Page MenuHomePhabricator

[SEVERE DESIGN PROBLEM] OpenID-created account owners cannot set their e-mail address and/or reset their password when the account lacks an e-mail address or password - race condition
Open, HighPublic

Description

Well, the subject say it all.

After fixing bug20185 ( Changing your email address should require entering your password, see https://bugzilla.wikimedia.org/show_bug.cgi?id=20185#c5 ) the following problem exists when using OpenID extension in the mode "OpenID only".

  1. when a user has added an account via OpenID, and no e-mail data was set-up (from OpenID provider to MediaWiki account)
  1. there is already the link "reset password" in Special:Preferences
  2. but user cannot set ("reset password") their password
  3. because they do not have an e-mail address
  4. The cannot set up their e-mail address (with MediaWiki methods), because they do not have a password (required since r92924 .

An ad-hoc solution is:

  • add your e-mail address in your OpenID account,
  • and let this data be updated in your MediaWiki account when logging in with OpenID.

Activate in Special:Preferences#mw-prefsection-openid -->
"Update the following information from OpenID persona every time I log in: E-mail address"

A) Log-out from MediaWiki.
B) Set in your OpenId account that you want to transmit your e-mail address when logging in on the trusted site (your MediaWiki)
C) Log-in to MediaWiki
D) in Special:Preferences you will find your e-mail address set up
E) click "Reset Password" to let the MediaWiki send you a temporary password
F) goto your mail program, get the temporary password
G) return to your MediaWiki,
H) login with the temporary password and change it with a regular one

related to bug29027 (solved) and depending on bug20185 .

I filed this bug for tracking.


Version: unspecified
Severity: normal
URL: https://www.mediawiki.org/wiki/Extension:OpenID
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=35121

Details

Reference
bz34357

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 12:11 AM
bzimport set Reference to bz34357.
Wikinaut created this task.Feb 12 2012, 7:56 PM

This is *not* a blocker for wikis with OpenID as long as the standard password-login is not disabled ( $wgOpenIDOnly == false ).

No changes / updates for five weeks here - is this really highest priority (which implies some urgency)?

this is a * yes- keep alive ping - busy with even more important thing - this is not cookie licking *

Downgraded to normal. No user has complained so far.

"high" is more appropriate.

In short, this is the

"I-cannot-set-up-my-e-mail-address-because-I-do-not-know-my-password" problem.

It came up when MediaWiki core changed and required the account password, when users want to set-up or change their e-mail address (which makes definitely sense for security reasons).

If someone can help to find a solution, pls. let me know a.s.a.p.

We may want to allow a hook to update that part of the interface, so we could have OpenID (or similar extensions) remove it, whereas other extensions might want to do a 2nd factor check there.

Aaron might have another idea, since he implemented the check (iirc).

(In reply to comment #7)

We may want to allow a hook to update that part of the interface, so we could
have OpenID (or similar extensions) remove it, whereas other extensions might
want to do a 2nd factor check there.
Aaron might have another idea, since he implemented the check (iirc).

ok.

Please be reminded, that I already introduced a special way for the special case of $wgOpenIDOnly==true

This was fixed in 2011 in https://bugzilla.wikimedia.org/show_bug.cgi?id=29027 . See https://bugzilla.wikimedia.org/show_bug.cgi?id=29027#c1 for a detailed description (copied to here for convenience):

"fixed in r88848 .

When having the OpenID extension, the preference window basic information is
changed. The section "Password" shows now links to

case i) Change Password and Reset Password:

if a password already exists

case ii) Reset Password only:

if no password has been set for this account yet, because the user opened their
account by OpenID - which setPassword( null )

This is at least one possible way and avoids modification of
Special:PasswordReset (there is no login page when only OpenID logins and
account creations are possible ($wgOpenIDOnly==true) or Special:ChangePassword
pages."

I will add this hardening ad-hoc fix to prevent problems in the future:

*Disallow* wiki account creation in the case

  • new user wants to create an account (with their OpenID) and
  • $wgOpenIDOnly=true (i.e. logins and account creations are only allowed via OpenID) and
  • no e-mail address present, or e-mail address fails the Sanitizer:validEmail() test.

This avoids any account creation without e-mail address, which makes sense because the user could not change ro setup their password without having a (confirmed) e-mail address in their wiki account.

(In reply to T. Gries from comment #6)

In short, this is the
"I-cannot-set-up-my-e-mail-address-because-I-do-not-know-my-password"
problem.
It came up when MediaWiki core changed and required the account password,
when users want to set-up or change their e-mail address (which makes
definitely sense for security reasons).
If someone can help to find a solution, pls. let me know a.s.a.p.

Since MW 1.20.0 there is the $wgRequirePasswordforEmailChange parameter. Shouldn't this solve the issue. However, when talking about MW 1.19 we are still out of luck. However there are only 11 months of support left with the succeeding LTS already released.

[1] https://www.mediawiki.org/wiki/Manual:$wgRequirePasswordforEmailChange

@kgh thx for pointing me to this

You are welcome. I wish I had seen this bug before. However the big Kudos go to Reedy who made this parameter reality. This one was a life-saver on several of my wikis.

Aklapper removed Wikinaut as the assignee of this task.Jun 18 2015, 2:08 PM
Aklapper added a subscriber: Aklapper.

[Resetting task assignee to avoid cookie-licking. Please reclaim the task when you plan to actively work on this task. Thanks!]