
CVE-2025-12004: The compare API module breaks Extension:Lockdown
Closed, ResolvedPublicSecurity

Description

Extension:Lockdown allows any user with read permission to access content protected by the extension via Action API module compare.

Reproduction:

api.php?action=compare&fromid=<curid of protected article>&toid=1&prop=diff%7Cids%7Ctitle&formatversion=2

Checked against Special:ComparePages and this cannot be reproduced at first glance

Possibly relates to T297322 / CVE-2021-44858

Not discovered by me; this was exploited in the wild on https://lakeus.xyz/

Event Timeline

See https://lakeus.xyz/wiki/Special:Version for further info. compare module is disabled on the site now.

Related LocalSettings.php settings:

define("NS_EDITOR", 58088);
define("NS_EDITOR_TALK", 58089);

// EDITOR
$wgExtraNamespaces[NS_EDITOR] = "Editor";
$wgExtraNamespaces[NS_EDITOR_TALK] = "Editor_talk"; // Note underscores in the namespace name
$wgNamespacesWithSubpages[NS_EDITOR] = true;

$wgNamespaceAliases['编者空间'] = NS_EDITOR;
$wgNamespaceAliases['編者空間'] = NS_EDITOR;
$wgNamespaceAliases['编者空间讨论'] = NS_EDITOR_TALK;
$wgNamespaceAliases['編者空間討論'] = NS_EDITOR_TALK;

$wgNamespacePermissionLockdown[NS_EDITOR]['*'] = [ 'autopatrol', 'sysop', 'bureaucrat', 'staff' ];
$wgNamespacePermissionLockdown[NS_EDITOR_TALK]['*'] = [ 'autopatrol', 'sysop', 'bureaucrat', 'staff' ];
$wgNonincludableNamespaces[] = NS_EDITOR;
$wgNonincludableNamespaces[] = NS_EDITOR_TALK;
$wgNamespaceRobotPolicies[NS_EDITOR] = 'noindex';
$wgNamespaceRobotPolicies[NS_EDITOR_TALK] = 'noindex';

Unfortunately, ext:Lockdown seems largely unmaintained these days, so I'm not sure who to even add to this bug as potential maintainers. And ext:Lockdown and related extensions are unfortunately known to potentially have unexpected consequences like this:

[Attached image: lockdown-warning.png]

If someone would like to get a patch up for this issue, the Security-Team would be happy to help review it and add it to one of our upcoming supplemental security releases.

This is not a bug in Extension:Lockdown, it's a bug in ApiComparePages. ApiComparePages fails to call authorizeRead( 'read', $page ). It only performs permission checks for deleted revisions and deleted pages, it doesn't perform regular read access at all. Because of this, Lockdown cannot intervene.

Note that the equivalent REST endpoint, CompareHandler, performs this check correctly.
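As an added illustration (not the merged change 1162057, and not code from Extension:Lockdown), this trait shows the kind of check the comment above says ApiComparePages was missing: authorizing the 'read' action on the page a revision belongs to, which is the hook point $wgNamespacePermissionLockdown acts on, in addition to the existing rev-deleted check. The trait and method names are assumptions; the MediaWiki classes and methods used are real core APIs.

```php
<?php
// Added illustration, not the merged patch. Any ApiBase subclass can `use`
// this trait and call assertCanReadRevision() for both sides of a diff
// before rendering any content. Trait and method names are made up.

use MediaWiki\Page\PageIdentity;
use MediaWiki\Permissions\PermissionStatus;
use MediaWiki\Revision\RevisionRecord;

trait ReadAuthorizedApiTrait {

	/**
	 * Die with the standard API permission error unless the requesting
	 * Authority may read $page. Checking only deleted revisions/pages does
	 * not cover this: Lockdown (and $wgGroupPermissions['*']['read'])
	 * deny the 'read' action on the page, so this is the call that lets
	 * them intervene.
	 */
	private function assertCanReadPage( PageIdentity $page ): void {
		$status = PermissionStatus::newEmpty();
		if ( !$this->getAuthority()->authorizeRead( 'read', $page, $status ) ) {
			// Carries the permission errors collected by the hooks.
			$this->dieStatus( $status );
		}
	}

	/**
	 * Gate a revision the module is about to expose: first the page-level
	 * read, then the revision-level suppression (rev-deleted text), which
	 * is the part ApiComparePages already checked on its own.
	 */
	private function assertCanReadRevision( RevisionRecord $rev ): void {
		$this->assertCanReadPage( $rev->getPage() );
		if ( !$rev->userCan( RevisionRecord::DELETED_TEXT, $this->getAuthority() ) ) {
			$this->dieWithError( 'apierror-permissiondenied-generic' );
		}
	}
}
```

Calling the page-level check for every revision a module resolves (from, to, and any "relative" revision it looks up) is what keeps a namespace-level lockdown consistent between the Action API and the REST CompareHandler mentioned above.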

daniel triaged this task as High priority.
daniel added a project: MW-Interfaces-Team.

I pushed a fix. But it's likely that there are more places like this that expose "protected" content. MediaWiki just isn't made to keep stuff secret.

Ugh, I just realized I didn't follow the proper procedure for security patches. Now it's public on gerrit. Let's get it merged soon ;)

MediaWiki just isn't made to keep stuff secret.

Yeah, we only used Lockdown for keeping some content harder to access anyway (the actual content is still like a digest of public things, so nothing that serious would happen even if it leaks); but since someone explicitly exploits it, we had to report it here.

The related patch is cherry-picked on the site; compare module is re-enabled for testing.

Thank you for reporting the issue!

Related public patch: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1162057

Ideally we could get this merged today before TrainBranchBot runs. I'm happy to +2, but it would be nice if someone else with Action API knowledge could give it a quick glance.

The same issue has been also reported in T352786.

sbassett added subscribers: Squeak24, Kghbln.

Change #1162057 merged by jenkins-bot:

[mediawiki/core@master] Api: Fix permission checks in action=compare

https://gerrit.wikimedia.org/r/1162057

@sbassett do you think this is worth backporting to 1.44 and 1.43?

Yes, which should be fairly easy to do via gerrit's UI, I'd hope. Ideally we'd want to make a good faith effort to backport to any supported release branches. Assuming the relevant code existed on one of those branches and/or would not involve a significant refactor just to get the new code merged to said branches.

Change #1163793 had a related patch set uploaded (by SBassett; author: Daniel Kinzler):

[mediawiki/core@REL1_44] Api: Fix permission checks in action=compare

https://gerrit.wikimedia.org/r/1163793

Change #1163794 had a related patch set uploaded (by SBassett; author: Daniel Kinzler):

[mediawiki/core@REL1_43] Api: Fix permission checks in action=compare

https://gerrit.wikimedia.org/r/1163794

Change #1163795 had a related patch set uploaded (by SBassett; author: Daniel Kinzler):

[mediawiki/core@REL1_42] Api: Fix permission checks in action=compare

https://gerrit.wikimedia.org/r/1163795

Change #1163794 merged by jenkins-bot:

[mediawiki/core@REL1_43] Api: Fix permission checks in action=compare

https://gerrit.wikimedia.org/r/1163794

Change #1163795 merged by jenkins-bot:

[mediawiki/core@REL1_42] Api: Fix permission checks in action=compare

https://gerrit.wikimedia.org/r/1163795

Change #1163793 merged by jenkins-bot:

[mediawiki/core@REL1_44] Api: Fix permission checks in action=compare

https://gerrit.wikimedia.org/r/1163793

This has been merged to master, I will resolve.

Should this be set to public now that it's been fixed?

Sure. This issue will also be re-released with the next supplemental security release (T397776), due out at the end of September 2025.

sbassett changed Author Affiliation from N/A to Wikimedia Communities. Jul 8 2025, 2:43 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to High.
Mstyles renamed this task from The compare API module breaks Extension:Lockdown to CVE-2025-12004: The compare API module breaks Extension:Lockdown. Oct 21 2025, 6:20 AM