Add CSRF checks to Special:CreateCategory
Closed, Resolved. Public

Description

Add and check csrf token in form

Special:CreateCategory doesn't add and validate an anti-CSRF token in the form. Logged-in users can be tricked into creating categories by visiting a site that makes a request on behalf of the user.

Basic patch attached, but I don't have a system to test this available. Can someone check this?


Version: unspecified
Severity: normal
URL: https://bugzilla.mozilla.org/show_bug.cgi?id=928470

Attached: 0001-SECURITY-Add-CSRF-check-to-CreateCategory.patch

bzimport set Reference to bz57025.
csteipp created this task. Via Legacy, Nov 13 2013, 7:15 PM

csteipp added a comment. Via Conduit, Nov 13 2013, 7:16 PM

Reported by Ravindra Singh Rathore to Mozilla.

Yaron_Koren added a comment. Via Conduit, Nov 13 2013, 8:22 PM

Hi Chris,

Thanks for this patch! A few questions and comments:

  • It looks like the method User::getEditToken() was only added in MediaWiki 1.19 - Semantic Forms currently supports MW 1.17 and higher, so there would need to be an "if" statement to only apply this handling for MW 1.19 and higher.
  • Would there be a benefit to displaying an error message if the token validation fails, instead of just ignoring the attempt as the current patch seems to do?
  • Semantic Forms defines four other special pages with similar forms: CreateProperty, CreateTemplate, CreateForm and CreateClass. I assume they could all similarly benefit from an anti-CSRF check?
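
The pattern discussed in this task, as an added example that is not part of the thread, the attached patch, or Semantic Forms' code: a special page that embeds an edit token in its form, validates it on POST, and shows an error when validation fails. It assumes MediaWiki 1.19 or later; the class name `SpecialExampleCreateCategory` and the `category_name` field are hypothetical.

```php
<?php
// Added illustration for MediaWiki 1.19+; the class name and the
// 'category_name' field are hypothetical, not Semantic Forms code.
class SpecialExampleCreateCategory extends SpecialPage {
	public function __construct() {
		parent::__construct( 'ExampleCreateCategory' );
	}

	public function execute( $par ) {
		$this->setHeaders();
		$request = $this->getRequest();
		$user = $this->getUser();
		$out = $this->getOutput();

		if ( $request->wasPosted() ) {
			// The token is bound to the user's session, so a form on
			// another site cannot supply a matching value.
			$token = $request->getVal( 'wpEditToken' );
			if ( $user->matchEditToken( $token ) ) {
				$name = trim( $request->getText( 'category_name' ) );
				if ( $name !== '' ) {
					// Stand-in for the real state change (saving the page).
					$out->addHTML( Html::element( 'p', array(),
						"Would create Category:$name" ) );
					return;
				}
			} else {
				// Report the failure instead of silently dropping the request.
				$out->addWikiMsg( 'sessionfailure' );
			}
		}

		// Always render the form with a fresh token in a hidden field.
		// getTitle() is the 1.19-era call; later versions use getPageTitle().
		$out->addHTML(
			Html::openElement( 'form', array(
				'method' => 'post',
				'action' => $this->getTitle()->getLocalURL(),
			) ) .
			Html::input( 'category_name', $request->getText( 'category_name' ) ) .
			Html::hidden( 'wpEditToken', $user->getEditToken() ) .
			Xml::submitButton( 'Create' ) .
			Html::closeElement( 'form' )
		);
	}
}
```
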
csteipp added a comment. Via Conduit, Nov 13 2013, 8:28 PM

Yaron,

Yeah, feel free to update the patch. That was just something quick to address the issue. I wasn't sure how actively the extension is maintained.

If you can get a patch today, I'll add a note about it in the upcoming security release. Typically, just add a patch here, and we'll push it into gerrit when we make the announcement.

Or, if you need more time, we'll add it to the next one.

csteipp added a comment. Via Conduit, Nov 13 2013, 8:28 PM

(In reply to comment #2)

  • Semantic Forms defines four other special pages with similar forms: CreateProperty, CreateTemplate, CreateForm and CreateClass. I assume they could all similarly benefit from an anti-CSRF check?

And yes, definitely, to this.

Yaron_Koren added a comment. Via Conduit, Dec 27 2013, 1:20 AM

Okay, this security vulnerability has now been fixed for those five special pages, for MW 1.19 and higher. Thanks for the patch!

I have to say that I was surprised by the comment about announcing this in a security release - I wasn't aware that the WMF ever made announcements about non-WMF extensions, security-related or otherwise.

demon added a comment. Via Conduit, Dec 27 2013, 1:24 AM

(In reply to comment #5)

I have to say that I was surprised by the comment about announcing this in a
security release - I wasn't aware that the WMF ever made announcements about
non-WMF extensions, security-related or otherwise.

We don't. This is weird to me too :)

csteipp added a comment. Via Conduit, Dec 30 2013, 5:43 PM

Thanks Yaron, can you add links to the gerrit patches that fixed this?

(In reply to comment #6)

(In reply to comment #5)
> I have to say that I was surprised by the comment about announcing this in a
> security release - I wasn't aware that the WMF ever made announcements about
> non-WMF extensions, security-related or otherwise.

We don't. This is weird to me too :)

We're using SemanticForms on Wikitech, so I assumed we treated it like a WMF-deployed extension. It's also widely enough deployed that I'll probably mention it when we do the release.

Adding Ryan/Coren so they can get wikitech patched.

Yaron_Koren added a comment. Via Conduit, Dec 30 2013, 6:19 PM

Yes, you found it. Well, it's nice to hear that SF is considered (by some) to be a WMF extension!

csteipp added a project: Security. Via Web, Mar 26 2015, 8:39 PM
