Page MenuHomePhabricator
Create Task
Maniphest T335702

createAndPromote.php throws an error when the provided password for a newly created user is not valid according to the password policy
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

  • Run php run.php createAndPromote.php T335702 ' '

What happens?:

[9f644d3d3abdf5fdf514e3c5] [no req]   PasswordError: Passwords must be at least 8 characters.
Backtrace:
from ./mediawiki/maintenance/createAndPromote.php(141)
#0  ./mediawiki/maintenance/includes/MaintenanceRunner.php(681): CreateAndPromote->execute()
#1 ./mediawiki/maintenance/run.php(51): MediaWiki\Maintenance\MaintenanceRunner->run()
#2 {main}

A user is created, they have no password at all. (No ability to authenticate)

What should have happened instead?:

A better error (not a stack trace) is shown and no user is created, as the provided password was invalid.

Software version (skip for WMF-hosted wikis like Wikipedia):
Latest master (rMW446d11dfba317108ac79b54107288ef580af26d7)

Other information (browser name/version, screenshots, etc.):
This happened before, apparently, see T21157: createAndPromote error on bad password.

Also, the row in the database has no value for user_password, it is an empty string.

Details

Other Assignee
Mainframe98
SubjectRepoBranchLines +/-
createAndPromote.php: Do not show stack trace on user errormediawiki/coremaster+1 -1
createAndPromote.php: check password before creating the usermediawiki/coremaster+17 -4
Customize query in gerrit

Related Objects

Event Timeline

Mainframe98 created this task.May 1 2023, 4:43 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 1 2023, 4:43 PM
Mainframe98 added a project: MediaWiki-Core-AuthManager.May 1 2023, 4:47 PM
Mainframe98 updated the task description. (Show Details)
Mainframe98 updated the task description. (Show Details)May 1 2023, 4:51 PM
Tgr subscribed.May 2 2023, 8:30 PM

Probably the error handling in the maintenance framework changed? createAndPromote.php always threw a PasswordError.

T21157 seems unrelated (also, ancient).

Mainframe98 added a comment.May 5 2023, 5:23 PM

For T21157, the description matches:

If createAndPromote is fed a bad password, the account is created anyway. Should roll back the creation if we can't make a valid PW.

Which is something createAndPromote should do. I don't have a preference about throwing an error, although displaying a stack trace seems unnecessary.

gerritbot added a comment.May 5 2023, 8:27 PM

Change 916602 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] createAndPromote.php: Do not show stack trace on user error

https://gerrit.wikimedia.org/r/916602

gerritbot added a project: Patch-For-Review.May 5 2023, 8:27 PM
Tgr added a comment.May 5 2023, 8:29 PM

When you give an invalid password, the user gets created but the password does not get set. There isn't really a good way to roll back user creation at that point.

Mainframe98 added a comment.May 5 2023, 8:46 PM

I'd noticed that too. Maybe just print a warning then? Or generate a valid password and print that perhaps, although given the flexibility of password policy requirements, that might not be achievable.

gerritbot added a comment.May 6 2023, 8:45 AM

Change 916687 had a related patch set uploaded (by Mainframe98; author: Mainframe98):

[mediawiki/core@master] createAndPromote.php: check password before creating the user

https://gerrit.wikimedia.org/r/916687

Mainframe98 added a comment.May 6 2023, 10:56 AM

I0ce7c2cd3eed958bb99f1a2e7c4a45c51668869d takes a different approach: check the password before creation. This will only fail like mentioned in the description when the groups added have a different password policy than the default. That should be rare: most times those group changes happen on-wiki to record them in the logs.

Mainframe98 updated the task description. (Show Details)May 6 2023, 10:58 AM
gerritbot added a comment.May 6 2023, 1:46 PM

Change 916687 merged by jenkins-bot:

[mediawiki/core@master] createAndPromote.php: check password before creating the user

https://gerrit.wikimedia.org/r/916687

gerritbot added a comment.May 6 2023, 2:34 PM

Change 916602 merged by jenkins-bot:

[mediawiki/core@master] createAndPromote.php: Do not show stack trace on user error

https://gerrit.wikimedia.org/r/916602

Mainframe98 closed this task as Resolved.May 6 2023, 2:52 PM
Mainframe98 assigned this task to Tgr.
Mainframe98 updated Other Assignee, added: Mainframe98.
Mainframe98 removed a project: Patch-For-Review.
ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.10; 2023-05-23).May 16 2023, 1:02 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL