Page MenuHomePhabricator

User's password in response html
Closed, ResolvedPublic

Description

Sherif reported that the mobile link seems to be appending POST fields when generating the url, so after submitting a username/password, the password is in the text of the resulting page.

curl -i -s -k -X 'POST' \

-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0' -H 'Referer: http://en.wikipedia.beta.wmflabs.org/w/index.php?title=Special:UserLogin&returnto=Main+Page' -H 'Content-Type: application/x-www-form-urlencoded' \
-b 'GeoIP=GB::51.5000:-0.1300:v4; centralnotice_bucket=1-4.2; uls-previous-languages=%5B%22en%22%5D; mediaWiki.user.sessionId=YI03bpxPjata58Fp5ZwwvIEB1r9p3PZs; enwikiSession=414940d3638c0d8c1bc3899d56b23f1a' \
--data-binary $'wpName=%27%27&wpPassword=%27%27&wpLoginAttempt=Log+in&wpLoginToken=3037b08023402e508455f7340476341c' \
'http://en.wikipedia.beta.wmflabs.org/w/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=Main+Page'

Version: unspecified
Severity: normal

Details

Reference
bz70009

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:42 AM
bzimport set Reference to bz70009.
bzimport added a subscriber: Unknown Object (MLST).
csteipp created this task.Aug 25 2014, 10:58 PM

Is any further action required on this? Is this Zero-related, or is it something for MobileFrontend? If it's MobileFrontend, could we get Max and Kaldari on this bug?

cherifmansour wrote:

I'll defer to Chris as he knows the code base way better than I do as to where the issue resides

For some reason I thought this was zero, but yeah, it looks more like mobile frontend. Max, can you take a look at this?

MaxSem added a comment.Oct 6 2014, 8:20 PM

Created attachment 16681
Proposed fix

Proposed fix. Will commit tests separately because they would require FauxRequest changes in core to test reasonably.

Attached:

The proposed fix looks good to me.

Good catch. That's nasty.