Change Details

In the recent pentest, it was pointed out as a low severity issue that the action api can suffer from "verb tampering" Verb tampering ( https://web.archive.org/web/20170517030540/http://cdn2.hubspot.net/hub/315719/file-1344244110-pdf/download-files/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf ) is when you restrict access to an endpoint via a WAF rule or other access control means, but only restrict a specific blacklist of http methods. The attacker evades the access control by using an HTTP method like `DELETE`, which our api would treat like a GET. I don't really think this is in our threat model. But I think the fact that DELETE and PUT act like GET is potentially confusing to users. To that end, I would like to propose the action api responds with a 405 status code for any http method other then GET, HEAD, POST or OPTIONS Instructions on how to complete task (for gci students) --------- The goal of this task is to respond with a 405 status code, when people use unsupported HTTP methods with the ActionAPI. For example, the following command: ```lang="sh" curl -X DELETE 'https://en.wikipedia.org/w/api.php?action=query&prop=info&titles=Main_Page&format=json' ``` responds as if the user specified GET instead of DELETE. This is confusing. To change this: * Open up includes/api/ApiMain.php Locate the `setupExternalResponse` method * Near where the check is for POST, add another check. This check should check if the method is one of GET, HEAD, POST or OPTIONS (perhaps using an `if ( !in_array(...` check). See also https://doc.wikimedia.org/mediawiki-core/master/php/classWebRequest.html#a62d0b77ab586b36143f8f2af38b6e101 * In the event the method is one other than the allowed method, you should call [[ https://doc.wikimedia.org/mediawiki-core/master/php/classApiBase.html#a1cfc6cf9a16ada2827a13724e44090f6 | $this->dieWithError(...) ]]. The fourth argument should be 405 to return a 405 HTTP status code * Add the message (starting with `apierror-`) you used in the call to dieWithError() to i18n/en.json and i18n/qqq.json Do not worry about other translations, they are handled by translatewiki) * Test your change to make sure it works properly.

In the recent pentest, it was pointed out as a low severity issue that the action api can suffer from "verb tampering" Verb tampering ( https://web.archive.org/web/20170517030540/http://cdn2.hubspot.net/hub/315719/file-1344244110-pdf/download-files/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf ) is when you restrict access to an endpoint via a WAF rule or other access control means, but only restrict a specific blacklist of http methods. The attacker evades the access control by using an HTTP method like `DELETE`, which our api would treat like a GET. I don't really think this is in our threat model. But I think the fact that DELETE and PUT act like GET is potentially confusing to users. To that end, I would like to propose the action api responds with a 405 status code for any http method other then GET, HEAD, POST or OPTIONS Instructions on how to complete task (for gci students) --------- The goal of this task is to respond with a [405 status code](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_errors), when people use unsupported HTTP methods with the ActionAPI. For example, the following command: ```lang="sh" curl -X DELETE 'https://en.wikipedia.org/w/api.php?action=query&prop=info&titles=Main_Page&format=json' ``` responds as if the user specified GET instead of DELETE. This is confusing. To change this: * Open up `includes/api/ApiMain.php` in the MediaWiki core code repository. Locate the `setupExternalResponse` method. * Near where the check is for POST, add another check. This check should check if the method is one of GET, HEAD, POST or OPTIONS (perhaps using an `if ( !in_array(...` check). See also [the documentation](https://doc.wikimedia.org/mediawiki-core/master/php/classWebRequest.html#a62d0b77ab586b36143f8f2af38b6e101). * In the event the method is one other than the allowed method, you should call [$this->dieWithError(...)](https://doc.wikimedia.org/mediawiki-core/master/php/classApiBase.html#a1cfc6cf9a16ada2827a13724e44090f6). The fourth argument should be 405 to return a 405 HTTP status code * Add the message (starting with `apierror-`) you used in the call to `dieWithError()` to `i18n/en.json` and `i18n/qqq.json`. Do not worry about other translations, they are handled by translatewiki. * Test your change to make sure it works properly.

In the recent pentest, it was pointed out as a low severity issue that the action api can suffer from "verb tampering" Verb tampering ( https://web.archive.org/web/20170517030540/http://cdn2.hubspot.net/hub/315719/file-1344244110-pdf/download-files/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf ) is when you restrict access to an endpoint via a WAF rule or other access control means, but only restrict a specific blacklist of http methods. The attacker evades the access control by using an HTTP method like `DELETE`, which our api would treat like a GET. I don't really think this is in our threat model. But I think the fact that DELETE and PUT act like GET is potentially confusing to users. To that end, I would like to propose the action api responds with a 405 status code for any http method other then GET, HEAD, POST or OPTIONS Instructions on how to complete task (for gci students) --------- The goal of this task is to respond with a [405 status codecode](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_errors), when people use unsupported HTTP methods with the ActionAPI. For example, the following command: ```lang="sh" curl -X DELETE 'https://en.wikipedia.org/w/api.php?action=query&prop=info&titles=Main_Page&format=json' ``` responds as if the user specified GET instead of DELETE. This is confusing. To change this: * Open up `includes/api/ApiMain.phpphp` in the MediaWiki core code repository. Locate the `setupExternalResponse` method. * Near where the check is for POST, add another check. This check should check if the method is one of GET, HEAD, POST or OPTIONS (perhaps using an `if ( !in_array(...` check). See also [the documentation](https://doc.wikimedia.org/mediawiki-core/master/php/classWebRequest.html#a62d0b77ab586b36143f8f2af38b6e101). * In the event the method is one other than the allowed method, you should call [[ $this->dieWithError(...)](https://doc.wikimedia.org/mediawiki-core/master/php/classApiBase.html#a1cfc6cf9a16ada2827a13724e44090f6 | $this->dieWithError(...) ]]). The fourth argument should be 405 to return a 405 HTTP status code * Add the message (starting with `apierror-`) you used in the call to `dieWithError()` to `i18n/en.json` and `i18n/qqq.json`. Do not worry about other translations, they are handled by translatewiki). * Test your change to make sure it works properly.