Page MenuHomePhabricator
Create Task
Maniphest T93365

wbmergeitems doesn't need a token to merge items
Closed, ResolvedPublic
Actions

Description

When you click on the example links in the api you would automatically merge the Items in Wikidata. You don't need a edit token or anything. We probably don't want that.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Make the merge item API require an edit tokenmediawiki/extensions/Wikibasewmf/1.25wmf22+9 -1
Make the merge item API require an edit tokenmediawiki/extensions/Wikibasemaster+9 -1
Customize query in gerrit

Related Objects

Event Timeline

Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy".Mar 20 2015, 3:00 PM
Maniphest changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 20 2015, 3:00 PM
Lucie created this task.Mar 20 2015, 3:00 PM
Lucie updated the task description. (Show Details)
Lucie added projects: Wikidata, acl*security.
Lucie changed Security from None to Software security bug.
Lucie edited subscribers, added: Lucie, aude, daniel; removed: Aklapper.
hoo subscribed.Mar 20 2015, 3:02 PM

Fix:

Add the following to MergeItems.php

	public function needsToken() {
		return true;
	}
Legoktm subscribed.Mar 20 2015, 3:04 PM

The module should also require a POST request

hoo added a comment.Mar 20 2015, 3:06 PM
In T93365#1135464, @Legoktm wrote:

The module should also require a POST request

Oh, indeed, yes.

Legoktm added a comment.Mar 20 2015, 3:11 PM

0001-SECURITY-action-wbmergeitems-needs-a-csrf-token.patch979 BDownload

I guess we also need a patch for the Wikidata repository for deployment?

hoo added a comment.Mar 20 2015, 3:15 PM
In T93365#1135490, @Legoktm wrote:

0001-SECURITY-action-wbmergeitems-needs-a-csrf-token.patch979 BDownload

I guess we also need a patch for the Wikidata repository for deployment?

Yes... we'll take care of everything.

aude added a comment.Mar 20 2015, 3:26 PM

tried the patch locally, doing a get request with token parameter and get "The 'token' parameter was found in the query string, but must be in the POST body"

thus, I think the patch is good and sufficient.

thanks legoktm!

hoo added a subscriber: Lydia_Pintscher.Mar 20 2015, 3:29 PM
hoo added a comment.Mar 20 2015, 3:42 PM

0001-SECURITY-Make-action-wbmergeitems-need-a-csrf-token.patch1 KBDownload

Applies cleanly to both 1.25wmf19 and 1.25wmf22 of Wikidata (the deployed branches).

greg subscribed.Mar 20 2015, 3:47 PM
hoo added a comment.Mar 20 2015, 3:53 PM

Patch applied, verified and deployed. I will close/ publish this bug once we fix this on master.

csteipp added a project: Vuln-CSRF.Mar 20 2015, 7:24 PM
hoo changed Security from Software security bug to None.Mar 23 2015, 2:37 PM
hoo changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 23 2015, 3:34 PM
hoo changed the edit policy from "Custom Policy" to "All Users".
gerritbot subscribed.Mar 23 2015, 3:35 PM

Change 198736 had a related patch set uploaded (by Hoo man):
Make the merge item API require an edit token

https://gerrit.wikimedia.org/r/198736

gerritbot added a project: Patch-For-Review.Mar 23 2015, 3:35 PM
Lydia_Pintscher added subscribers: Magnus, Multichill, Sjoerddebruin, Ladsgroup.Mar 23 2015, 3:37 PM

@Magnus: I think your tools are fine but just in case you run into trouble...
@Ladsgroup, @Multichill, @Sjoerddebruin: for your info as well in case you see any bot user having issues

hoo closed this task as Resolved.Mar 23 2015, 3:39 PM
hoo claimed this task.
gerritbot added a comment.Mar 23 2015, 3:40 PM

Change 198736 merged by jenkins-bot:
Make the merge item API require an edit token

https://gerrit.wikimedia.org/r/198736

Multichill added a comment.Mar 23 2015, 3:44 PM

Looks like Pywikibot already uses a token and posts it, see https://git.wikimedia.org/blob/pywikibot%2Fcore.git/3c097590364c81d35502ab99baaa742493db70c6/pywikibot%2Fsite.py#L5821

aude added a comment.Mar 23 2015, 3:46 PM

As far as I could tell, the merge gadget and Magnus' tools all do the right thing and use post + token, which means they shouldn't be affected by this change.

Diffusion mentioned this in rMEXTe9f1c3dd9a8b: Updated mediawiki/extensions Project: mediawiki/extensions/Wikibase….Mar 23 2015, 3:56 PM
hoo mentioned this in rEWBAdf074f0db0d7: Make the merge item API require an edit token.Mar 23 2015, 3:57 PM
Ladsgroup added a comment.Mar 23 2015, 4:05 PM

I checked my scripts and all of them use token

gerritbot added a comment.Mar 23 2015, 4:45 PM

Change 198747 had a related patch set uploaded (by Hoo man):
Make the merge item API require an edit token

https://gerrit.wikimedia.org/r/198747

gerritbot added a comment.Mar 24 2015, 2:33 PM

Change 198747 merged by jenkins-bot:
Make the merge item API require an edit token

https://gerrit.wikimedia.org/r/198747

hoo mentioned this in rEWBAa5a40763e729: Make the merge item API require an edit token.Mar 24 2015, 5:38 PM
Ricordisamoa removed a project: Patch-For-Review.Mar 30 2015, 5:28 PM
Ricordisamoa subscribed.
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits