Page MenuHomePhabricator
Create Task
Maniphest T44334

Disabling two-factor authentication does not verify OATH token
Closed, ResolvedPublic
Actions

Description

When a user wants to disable the two-factor authentication, he/she needs to supply a valid token to verify the request. However, OATH does not verify the token value provided by the user – the token is just passed from SpecialOATH::tryDisableSubmit to OATHUser::disable, probably assuming the latter verifies it. Which it does not, OATHUser::disable just disables the two-factor authentication, without paying any attention to the passed token.

Version: unspecified
Severity: major

Details

Reference
bz42334

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 12:51 AM
bzimport added a project: MediaWiki-extensions-OATHAuth.
bzimport set Reference to bz42334.
Mormegil created this task.Nov 21 2012, 8:10 PM
Mormegil added a comment.Nov 21 2012, 8:42 PM

Patch committed to Gerrit as If5f6bc33.

RyanLane added a comment.Nov 21 2012, 8:55 PM

Thanks for the bug report and fix. It's merged in!

Luke081515 removed a subscriber: wikibugs-l-list.Jan 28 2016, 6:10 PM
Restricted Application added a subscriber: StudiesWorld. · View Herald TranscriptJan 28 2016, 6:10 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL