Page MenuHomePhabricator
Create Task
Maniphest T36212

ApiBlock/ApiUnblock allow action to take place without a token parameter present
Closed, ResolvedPublic
Actions

Description

Fix!

It was noted on IRC by "Krenair" that the block/unblock modules in the API would allow a user to block/unblock another user without passing a token (never mind whether the token was actually valid)

Some poking around and I noticed it was due to the 'gettoken' parameter that both have, whereas the other modules do not have this.

$foo['bar'] = false;
...
!isset( $foo['bar'] ) evaluates to false, and it meant the code to die for a missing token parameter was never met due to the wrong evaluation

if ( $salt !== false && !$moduleParams['gettoken'] ) {

Version: unspecified
Severity: normal

Attached:

gettoken.patch584 BDownload

Details

Reference
bz34212

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedNoneT36212 ApiBlock/ApiUnblock allow action to take place without a token parameter present

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 12:11 AM
bzimport added a project: MediaWiki-Action-API.
bzimport set Reference to bz34212.
bzimport added a subscriber: Unknown Object (MLST).
Reedy created this task.Feb 5 2012, 6:27 PM
Reedy added a comment.Feb 5 2012, 6:30 PM

Fixed it on the cluster.

I'm presuming this warrants a security release of some sort?

Reedy added a comment.Feb 5 2012, 6:37 PM

Both REL1_17 and REL1_18 are vulnerable to this too

Catrope added a comment.Feb 8 2012, 2:03 PM

Ouch, this was an embarrassing oversight on my part ~3 years ago.

Patch looks good.

MarkAHershberger added a comment.Feb 11 2012, 6:45 PM

I'm confused: why isn't this patched on trunk?

Reedy added a comment.Feb 11 2012, 8:14 PM

Although its a crsf issue, its not a major issue, as its in quite a small use case.

Hence it warrants a security release, but it's not urgent. issue is patched on wmf currently.

It can wait for the next releases, or a more important fix also

MZMcBride added a comment.Mar 22 2012, 7:46 PM

Related revision: r114429.

csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL