No rate limits on uploading files
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	• csteipp
	Mar 7 2015, 1:06 AM

Referenced Files

	F2724581: T91850c-REL1_23.patch
	Oct 15 2015, 8:24 PM

	F2724543: T91850c-REL1_23.patch
	Oct 15 2015, 7:53 PM

	F361708: T91850c.patch
	Aug 4 2015, 1:27 AM

	F191194: T91850b.patch
	Jul 10 2015, 11:05 PM

	F188249: T91850-exploit.php
	Jul 2 2015, 4:27 PM

	F188047: T91850.patch
	Jul 1 2015, 6:00 PM

Subscribers

View All 11 Subscribers

Tokens

"Pterodactyl" token, awarded by demon.

Description

We don't rate limit uploading files. We should.

patch:

T91850c.patch2 KBDownload

1.25 - same as master (
T91850c.patch2 KBDownload
)
1.24 - same as master (
T91850c.patch2 KBDownload
)
1.23 -
T91850c-REL1_23.patch2 KBDownload

affected versions:
type: dos
CVE: CVE-2015-8003

Details

Subject	Repo	Branch	Lines +/-
SECURITY: Throttle uploads	mediawiki/core	REL1_26	+30 -0
SECURITY: Throttle uploads	mediawiki/core	master	+30 -0
SECURITY: Throttle uploads	mediawiki/core	REL1_24	+30 -0
SECURITY: Throttle uploads	mediawiki/core	REL1_23	+30 -0
SECURITY: Throttle uploads	mediawiki/core	REL1_25	+30 -0

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Resolved	None	T108064 MediaWiki Security release 1.25.3
Resolved	• csteipp	T91850 No rate limits on uploading files
Resolved	Anomie	T91205 ApiUpload needs sanity check on chunk size

Event Timeline

• csteipp created this task.Mar 7 2015, 1:06 AM

• csteipp raised the priority of this task from to Medium.

• csteipp updated the task description. (Show Details)

• csteipp added a project: acl*security.

• csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".

• csteipp changed the edit policy from "All Users" to "Custom Policy".

• csteipp changed Security from None to Software security bug.

• csteipp subscribed.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 7 2015, 1:06 AM

Aklapper added a project: MediaWiki-Uploading.Mar 7 2015, 8:13 AM

Restricted Application added a project: Multimedia. · View Herald TranscriptMar 7 2015, 8:13 AM

• csteipp added a subtask: T91205: ApiUpload needs sanity check on chunk size.Mar 9 2015, 11:25 PM

• csteipp added a parent task: Restricted Task.Mar 19 2015, 9:28 PM

• dpatrick claimed this task.Jun 9 2015, 9:26 PM

• dpatrick added a project: Security-Team.Jun 9 2015, 9:30 PM

Ran into my first stab at this while working on something else, so figured I should just finish it.

T91850.patch2 KBDownload

I don't like checking all the entrypoints, but that's where we do the rights and block checks, so seemed like a logical place. Not sure if there are other ways to upload files? Maybe extensions?

• csteipp moved this task from Incoming to In Progress on the Security-Team board.Jul 1 2015, 8:55 PM

@dpatrick / @Anomie, could you take a look at the patch and see if it seems sane to you?

To test, I'm using

T91850-exploit.php3 KBDownload

and

$wgRateLimits = array(
	'upload' => array(
		'user' => array( 1, 60 ),
		'newbie' => array( 1, 60 ),
		'ip' => array( 1, 60 ),
	)
);

@csteipp, I observed that the upload was appropriately throttled, from both the API and the web form. However, I also noticed that simply viewing the web form is also throttled. If I navigate to http://localhost:8080/wiki/Special:Upload, then hit refresh without selecting a file or submitting the form, I receive the action-throttled message in the browser.

In the API bit, a chunked upload would be applying the throttle to each chunk of the file.

It also throttles the polling for status if the client is waiting for an async upload or an upload-from-url. Even if the former is intended, this probably isn't.

• dpatrick reassigned this task from • dpatrick to • csteipp.Jul 7 2015, 7:00 PM

Moved the throttling later in both the special page and api, so chunks and warnings are correctly handled. This allows a user to upload to the stash unthrottled. Otherwise in UploadWizard, the upload to the stash was one count against the throttle, then finalizing the upload was a second. I'm not sure if that's the right behavior or not. As a side effect, you can add more files to the initial step of UploadWizard than the throttle allows, and UploadWizard just fails to move the file from the stash. Except for missing an api-error-ratelimited message, the failure is fairly graceful.

@MarkTraceur, is there someone on the multimedia team who can comment on this?

T91850b.patch2 KBDownload

My two cents: This sounds fine, James_F might want to comment, but UploadWizard already throttles to 3 uploads to stash or 3 stash upload finalizations at once (per window, I guess), so this doesn't look like a huge issue from that end.

Seems fine to me.

@dpatrick / @Anomie, could you take a look at the new patch?

T91850b.patch2 KBDownload

API bit looks ok. Haven't tested.

When uploading at http://localhost:8080/wiki/Special:Upload, I now get throttled message after the final form submission, after the file has been uploaded and compared to existing files, and I've entered a description. This might be frustrating for users. Other than this, the patch looks good.

T91850c.patch2 KBDownload

Made Special:Upload use a RecoverableUploadError instead of throwing an exception. So error message is a little nicer.

• csteipp added a parent task: T108064: MediaWiki Security release 1.25.3.Aug 5 2015, 5:17 PM

• csteipp removed a parent task: Restricted Task.

• csteipp added projects: Security-Core, Vuln-DoS.Aug 20 2015, 9:35 PM

Jdforrester-WMF moved this task from Untriaged to Next up on the Multimedia board.Sep 4 2015, 6:25 PM

Deployed yesterday

(2015-09-08) 21:02 csteipp: deployed patches for T108616 T91850 T91205 to wmf21 & 22

• csteipp mentioned this in T108616: Local path disclosure when using ImageMagick as a scaler.Sep 9 2015, 10:14 PM

• csteipp mentioned this in T91205: ApiUpload needs sanity check on chunk size.

• csteipp closed subtask T91205: ApiUpload needs sanity check on chunk size as Resolved.

matmarex reopened subtask T91205: ApiUpload needs sanity check on chunk size as Open.Sep 12 2015, 9:21 PM

Anomie closed subtask T91205: ApiUpload needs sanity check on chunk size as Resolved.Sep 14 2015, 5:09 PM

• csteipp moved this task from In Progress to Our Part Is Done on the Security-Team board.Oct 13 2015, 11:56 PM

Patch applies to all branches cleanly except REL1_23. Will work on alternate patch.

• demon added a comment.Oct 15 2015, 7:53 PM

This comment was removed by • demon.

T91850c-REL1_23.patch2 KBDownload

• demon awarded a token.Oct 15 2015, 8:43 PM

• csteipp updated the task description. (Show Details)Oct 16 2015, 12:57 AM

• csteipp added a subscriber: Grunny.Oct 16 2015, 3:03 PM

• csteipp added a subscriber: ProgramCeltic.Oct 16 2015, 4:10 PM

• csteipp added a subscriber: Ejegg.Oct 16 2015, 4:39 PM

• demon changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 16 2015, 6:13 PM

• demon changed the edit policy from "Custom Policy" to "All Users".

• demon changed Security from Software security bug to None.

Restricted Application added subscribers: Steinsplitter, Matanya. · View Herald TranscriptOct 16 2015, 6:13 PM

Change 246868 had a related patch set uploaded (by Chad):
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246868

Change 246873 had a related patch set uploaded (by Chad):
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246873

Change 246879 had a related patch set uploaded (by Chad):
Add throttle check in ApiUpload and SpecialUpload.

https://gerrit.wikimedia.org/r/246879

Change 246884 had a related patch set uploaded (by Chad):
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246884

Change 246868 merged by jenkins-bot:
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246868

Change 246879 merged by jenkins-bot:
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246879

Change 246873 merged by Chad:
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246873

ReleaseTaggerBot added projects: MW-1.25-release, MW-1.24-release, MW-1.23-release.Oct 16 2015, 8:00 PM

Change 246973 had a related patch set uploaded (by Chad):
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246973

Change 246884 merged by jenkins-bot:
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246884

Change 246973 merged by jenkins-bot:
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246973

ReleaseTaggerBot added projects: MW-1.27-release-notes, MW-1.27-release (WMF-deploy-2015-10-27_(1.27.0-wmf.4)), MW-1.26-release.Oct 16 2015, 10:00 PM

This was assigned CVE-2015-8003, with the caveat:

Use CVE-2015-8003. An important note here is that the MITRE CVE team
accepted this CVE request only because it came from the organization
that wrote the code. In the general case, adding completely new
functionality such as an upload rate limit is a security enhancement
and not eligible for a CVE ID.

Since MediaWiki generally considers uploads as an edit, and edits are throttled, I think the CVE here was appropriate.

• csteipp updated the task description. (Show Details)Nov 3 2015, 9:12 PM

• chasemp added a project: Security.Feb 10 2020, 10:59 PM

• chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM

Aklapper removed subscribers: • dpatrick, Anomie.Oct 16 2020, 5:42 PM