Page MenuHomePhabricator
Create Task
Maniphest T340919

OAuth requests to MediaWiki endpoints not supporting OAuth should be rejected
Open, Needs TriagePublicBUG REPORT
Actions

Description

When sending an OAuth request to index.php, it will be interpreted as a valid anonymous request:

$ curl -sS -H "Authorization: Bearer 0000" -o /dev/null -D - https://en.wikipedia.org/wiki/Main_Page
HTTP/2 200
...

(It will be anonymous even if the access token is valid.)

It'd probably probably be less confusing to respond with a HTTP 400 or 403.

Details

SubjectRepoBranchLines +/-
Fail when OAuth is used with a non-API entry point (round 2)mediawiki/extensions/OAuthmaster+18 -3
Fail when OAuth is used with a non-API entry pointmediawiki/extensions/OAuthmaster+38 -17
Customize query in gerrit

Related Objects

Event Timeline

Tgr created this task.Jul 2 2023, 5:54 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 2 2023, 5:54 AM
Tgr mentioned this in T336624: MediaWiki does not redirect URL with OAuth credentials supplied.Jul 2 2023, 5:55 AM
Tgr added a comment.Jul 3 2023, 1:00 AM

(See also T252591: REST API endpoints give confusing errors for invalid OAuth2 access tokens.)

gerritbot added a comment.Jul 5 2023, 11:53 PM

Change 935818 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] Fail when OAuth is used with a non-API entry point

https://gerrit.wikimedia.org/r/935818

gerritbot added a project: Patch-For-Review.Jul 5 2023, 11:53 PM
gerritbot added a comment.Jul 9 2023, 8:00 PM

Change 935818 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Fail when OAuth is used with a non-API entry point

https://gerrit.wikimedia.org/r/935818

Maintenance_bot removed a project: Patch-For-Review.Jul 9 2023, 8:10 PM
ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.17; 2023-07-11).Jul 9 2023, 9:00 PM
LucasWerkmeister subscribed.Jul 12 2023, 2:52 PM

Note that this had to be partially reverted again (T341656); when we redo this, we need to ensure Special:OAuth keeps working.

Tgr added a comment.Jul 13 2023, 3:56 AM

Filed T341759: Create functional tests for core OAuth functionality, although given the lack of maintainership the task is aspirational.

gerritbot added a comment.Jul 20 2023, 3:38 AM

Change 939791 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] Fail when OAuth is used with a non-API entry point (round 2)

https://gerrit.wikimedia.org/r/939791

gerritbot added a project: Patch-For-Review.Jul 20 2023, 3:38 AM
gerritbot added a comment.Jul 21 2023, 7:01 PM

Change 939791 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Fail when OAuth is used with a non-API entry point (round 2)

https://gerrit.wikimedia.org/r/939791

Maintenance_bot removed a project: Patch-For-Review.Jul 21 2023, 7:10 PM
ReleaseTaggerBot edited projects, added MW-1.41-notes (1.41.0-wmf.19; 2023-07-25); removed MW-1.41-notes (1.41.0-wmf.17; 2023-07-11).Jul 21 2023, 8:00 PM
MusikAnimal mentioned this in T346400: AutoEdits sandbox cannot be used.Jan 16 2024, 6:04 PM
MusikAnimal mentioned this in rXT5374ae2bca38: AutomatedEditsHelper: query config page using action API.Jan 16 2024, 6:04 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits