No rate limits on uploading files
Closed, Resolved | Public

Description

We don't rate limit uploading files. We should.


patch:

  • 1.25 - same as master ()
  • 1.24 - same as master ()
  • 1.23 -

affected versions:
type: dos
CVE: CVE-2015-8003

csteipp created this task. Mar 7 2015, 1:06 AM
csteipp updated the task description.
csteipp raised the priority of this task from to Normal.
csteipp added a project: Security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp changed Security from None to Software security bug.
csteipp added a subscriber: csteipp.
Restricted Application added a subscriber: Aklapper. Mar 7 2015, 1:06 AM
Restricted Application added a project: Multimedia. Mar 7 2015, 8:13 AM
csteipp added a parent task: Restricted Task. Mar 19 2015, 9:28 PM

Ran into my first stab at this while working on something else, so figured I should just finish it.

I don't like checking all the entrypoints, but that's where we do the rights and block checks, so seemed like a logical place. Not sure if there are other ways to upload files? Maybe extensions?

csteipp moved this task from Backlog to In Progress on the Security-Team board. Jul 1 2015, 8:55 PM
csteipp added a subscriber: Anomie. Jul 2 2015, 4:27 PM

@dpatrick / @Anomie, could you take a look at the patch and see if it seems sane to you?

To test, I'm using

and

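// Test configuration: each limit is array( max actions, period in seconds ),
// so this allows 1 upload per 60 seconds for each limit type.
$wgRateLimits = array(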
	'upload' => array(
		'user' => array( 1, 60 ),
		'newbie' => array( 1, 60 ),
		'ip' => array( 1, 60 ),
	)
);

@csteipp, I observed that the upload was appropriately throttled, from both the API and the web form. However, I also noticed that simply viewing the web form is also throttled. If I navigate to http://localhost:8080/wiki/Special:Upload, then hit refresh without selecting a file or submitting the form, I receive the action-throttled message in the browser.

Anomie added a comment. Jul 6 2015, 4:54 PM

In the API bit, a chunked upload would be applying the throttle to each chunk of the file.

It also throttles the polling for status if the client is waiting for an async upload or an upload-from-url. Even if the former is intended, this probably isn't.

Moved the throttling later in both the special page and api, so chunks and warnings are correctly handled. This allows a user to upload to the stash unthrottled. Otherwise in UploadWizard, the upload to the stash was one count against the throttle, then finalizing the upload was a second. I'm not sure if that's the right behavior or not. As a side effect, you can add more files to the initial step of UploadWizard than the throttle allows, and UploadWizard just fails to move the file from the stash. Except for missing an api-error-ratelimited message, the failure is fairly graceful.
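The placement question discussed above, as an added example that is not part of the task or of the MediaWiki patch: a self-contained PHP model of a fixed-window limiter using the 1-per-60-seconds test setting. FixedWindowLimiter, rejectedSteps, the user key and the step names are hypothetical.

```php
<?php
// Added illustration, not MediaWiki code. The class, function and step names
// are hypothetical; the limit mirrors the array( 1, 60 ) test setting.
final class FixedWindowLimiter {
	private $windows = array();
	private $max;
	private $period;

	public function __construct( $max, $period ) {
		$this->max = $max;
		$this->period = $period;
	}

	// Count one hit for $key; return true when the key is over the limit.
	public function ping( $key, $now ) {
		$w = isset( $this->windows[$key] ) ? $this->windows[$key] : null;
		if ( $w === null || $now - $w['start'] >= $this->period ) {
			$w = array( 'start' => $now, 'count' => 0 );
		}
		$w['count']++;
		$this->windows[$key] = $w;
		return $w['count'] > $this->max;
	}
}

// Replay constructed requests (one per second, same user) and return the
// steps that are rejected when the throttle runs on $checkedSteps only.
function rejectedSteps( array $requests, array $checkedSteps, $max = 1, $period = 60 ) {
	$limiter = new FixedWindowLimiter( $max, $period );
	$rejected = array();
	foreach ( $requests as $second => $step ) {
		if ( in_array( $step, $checkedSteps, true ) && $limiter->ping( 'user:Example', $second ) ) {
			$rejected[] = $second . ':' . $step;
		}
	}
	return $rejected;
}

// Constructed sample: file A in three chunks with a status poll, then file B.
$requests = array( 'view-form', 'chunk', 'chunk', 'chunk', 'poll-status',
	'publish', 'view-form', 'stash', 'publish' );

// Throttle at every entry point: file A alone exhausts the limit.
echo implode( ', ', rejectedSteps( $requests, array_unique( $requests ) ) ), "\n";
// Throttle only when a file is published: A succeeds, B is rejected at the end.
echo implode( ', ', rejectedSteps( $requests, array( 'publish' ) ) ), "\n";
```

In the second run the only rejection comes after file B is already in the stash, which is the trade-off raised in this thread for UploadWizard and Special:Upload.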

@MarkTraceur, is there someone on the multimedia team who can comment on this?

My two cents: This sounds fine, James_F might want to comment, but UploadWizard already throttles to 3 uploads to stash or 3 stash upload finalizations at once (per window, I guess), so this doesn't look like a huge issue from that end.

@dpatrick / @Anomie, could you take a look at the new patch?

API bit looks ok. Haven't tested.

When uploading at http://localhost:8080/wiki/Special:Upload, I now get the throttled message after the final form submission, after the file has been uploaded and compared to existing files, and I've entered a description. This might be frustrating for users. Other than this, the patch looks good.

Made Special:Upload use a RecoverableUploadError instead of throwing an exception. So error message is a little nicer.

csteipp removed a parent task: Restricted Task.
Jdforrester-WMF moved this task from Untriaged to Next up on the Multimedia board. Sep 4 2015, 6:25 PM
csteipp closed this task as Resolved. Sep 9 2015, 10:13 PM

Deployed yesterday

(2015-09-08) 21:02 csteipp: deployed patches for T108616 T91850 T91205 to wmf21 & 22

csteipp moved this task from In Progress to Done on the Security-Team board. Oct 13 2015, 11:56 PM
demon added a subscriber: demon. Oct 15 2015, 7:36 PM

Patch applies to all branches cleanly except REL1_23. Will work on alternate patch.

demon added a comment. Oct 15 2015, 7:53 PM
This comment was removed by demon.
demon added a comment. Oct 15 2015, 8:24 PM

demon awarded a token. Oct 15 2015, 8:43 PM
csteipp updated the task description. Oct 16 2015, 12:57 AM
csteipp added a subscriber: Grunny. Oct 16 2015, 3:03 PM
csteipp added a subscriber: Ejegg. Oct 16 2015, 4:39 PM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)". Oct 16 2015, 6:13 PM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
Restricted Application added subscribers: Steinsplitter, Matanya. Oct 16 2015, 6:13 PM

Change 246868 had a related patch set uploaded (by Chad):
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246868

Change 246873 had a related patch set uploaded (by Chad):
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246873

Change 246879 had a related patch set uploaded (by Chad):
Add throttle check in ApiUpload and SpecialUpload.

https://gerrit.wikimedia.org/r/246879

Change 246884 had a related patch set uploaded (by Chad):
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246884

Change 246868 merged by jenkins-bot:
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246868

Change 246879 merged by jenkins-bot:
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246879

Change 246873 merged by Chad:
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246873

Change 246973 had a related patch set uploaded (by Chad):
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246973

Change 246884 merged by jenkins-bot:
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246884

Change 246973 merged by jenkins-bot:
SECURITY: Throttle uploads

https://gerrit.wikimedia.org/r/246973

This was assigned CVE-2015-8003, with the caveat:

Use CVE-2015-8003. An important note here is that the MITRE CVE team
accepted this CVE request only because it came from the organization
that wrote the code. In the general case, adding completely new
functionality such as an upload rate limit is a security enhancement
and not eligible for a CVE ID.

Since MediaWiki generally considers uploads as an edit, and edits are throttled, I think the CVE here was appropriate.

csteipp updated the task description. Nov 3 2015, 9:12 PM