Page MenuHomePhabricator
Create Task
Maniphest T97897

Incorrect parsing of IPs for global block
Closed, ResolvedPublic
Actions

Assigned To
dpatrick
Authored By
Vituzzu
May 2 2015, 2:35 PM
Tags
Referenced Files
F3105795: T97897-REL1_23.patch
Dec 15 2015, 7:39 PM
F2961639: T97897_03.patch
Nov 14 2015, 4:22 AM
F191969: T97897_02.patch
Jul 14 2015, 5:01 AM
F191828: T97897_01.patch
Jul 13 2015, 6:06 PM
F176994: T97897_w_Anomie.patch
Jun 9 2015, 6:12 PM
F176995: T97897_dpatrick_refactor.patch
Jun 9 2015, 6:12 PM
F159702: T97897.patch
May 2 2015, 4:53 PM
Subscribers
Bsadowski1
csteipp
demon
Grunny
hoo
Jalexander
JEumerus
View All 15 Subscribers

Description

Today I mistakenly gave an IP in the form X.000.X.X to my steward bot and this apparently blocked all newly registered users (it was showed on the top of newbies' contribs). I was afk and Melos tried unblocking it via unblock form but it wasn't listed as being blocked, then he eventually managed to unblock it via api.
Here's the "IP" https://meta.wikimedia.org/w/index.php?title=Special%3ALog&type=&user=&page=User%3A141.000.11.253&year=&month=-1&tagfilter=&hide_patrol_log=1&hide_tag_log=1&hide_thanks_log=1

patches:

  • 1.24 - master:
    T97897_03.patch4 KBDownload
  • 1.23:
    T97897-REL1_23.patch4 KBDownload

CVE: CVE-2015-8627

Details

SubjectRepoBranchLines +/-
Fix IP::toHex for IPv4 addresses with a double/triple 0 blockmediawiki/coremaster+44 -11
Fix IP::toHex for IPv4 addresses with a double/triple 0 blockmediawiki/coreREL1_26+44 -11
Fix IP::toHex for IPv4 addresses with a double/triple 0 blockmediawiki/coreREL1_25+44 -11
Fix IP::toHex for IPv4 addresses with a double/triple 0 blockmediawiki/coreREL1_23+44 -11
Fix IP::toHex for IPv4 addresses with a double/triple 0 blockmediawiki/coreREL1_24+44 -11
Customize query in gerrit

Related Objects
Search...

Event Timeline

Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy".May 2 2015, 2:35 PM
Maniphest changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 2 2015, 2:35 PM
Vituzzu created this task.May 2 2015, 2:35 PM
Vituzzu updated the task description. (Show Details)
Vituzzu added a project: acl*security.
Vituzzu changed Security from None to Software security bug.
Vituzzu edited subscribers, added: Vituzzu, Melos, hoo, Krenair; removed: Aklapper.
Krenair merged a task: Restricted Task.May 2 2015, 4:27 PM
hoo added a comment.May 2 2015, 4:53 PM

T97897.patch1 KBDownload

The root cause for this is that MediaWiki's IP class considers these IP addresses valid, but is not able to convert them to hex. I fixed the conversion to hex. See also T62035.

Anomie subscribed.May 4 2015, 2:08 PM

'/(?<=\.)0+(?=([1-9]|0\.))/'

Unnecessary parens inside the (?=).

Also, consider this address: 00192.0.2.000, the extraneous zeros won't be stripped. I'd recommend using '/(?:^|(?<=\.))0+(?=[1-9]|0\.|0$)/' instead.

Vituzzu added a subscriber: saper.May 5 2015, 8:19 PM
dpatrick claimed this task.May 21 2015, 9:49 PM
dpatrick triaged this task as Medium priority.
dpatrick added a project: Security-Team.May 21 2015, 10:02 PM
dpatrick moved this task from Incoming to In Progress on the Security-Team board.
dpatrick added a comment.Jun 3 2015, 6:37 PM

I concur with @Anomie's regex correction. However, can we refactor out the preg_replace() into a separate function so that we can unit test that more effectively? Or, toward the same aim, can that preg_replace() be moved to the IPv4 handling portion of sanitizeIP()?

dpatrick moved this task from In Progress to Waiting on the Security-Team board.Jun 4 2015, 10:12 PM
dpatrick moved this task from Waiting to In Progress on the Security-Team board.
dpatrick added a comment.Jun 9 2015, 6:12 PM

Attached for review/comments are two patches:

T97897_w_Anomie.patch1 KBDownload
which is just the original patch, but with @Anomie's regex correction;

T97897_dpatrick_refactor.patch3 KBDownload
is a refactor which pulls out the preg_match() and adds additional test cases.

I think the latter is preferable for maintenance and code review reasons. What say others?

dpatrick moved this task from In Progress to Waiting on the Security-Team board.Jun 9 2015, 6:13 PM
Anomie added a comment.Jun 10 2015, 5:22 PM
In T97897#1350038, @dpatrick wrote:

T97897_w_Anomie.patch1 KBDownload
which is just the original patch, but with @Anomie's regex correction;

Looks ok. Haven't tested.

T97897_dpatrick_refactor.patch3 KBDownload
is a refactor which pulls out the preg_match() and adds additional test cases.

I'm not liking that we would now have IP::sanitizeIP()/IP::prettifyIP() that mostly ignores IPv4 and IP::standardizeIPv4() that does real cleanup for v4 but returns false for v6. I'd rather see the public behavior of your IP::standardizeIPv4() integrated into IP::sanitizeIP(). Then just use IP::sanitizeIP() inside the IP::toHex() case for IPv4 like it already does for IPv6. Or is there some sort of BC concern that prevents that?

Code-wise I don't care whether you put the logic from IP::standardizeIPv4() directly into IP::sanitizeIP() or split both the IPv4 and IPv6 logic into private functions with IP::sanitizeIP() just checking the type and calling the appropriate one. As for IP::toHex(), since we're touching it to this extent IMO either IP::IPv6ToRawHex() should be merged in or the IPv4 logic should be split out to a private IP::IPv4ToRawHex(), as it is now it's just weird.

dpatrick moved this task from Waiting to In Progress on the Security-Team board.Jun 10 2015, 5:34 PM
dpatrick added a comment.Jun 10 2015, 11:42 PM
In T97897#1353830, @Anomie wrote:
In T97897#1350038, @dpatrick wrote:

T97897_dpatrick_refactor.patch3 KBDownload
is a refactor which pulls out the preg_match() and adds additional test cases.

I'm not liking that we would now have IP::sanitizeIP()/IP::prettifyIP() that mostly ignores IPv4 and IP::standardizeIPv4() that does real cleanup for v4 but returns false for v6. I'd rather see the public behavior of your IP::standardizeIPv4() integrated into IP::sanitizeIP(). Then just use IP::sanitizeIP() inside the IP::toHex() case for IPv4 like it already does for IPv6. Or is there some sort of BC concern that prevents that?

I do have backwards compatibility concerns, yes. That's why i didn't add the code to sanitizeIP() in this patch. Here are some examples:

I stopped examining grep results there, but there were other calls to IP::sanitizeIP() from the CheckUser, GlobalBlocking, ProofreadPage, and TorBlock extensions. In short, I hated to add another method, but I was concerned about breaking stuff by changing the behavior of IP::sanitizeIP().

Code-wise I don't care whether you put the logic from IP::standardizeIPv4() directly into IP::sanitizeIP() or split both the IPv4 and IPv6 logic into private functions with IP::sanitizeIP() just checking the type and calling the appropriate one. As for IP::toHex(), since we're touching it to this extent IMO either IP::IPv6ToRawHex() should be merged in or the IPv4 logic should be split out to a private IP::IPv4ToRawHex(), as it is now it's just weird.

We can't merge IP::IPv6ToRawHex() into IP::toHex() because it's called from IP::parseCIDR6(). I suppose it makes sense to pull the IPv4 functionality out into a separate IP::IPv4ToRawHex() function, but that function would still need to invoke a separate IP::standardizeIPv4()/IP::removeLeadingIPv4OctetZeros()/whatever in order to meet me original goal of improving testability of the preg_replace().

dpatrick moved this task from In Progress to Waiting on the Security-Team board.Jun 12 2015, 11:39 PM
Anomie added a comment.Jun 15 2015, 5:53 PM

I'd rather actually look into those calls to see if anything really would break. XFF header parsing, for example, really should be normalizing the zeros to prevent spurious non-matches if some upstream is injecting IPs with the abnormal zeros.

dpatrick moved this task from Waiting to In Progress on the Security-Team board.Jul 7 2015, 6:59 PM
dpatrick added a comment.Jul 13 2015, 6:06 PM

This patch integrates zero trimming into sanitizeIP:

T97897_01.patch3 KBDownload

dpatrick moved this task from In Progress to Waiting on the Security-Team board.Jul 13 2015, 6:07 PM
csteipp subscribed.Jul 13 2015, 10:19 PM
In T97897#1450079, @dpatrick wrote:

This patch integrates zero trimming into sanitizeIP:

T97897_01.patch3 KBDownload

Comment for sanitizeIP should be updated to reflect the change for ipv4. Otherwise I think that addresses @Anomie's comments.

dpatrick added a comment.Jul 14 2015, 5:01 AM

@csteipp, thanks. Updated and rebased:

T97897_02.patch3 KBDownload

dpatrick added a comment.Aug 4 2015, 10:36 PM

@Anomie, any more comments?

Platonides subscribed.Sep 10 2015, 12:20 AM
dpatrick added a comment.Sep 25 2015, 7:23 PM

@Anomie?

Anomie added a comment.Sep 25 2015, 8:29 PM

T97897_02.patch3 KBDownload
seems ok to me. Haven't tested.

csteipp added a comment.Oct 13 2015, 11:46 PM

I wasn't able to duplicate Vituzzu original issue in my testing, where all newbies were blocked. But I can confirm that after this patch, adding a block with 000 in it is normalized correctly to a 0, and the IP is actually blocked, where before the IP wasn't. Both via the Special page and API. Setting a local block exemption seems to work correctly with the patch as well.

Also, if a trusted proxy adds an IP with a 00 in it, the user is still correctly blocked, although there's a php warning,

Warning: inet_pton(): Unrecognized address 141.00.11.253 in <b>/var/www/wiki/en/vendor/wikimedia/ip-set/src/IPSet.php

I'll go ahead and deploy this in the next day or two.

dpatrick added a comment.Oct 14 2015, 12:03 AM

Swell. Thanks Chris. Is that warning worth mentioning to the IPSet maintainer?

csteipp closed this task as Resolved.Nov 2 2015, 7:07 PM
csteipp added a parent task: T115722: MediaWiki Security release 1.25.4.

18:53 csteipp: deployed patches for T97897 & T115522

csteipp mentioned this in T115522: Passwords generated by User::randomPassword() may be shorter than $wgMinimalPasswordLength.Nov 2 2015, 7:08 PM
csteipp mentioned this in T117471: Special:Contribs cuts last "0" in the username.Nov 2 2015, 8:39 PM
Legoktm reopened this task as Open.Nov 2 2015, 8:40 PM
Legoktm subscribed.

Patch caused T117471: Special:Contribs cuts last "0" in the username and was reverted.

dpatrick moved this task from Waiting to In Progress on the Security-Team board.Nov 9 2015, 9:17 PM
dpatrick added a comment.Nov 14 2015, 4:22 AM

Here is an updated patch

T97897_03.patch4 KBDownload
which addresses T117471 and T117476. These were both caused by sanitizeIP() being invoked on login via User -> Title -> MediaWikiTitleCodec. The patch limits 0 removal to only strings which appear as valid IPv4 addresses.

dpatrick moved this task from In Progress to Waiting on the Security-Team board.Nov 14 2015, 4:22 AM
csteipp added a comment.Nov 19 2015, 8:39 PM

T97897_03.patch4 KBDownload

LGTM

csteipp closed this task as Resolved.Nov 19 2015, 10:27 PM

22:11 csteipp: deployed patch for T97897

Jalexander added subscribers: Bsadowski1, Jalexander.Dec 3 2015, 9:06 PM
Jalexander added a subscriber: Matanya.Dec 3 2015, 9:13 PM
Vituzzu added a project: Stewards-and-global-tools.Dec 3 2015, 9:14 PM
demon subscribed.Dec 15 2015, 7:39 PM
In T97897#1818516, @csteipp wrote:

T97897_03.patch4 KBDownload

LGTM

Patch applies cleanly to 1.24 and beyond.

Patch for 1.23:

T97897-REL1_23.patch4 KBDownload

demon added a subscriber: Grunny.Dec 17 2015, 1:19 AM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 18 2015, 12:40 AM
demon changed the edit policy from "Custom Policy" to "All Users".
Restricted Application changed the visibility from "Public (No Login Required)" to "Custom Policy". · View Herald TranscriptDec 18 2015, 12:40 AM
Restricted Application changed the edit policy from "All Users" to "Custom Policy". · View Herald Transcript
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Dec 18 2015, 6:41 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".
Reedy changed Security from Software security bug to None.
Reedy added a project: MediaWiki-User-management.
csteipp updated the task description. (Show Details)Dec 24 2015, 12:12 AM
Restricted Application added a subscriber: Luke081515. · View Herald TranscriptDec 24 2015, 12:12 AM
MarcoAurelio moved this task from Untriaged to Closed on the Stewards-and-global-tools board.Jan 24 2016, 2:41 PM
Restricted Application added a subscriber: JEumerus. · View Herald TranscriptJan 24 2016, 2:41 PM
sbassett moved this task from Waiting to Our Part Is Done on the Security-Team board.Jun 11 2019, 6:03 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits