://zh.wikipedia.org/w/api.php?action=query&format=jsonfm&titles=User:Xiplus/註銷&redirects=1&formatversion=2

{
    "batchcomplete": true,
    "query": {
        "redirects": [
            {
                "from": "User:Xiplus/註銷",
                "to": "User:Xiplus/注销"
            }
        ],
        "pages": [
            {
                "ns": 2,
                "title": "User:Xiplus/注销",
                "missing": true
            }
        ]
    }
}

Software version (skip for WMF-hosted wikis like Wikipedia):
1.41.0-wmf.1 (4de0415)

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
Fix infinite loop for self-redirects with variants conversionmediawiki/coreREL1_35+64 -1
Fix infinite loop for self-redirects with variants conversionmediawiki/coreREL1_40+62 -1
Fix infinite loop for self-redirects with variants conversionmediawiki/coreREL1_39+62 -1
Fix infinite loop for self-redirects with variants conversionmediawiki/corewmf/1.41.0-wmf.4+62 -1
Fix infinite loop for self-redirects with variants conversionmediawiki/coremaster+62 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Xiplus created this task.Mar 25 2023, 6:27 AM
Restricted Application added subscribers: Ericliu1912, Stang, Aklapper. · View Herald TranscriptMar 25 2023, 6:27 AM
gerritbot added a comment.Mar 25 2023, 2:12 PM

Change 902842 had a related patch set uploaded (by A2093064; author: A2093064):

[mediawiki/core@master] Fix infinite loop for self-redirects with variants conversion

https://gerrit.wikimedia.org/r/902842

gerritbot added a project: Patch-For-Review.Mar 25 2023, 2:12 PM
taavi set Security to Software security bug.Mar 25 2023, 3:03 PM
taavi added projects: Security, Security-Team.
taavi changed the visibility from "Public (No Login Required)" to "Custom Policy".
taavi changed the subtype of this task from "Bug Report" to "Security Issue".
taavi subscribed.

This is a DOS vector.

sbassett added a subscriber: gerritbot.Mar 27 2023, 4:22 PM
Mstyles moved this task from Incoming to In Progress on the Security-Team board.Apr 3 2023, 4:03 PM
sbassett added a subscriber: Jdlrobson.Apr 4 2023, 4:08 PM
thcipriani moved this task from Untriaged to Mar 2023 on the Wikimedia-production-error board.Apr 13 2023, 3:49 PM
matmarex added subscribers: Mstyles, matmarex.Apr 17 2023, 8:15 PM

(@Mstyles asked for someone to review the patch and I volunteered)

I recreated the scenario on a test wiki with the patch applied: https://patchdemo.wmflabs.org/wikis/f18e1e5ec5/wiki/User:Xiplus/註銷
…and a test wiki without the patch, for comparison: https://patchdemo.wmflabs.org/wikis/7f7146e7ca/wiki/User:Xiplus/註銷

The API doesn't time out, and the responses look correct to me, in both of the cases with '&redirects=1&converttitles=1'. It's a bit weird that the response is exactly the same in both cases, regardless of the order in which the redirect and the conversion happens, but I don't think there's any way to represent that in the output format we have.

PatchedUnpatched
f18e1e5ec5/w/api.php?action=query&titles=User:Xiplus/注销&redirects=1&converttitles=17f7146e7ca/w/api.php?action=query&titles=User:Xiplus/注销&redirects=1&converttitles=1
f18e1e5ec5/w/api.php?action=query&titles=User:Xiplus/註銷&redirects=1&converttitles=17f7146e7ca/w/api.php?action=query&titles=User:Xiplus/註銷&redirects=1&converttitles=1
{
    "batchcomplete": true,
    "query": {
        "converted": [
            {
                "from": "User:Xiplus/注销",
                "to": "User:Xiplus/註銷"
            }
        ],
        "redirects": [
            {
                "from": "User:Xiplus/註銷",
                "to": "User:Xiplus/注销"
            }
        ]
    }
}

The API responses in cases with just one or none of the parameters are the same as before:

PatchedUnpatched
f18e1e5ec5/w/api.php?action=query&titles=User:Xiplus/注销&redirects=17f7146e7ca/w/api.php?action=query&titles=User:Xiplus/注销&redirects=1
f18e1e5ec5/w/api.php?action=query&titles=User:Xiplus/註銷&redirects=17f7146e7ca/w/api.php?action=query&titles=User:Xiplus/註銷&redirects=1
f18e1e5ec5/w/api.php?action=query&titles=User:Xiplus/注销&converttitles=17f7146e7ca/w/api.php?action=query&titles=User:Xiplus/注销&converttitles=1
f18e1e5ec5/w/api.php?action=query&titles=User:Xiplus/註銷&converttitles=17f7146e7ca/w/api.php?action=query&titles=User:Xiplus/註銷&converttitles=1
f18e1e5ec5/w/api.php?action=query&titles=User:Xiplus/注销7f7146e7ca/w/api.php?action=query&titles=User:Xiplus/注销
f18e1e5ec5/w/api.php?action=query&titles=User:Xiplus/註銷7f7146e7ca/w/api.php?action=query&titles=User:Xiplus/註銷

I'm not really an expert in this area of the code, but I'm not sure if we have one, and this makes me sufficiently confident that this is the right fix.

Thank you for the bug report and the patch, @Xiplus!

matmarex updated the task description. (Show Details)Apr 17 2023, 8:17 PM
gerritbot added a comment.Apr 17 2023, 8:33 PM

Change 902842 merged by jenkins-bot:

[mediawiki/core@master] Fix infinite loop for self-redirects with variants conversion

https://gerrit.wikimedia.org/r/902842

sbassett subscribed.Apr 17 2023, 9:15 PM

Thanks, @matmarex and @Xiplus!

sbassett added a parent task: T333617: Tracking bug for MediaWiki 1.35.11/1.38.7/1.39.4/1.40.0.Apr 17 2023, 9:15 PM
gerritbot added a comment.Apr 17 2023, 9:34 PM

Change 909277 had a related patch set uploaded (by Zabe; author: A2093064):

[mediawiki/core@wmf/1.41.0-wmf.4] Fix infinite loop for self-redirects with variants conversion

https://gerrit.wikimedia.org/r/909277

Zabe subscribed.Apr 17 2023, 9:35 PM
gerritbot added a comment.Apr 17 2023, 9:53 PM

Change 909277 merged by jenkins-bot:

[mediawiki/core@wmf/1.41.0-wmf.4] Fix infinite loop for self-redirects with variants conversion

https://gerrit.wikimedia.org/r/909277

sbassett closed this task as Resolved.Apr 20 2023, 9:27 PM
sbassett assigned this task to Xiplus.
sbassett triaged this task as Medium priority.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.

I don't think there's anything else to be done here?

Stang moved this task from Backlog to Closed on the Chinese-Sites board.Apr 20 2023, 9:41 PM
Mstyles added a comment.Apr 24 2023, 4:40 PM

The security team would like to make this ticket public, is there any information on this ticket that should not be public? We don't see anything, but want to check.

Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".May 1 2023, 11:24 PM
Maintenance_bot removed a project: Patch-For-Review.May 1 2023, 11:30 PM
Winston_Sung moved this task from Backlog to Core on the MediaWiki-Language-converter board.EditedMay 2 2023, 2:39 AM
Winston_Sung subscribed.
This comment has been deleted.
sbassett changed Author Affiliation from N/A to Wikimedia Communities.May 2 2023, 3:08 PM
sbassett changed Risk Rating from N/A to Medium.
Stang unsubscribed.May 5 2023, 10:33 PM
ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.9; 2023-05-15).May 15 2023, 2:47 PM
sbassett added a project: Vuln-DoS.Jun 13 2023, 4:14 PM
gerritbot added a comment.Jun 30 2023, 5:44 PM

Change 934484 had a related patch set uploaded (by Reedy; author: A2093064):

[mediawiki/core@REL1_40] Fix infinite loop for self-redirects with variants conversion

https://gerrit.wikimedia.org/r/934484

gerritbot added a project: Patch-For-Review.Jun 30 2023, 5:44 PM

Change 934485 had a related patch set uploaded (by Reedy; author: A2093064):

[mediawiki/core@REL1_39] Fix infinite loop for self-redirects with variants conversion

https://gerrit.wikimedia.org/r/934485

gerritbot added a comment.Jun 30 2023, 5:44 PM

Change 934606 had a related patch set uploaded (by Reedy; author: A2093064):

[mediawiki/core@REL1_35] Fix infinite loop for self-redirects with variants conversion

https://gerrit.wikimedia.org/r/934606

Reedy removed a parent task: T333617: Tracking bug for MediaWiki 1.35.11/1.38.7/1.39.4/1.40.0.Jun 30 2023, 5:45 PM
gerritbot added a comment.Jun 30 2023, 5:59 PM

Change 934485 merged by jenkins-bot:

[mediawiki/core@REL1_39] Fix infinite loop for self-redirects with variants conversion

https://gerrit.wikimedia.org/r/934485

ReleaseTaggerBot added a project: MW-1.39-notes.Jun 30 2023, 6:00 PM
gerritbot added a comment.Jun 30 2023, 6:05 PM

Change 934484 merged by jenkins-bot:

[mediawiki/core@REL1_40] Fix infinite loop for self-redirects with variants conversion

https://gerrit.wikimedia.org/r/934484

gerritbot added a comment.Jun 30 2023, 6:17 PM

Change 934606 merged by jenkins-bot:

[mediawiki/core@REL1_35] Fix infinite loop for self-redirects with variants conversion

https://gerrit.wikimedia.org/r/934606

Maintenance_bot removed a project: Patch-For-Review.Jun 30 2023, 6:31 PM
ReleaseTaggerBot added projects: MW-1.40-notes, MW-1.35-notes.Jun 30 2023, 7:00 PM
Ericliu1912 unsubscribed.Jul 10 2023, 12:22 AM
Reedy added a parent task: Restricted Task.Sep 27 2023, 1:19 PM
MoritzMuehlenhoff subscribed.Oct 9 2023, 9:54 AM

This got CVE-2023-45363 assigned: https://www.cve.org/CVERecord?id=CVE-2023-45363

Reedy renamed this task from RequestTimeoutException when querying pages redirected to other variants with redirects and converttitles set to CVE-2023-45363: RequestTimeoutException when querying pages redirected to other variants with redirects and converttitles set.Oct 9 2023, 1:31 PM
Winston_Sung moved this task from Core to Security on the MediaWiki-Language-converter board.Dec 27 2023, 6:19 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL