Extensions can't fully block password changes
Closed, Resolved · Public


Special:PasswordReset can block password changes using the AbortLogin hook, and Special:ChangePassword can block password changes via $wgAuth->authenticate. The combination of these two approaches can work, but some extensions only implement one method or the other (and in some cases shouldn't implement both).

Lack of a consistent method for handling this leads to unexpected situations where a password can be changed, even though the extension author feels they are blocking it.

A hook should be added to Special:ChangePassword for this functionality.

Version: unspecified
Severity: normal
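An added example of the pattern the report is asking for, written for this page and not taken from the ticket, the attached patch, or any MediaWiki extension: a single enrollment-and-token check that is wired into both paths, the AbortLogin hook (which Special:PasswordReset goes through) and the proposed AbortChangePassword hook (for Special:ChangePassword), so the two forms cannot disagree about whether the password may be changed. It assumes the AbortChangePassword signature `( $user, $password, $newpassword, &$abortError )` with a `false` return aborting the change, the existing AbortLogin signature `( $user, $password, &$abort, &$msg )`, and `$wgHooks` registration. The preference name `examplesecondfactor-secret`, the form field `wpExampleSecondFactorToken`, the message keys, and the inline TOTP implementation are assumptions standing in for whatever the real extension uses.

```php
<?php
// Added example, not code from this ticket or the attached patch.
// Assumptions: MediaWiki's $wgHooks registration, the existing AbortLogin
// hook, and the proposed AbortChangePassword hook with the signature
// ( $user, $password, $newpassword, &$abortError ), returning false to abort.
// The preference, request field, message keys and TOTP code are illustrative.

class ExampleSecondFactorHooks {
    const PREF_SECRET = 'examplesecondfactor-secret';    // hypothetical preference (raw secret bytes)
    const TOKEN_FIELD = 'wpExampleSecondFactorToken';    // hypothetical form field

    /**
     * The one check shared by both paths. Putting it in one place is the
     * point: the reset form and the change form enforce the same rule.
     */
    private static function secondFactorSatisfied( User $user ) {
        $secret = $user->getOption( self::PREF_SECRET );
        if ( $secret === null || $secret === '' ) {
            return true; // user is not enrolled, nothing to enforce
        }
        $token = RequestContext::getMain()->getRequest()->getVal( self::TOKEN_FIELD, '' );
        return self::verifyTotp( $secret, $token, time() );
    }

    /**
     * RFC 6238 TOTP check (HMAC-SHA1, 30-second step, 6 digits), accepting
     * one step of clock drift either side. $secret is raw bytes.
     */
    public static function verifyTotp( $secret, $token, $now ) {
        if ( !preg_match( '/^[0-9]{6}$/', $token ) ) {
            return false;
        }
        $step = (int)floor( $now / 30 );
        for ( $offset = -1; $offset <= 1; $offset++ ) {
            if ( self::hotp( $secret, $step + $offset ) === $token ) {
                return true;
            }
        }
        return false;
    }

    /** RFC 4226 HOTP for a counter that fits in 32 bits (high word is zero). */
    private static function hotp( $secret, $counter ) {
        $msg = pack( 'N', 0 ) . pack( 'N', $counter );        // 64-bit big-endian counter
        $hash = hash_hmac( 'sha1', $msg, $secret, true );     // 20 raw bytes
        $offset = ord( $hash[19] ) & 0x0f;                    // dynamic truncation offset
        $code = ( ( ord( $hash[$offset] ) & 0x7f ) << 24 )
            | ( ord( $hash[$offset + 1] ) << 16 )
            | ( ord( $hash[$offset + 2] ) << 8 )
            | ord( $hash[$offset + 3] );
        return str_pad( (string)( $code % 1000000 ), 6, '0', STR_PAD_LEFT );
    }

    /** Covers Special:PasswordReset, which authenticates through the login path. */
    public static function onAbortLogin( User $user, $password, &$abort, &$msg ) {
        if ( self::secondFactorSatisfied( $user ) ) {
            return true;
        }
        $abort = LoginForm::ABORTED;
        $msg = 'examplesecondfactor-login-abort';            // hypothetical message key
        return false;
    }

    /** Covers Special:ChangePassword through the proposed hook. */
    public static function onAbortChangePassword( User $user, $password, $newpassword, &$abortError ) {
        if ( self::secondFactorSatisfied( $user ) ) {
            return true;
        }
        $abortError = 'examplesecondfactor-changepassword-abort'; // hypothetical message key
        return false;
    }
}

$wgHooks['AbortLogin'][] = 'ExampleSecondFactorHooks::onAbortLogin';
$wgHooks['AbortChangePassword'][] = 'ExampleSecondFactorHooks::onAbortChangePassword';
```

Without the second registration, the extension blocks the login used by a password reset but not a direct change through Special:ChangePassword, which is the inconsistency the report describes; with only `$wgAuth->authenticate`, an extension that is not the AuthPlugin cannot intervene at all. Registering the same check on both hooks closes both paths with one rule.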


bzimport set Reference to bz46590.
RyanLane created this task. Mar 27 2013, 5:12 AM

Patch to add AbortChangePassword hook

Patch still needs proper testing. Submitting for feedback.

Attached: AbortChangePassword.patch

Updated and tested patch

One minor fix in patch. Has been tested and is working.

Attached: AbortChangePassword.patch

Patch looks fine to me. I don't think the bug this fixes affects security (unless I'm missing something?), so I think we should make it public, put it in gerrit, and make sure other developers are on board with it.

This bug does allow for two-factor authentication (OATHAuth) to be bypassed by doing a password reset, if the attacker also has access to the victim's email.

This doesn't affect the cluster, so no need to patch there, but we'll add this to the next security release.

Created attachment 12210
patch for 1.19

Attached: 46590_119_git.patch

Related URL: https://gerrit.wikimedia.org/r/61631 (Gerrit Change I3469e90a958c4fb0f24cafd67de5590d3cc2f075)

Related URL: https://gerrit.wikimedia.org/r/61641 (Gerrit Change I3469e90a958c4fb0f24cafd67de5590d3cc2f075)

Related URL: https://gerrit.wikimedia.org/r/61644 (Gerrit Change I3469e90a958c4fb0f24cafd67de5590d3cc2f075)

Related URL: https://gerrit.wikimedia.org/r/62216 (Gerrit Change I3469e90a958c4fb0f24cafd67de5590d3cc2f075)

