Page MenuHomePhabricator
Create Task
Maniphest T70843

MassMessage::getMessengerUser() takeover broken due to Password API changes
Closed, ResolvedPublic
Actions

Description

In MassMessage::getMessengerUser(), we do some evil things to create a system account that cannot be logged into:

$user = User::newFromName( $wgMassMessageAccountUsername );
$user->load();
if ( $user->getId() && $user->mPassword == '' && $user->mNewpassword == '' ) {
// We've already stolen the account
return $user;
}

Problems here are:

a) User::load() no longer loads the password members, so we can't check if they are equal to empty string.
b) null == '', should have been using triple equals.

Also, AbuseFilter has a very similar function (I got the idea from it), so we'll need to patch this there too.

Version: unspecified
Severity: major

Details

Reference
bz68843

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!.Nov 22 2014, 3:35 AM
bzimport added a project: MassMessage.
bzimport set Reference to bz68843.
bzimport added a subscriber: Unknown Object (MLST).
Legoktm created this task.Jul 30 2014, 5:01 AM
Legoktm added a comment.Jul 30 2014, 5:09 AM

From my reading of User::setInternalPassword(), an InvalidPassword-type password is saved for the user. But I don't see any non-hacky way for me to check whether a user has that password type. Am I missing something?

Parent5446 added a comment.Jul 30 2014, 10:29 AM

:/ is there a reason an actual account is being created and registered (as opposed to just adding the username to $wgReservedUsernames)?

Legoktm added a comment.Jul 30 2014, 5:12 PM

(In reply to Tyler Romeo from comment #2)

:/ is there a reason an actual account is being created and registered (as
opposed to just adding the username to $wgReservedUsernames)?

Yes. We do this so local wikis can adjust the accounts' user groups if they wish to (some remove it from the "bot" group it auto-adds itself to), or if they want to block the account for whatever reason.

wctaiwan added a comment.Jul 31 2014, 7:15 AM

The password API changes in question were https://gerrit.wikimedia.org/r/#/c/77645/

The breaking test has been temporarily commented out in https://gerrit.wikimedia.org/r/#/c/150770/

Legoktm added a comment.Aug 3 2014, 7:51 PM

Ideas on how to fix...

  • Have User::load() call loadPasswords() - fixes all back-compat issues
  • Make loadPasswords() public
  • Add getPassword()/getTemporaryPassword() accessors and make the member variables private
  • Have MM call checkPassword() with a dummy value and then check ->mPassword directly (ewwww)
Parent5446 added a comment.Aug 3 2014, 11:45 PM

(In reply to Kunal Mehta (Legoktm) from comment #5)

Ideas on how to fix...

  • Have User::load() call loadPasswords() - fixes all back-compat issues

Would rather not, for the same reason load() does not call loadOptions()

  • Make loadPasswords() public

This makes sense, and I'm not even sure why I didn't make it public in the first place.

  • Add getPassword()/getTemporaryPassword() accessors and make the member

variables private

This also makes sense. And while we're at it, also make $mId, $mName, $mRealName, etc. private since you shouldn't be accessing those directly either.

  • Have MM call checkPassword() with a dummy value and then check ->mPassword

directly (ewwww)

ewwww

Agreed. Stick with above.

Legoktm added a comment.Aug 4 2014, 1:48 AM

(In reply to Tyler Romeo from comment #6)

(In reply to Kunal Mehta (Legoktm) from comment #5)

  • Make loadPasswords() public

This makes sense, and I'm not even sure why I didn't make it public in the
first place.

If we add the accessors, there should be no reason to do this I think.

  • Add getPassword()/getTemporaryPassword() accessors and make the member

variables private

This also makes sense. And while we're at it, also make $mId, $mName,
$mRealName, etc. private since you shouldn't be accessing those directly
either.

Ib79ce01a47f90af681e376ce918eda559b4b94a6. Will do a second patch once extensions accessing directly are fixed (MassMessage, AbuseFilter, OpenID).

gerritbot added a comment.Aug 4 2014, 3:18 AM

Change 151570 had a related patch set uploaded by Legoktm:
Fix MassMessage::getMessengerUser() after Password API changes

https://gerrit.wikimedia.org/r/151570

gerritbot added a comment.Aug 9 2014, 11:22 AM

Change 151570 merged by jenkins-bot:
Fix MassMessage::getMessengerUser() after Password API changes

https://gerrit.wikimedia.org/r/151570

gerritbot added a comment.Aug 9 2014, 11:30 AM

Change 153042 had a related patch set uploaded by Legoktm:
Fix MassMessage::getMessengerUser() after Password API changes

https://gerrit.wikimedia.org/r/153042

gerritbot added a comment.Aug 10 2014, 11:24 PM

Change 153042 merged by jenkins-bot:
Fix MassMessage::getMessengerUser() after Password API changes

https://gerrit.wikimedia.org/r/153042

Legoktm added a comment.Aug 10 2014, 11:40 PM

Deployed by Ori, thanks!

gerritbot added a comment.Aug 17 2014, 6:59 AM

Change 154449 had a related patch set uploaded by Wctaiwan:
Fix MassMessage::getMessengerUser() after Password API changes

https://gerrit.wikimedia.org/r/154449

gerritbot added a comment.Aug 17 2014, 7:01 AM

Change 154449 merged by jenkins-bot:
Fix MassMessage::getMessengerUser() after Password API changes

https://gerrit.wikimedia.org/r/154449

Luke081515 removed a subscriber: wikibugs-l-list.Jan 28 2016, 5:56 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits