Page MenuHomePhabricator

E:OpenID as consumer: ChangePassword page is shown twice when attaching an OpenID to an existing account using the _temporary_ password
Open, MediumPublic

Description


Version: master
Severity: normal

Details

Reference
bz57579

Related Objects

StatusAssignedTask
OpenNone
OpenNone
OpenNone
DeclinedWikinaut
DeclinedNone
OpenNone
OpenNone
OpenNone
ResolvedTgr
ResolvedAnomie
ResolvedJoe
ResolvedJoe
Resolvedhashar
Resolved bd808
ResolvedAnomie
ResolvedKrinkle
OpenNone
ResolvedJanZerebecki
ResolvedKrinkle
ResolvedTgr

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 2:18 AM
bzimport set Reference to bz57579.
Wikinaut created this task.Nov 26 2013, 8:56 AM

This problem happens only when using the temporary password (password sent in PasswordReset mail).

E:OpenID as consumer: ChangePassword page is shown twice when attaching an OpenID to an existing account using the _temporary_ password.

The data filled in the first ChangePassword page is totally ignored (for example, the new password values are not checked for equality).

The second ChangePassword is treated correctly and action ends successful when entering the temporary password and 2x the new passord, as it should be.

I added you, because I need your help to find the "last" bug in E:OpenID.

Look for function attachUser() in SpecialOpenIDLogin.body.php .

For example look to https://git.wikimedia.org/blob/mediawiki%2Fextensions%2FOpenID/a4471ef088c5f3b7627126470ae2debc511f4865/SpecialOpenIDLogin.body.php#L909

Can someone spot what's wrong there.

You also need the patch of core SpecialChangePassword https://gerrit.wikimedia.org/r/#/c/96651/ , otherwise SpecialChangePassword does not know that you were using the Temporary password, and want that dialog (text: 'Temporary password' instead of text 'Old password' on the Change Password page).

I found (and fixed locally in my test installations) this bug.

Solution was:

adding an additional check of the pre-login csrf token (which is injected in SpecialOpenIDLogin/ChooseName in SpecialChangePassword::execute().

So my patch changes that SpecialChangePassword (now) requires either the valid $wgUser( editToken) _or_ a valid preLogin-Token.

(Chris: you were correct! I could not find back the tip you've sent me, otherwsie I would have added a pointer here.)

A formal patch will follow.

Aklapper removed Wikinaut as the assignee of this task.Jun 18 2015, 2:08 PM
Aklapper added a subscriber: Aklapper.

[Resetting task assignee to avoid cookie-licking. Please reclaim the task when you plan to actively work on this task. Thanks!]