Add CSRF checks to Special:CreateCategory
Status: Closed, Resolved (Public)

Description

Add and check csrf token in form

Special:CreateCategory doesn't add and validate an anti-CSRF token in the form. Logged-in users can be tricked into creating categories by visiting a site that makes a request on behalf of the user.

Basic patch attached, but I don't have a system to test this available. Can someone check this?


Version: unspecified
Severity: normal
URL: https://bugzilla.mozilla.org/show_bug.cgi?id=928470

Attached: 0001-SECURITY-Add-CSRF-check-to-CreateCategory.patch

bzimport set Reference to bz57025.

csteipp created this task. Via Legacy, Nov 13 2013, 7:15 PM

csteipp added a comment. Via Conduit, Nov 13 2013, 7:16 PM

Reported by Ravindra Singh Rathore to Mozilla.

Yaron_Koren added a comment. Via Conduit, Nov 13 2013, 8:22 PM

Hi Chris,

Thanks for this patch! A few questions and comments:

  • It looks like the method User::getEditToken() was only added in MediaWiki 1.19 - Semantic Forms currently supports MW 1.17 and higher, so there would need to be an "if" statement to only apply this handling for MW 1.19 and higher.
  • Would there be a benefit to displaying an error message if the token validation fails, instead of just ignoring the attempt as the current patch seems to do?
  • Semantic Forms defines four other special pages with similar forms: CreateProperty, CreateTemplate, CreateForm and CreateClass. I assume they could all similarly benefit from an anti-CSRF check?
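A minimal sketch of the fix the task describes, written here as an added example (it is not the attached patch or Semantic Forms' own code) covering the description above and the three points in this comment: the token is emitted with User::getEditToken(), checked with User::matchEditToken() on POST, gated on MW 1.19+ via method_exists(), and a failed check reports an error instead of silently dropping the request. The class name SpecialCreateCategoryExample, the form field names and the 1.18+ SpecialPage context accessors are assumptions.

```php
<?php
// Added illustration, not the Semantic Forms patch: a special page that
// emits and validates an edit token around a category-creation form.
// Assumes MediaWiki's SpecialPage, User, Html, Xml and Title classes.

class SpecialCreateCategoryExample extends SpecialPage {
	public function __construct() {
		parent::__construct( 'CreateCategoryExample' );
	}

	// User::getEditToken() exists from MW 1.19 on; older releases fall
	// through without a token, matching the compatibility concern above.
	private function csrfSupported() {
		return method_exists( $this->getUser(), 'getEditToken' );
	}

	public function execute( $query ) {
		$out = $this->getOutput();
		$request = $this->getRequest();
		$user = $this->getUser();
		$this->setHeaders();

		if ( $request->wasPosted() ) {
			// Before the fix, any POST reaching this branch was trusted, so a
			// cross-site form could create a category in the user's name.
			if ( $this->csrfSupported()
				&& !$user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
				// Reject with a visible message rather than ignoring silently.
				$out->addWikiMsg( 'sessionfailure' );
				return;
			}
			$title = Title::makeTitleSafe( NS_CATEGORY, $request->getVal( 'category_name' ) );
			if ( $title ) {
				// Hand off to the edit page for the new category (constructed flow).
				$out->redirect( $title->getFullURL( 'action=edit' ) );
			}
			return;
		}

		$form = Html::openElement( 'form', array( 'method' => 'post' ) )
			. Html::input( 'category_name' );
		if ( $this->csrfSupported() ) {
			// The token is bound to the session; a third-party page cannot read it.
			$form .= Html::hidden( 'wpEditToken', $user->getEditToken() );
		}
		$form .= Xml::submitButton( 'Create' ) . Html::closeElement( 'form' );
		$out->addHTML( $form );
	}
}
```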
csteipp added a comment. Via Conduit, Nov 13 2013, 8:28 PM

Yaron,

Yeah, feel free to update the patch. That was just something quick to address the issue. I wasn't sure how actively the extension is maintained.

If you can get a patch today, I'll add a note about it in the upcoming security release. Typically, just add a patch here, and we'll push it into gerrit when we make the announcement.

Or, if you need more time, we'll add it to the next one.

csteipp added a comment. Via Conduit, Nov 13 2013, 8:28 PM

(In reply to comment #2)

> Semantic Forms defines four other special pages with similar forms: CreateProperty, CreateTemplate, CreateForm and CreateClass. I assume they could all similarly benefit from an anti-CSRF check?

And yes, definitely, to this.

Yaron_Koren added a comment. Via Conduit, Dec 27 2013, 1:20 AM

Okay, this security vulnerability has now been fixed for those five special pages, for MW 1.19 and higher. Thanks for the patch!

I have to say that I was surprised by the comment about announcing this in a security release - I wasn't aware that the WMF ever made announcements about non-WMF extensions, security-related or otherwise.

demon added a comment. Via Conduit, Dec 27 2013, 1:24 AM

(In reply to comment #5)

> I have to say that I was surprised by the comment about announcing this in a
> security release - I wasn't aware that the WMF ever made announcements about
> non-WMF extensions, security-related or otherwise.

We don't. This is weird to me too :)

csteipp added a comment. Via Conduit, Dec 30 2013, 5:43 PM

Thanks Yaron, can you add links to the gerrit patches that fixed this?

(In reply to comment #6)

> (In reply to comment #5)
> > I have to say that I was surprised by the comment about announcing this in a
> > security release - I wasn't aware that the WMF ever made announcements about
> > non-WMF extensions, security-related or otherwise.
>
> We don't. This is weird to me too :)

We're using SemanticForms on Wikitech, so I assumed we treated it like a WMF-deployed extension. It's also widely enough deployed that I'll probably mention it when we do the release.

Adding Ryan/Coren so they can get wikitech patched.

Yaron_Koren added a comment. Via Conduit, Dec 30 2013, 6:19 PM

Yes, you found it. Well, it's nice to hear that SF is considered (by some) to be a WMF extension!

csteipp added a project: Security. Via Web, Mar 26 2015, 8:39 PM
