T192134: Personal and site-wide CSS and JavaScript is loaded on Special:PasswordReset
Status: Closed, Resolved
Visibility: Public
Assigned To: Ladsgroup
Authored By: Nirmos, 2018-04-13 05:56:06 (UTC+0)
Tags: MediaWiki-Special-pages (To triage), Security-Team (Our Part Is Done), User-Ladsgroup (Done), MW-1.31-release-notes, MW-1.33-notes, MW-1.34-notes, MW-1.35-notes (1.35.0-wmf.10; 2019-12-10), MW-1.32-notes (Backlog), Security
Referenced Files:
F31462082: 0001-Security-Do-not-allow-user-scripts-on-Special-Passwo.patch, 2019-12-07 22:39:04 (UTC+0)
F22263525: 0001-Do-not-allow-user-scripts-on-Special-PasswordReset.patch, 2018-06-15 17:22:45 (UTC+0)
Subscribers: Aklapper, Bawolff, Ladsgroup, Nirmos, Reedy, sbassett
Description
Personal and site-wide CSS and JavaScript is loaded on Special:PasswordReset. Is this not a security issue?
Details
Related Changes in Gerrit:

| Subject | Repo | Branch | Lines +/- |
|---|---|---|---|
| SECURITY: Do not allow user scripts on Special:PasswordReset | mediawiki/core | master | +9 -0 |
| SECURITY: Do not allow user scripts on Special:PasswordReset | mediawiki/core | REL1_34 | +9 -0 |
| SECURITY: Do not allow user scripts on Special:PasswordReset | mediawiki/core | REL1_33 | +9 -0 |
| SECURITY: Do not allow user scripts on Special:PasswordReset | mediawiki/core | REL1_32 | +9 -0 |
| SECURITY: Do not allow user scripts on Special:PasswordReset | mediawiki/core | REL1_31 | +9 -0 |
Related Objects
Task Graph:

| Status | Assigned | Task |
|---|---|---|
| Resolved | Reedy | T233494: Release MediaWiki 1.31.6/1.32.6/1.33.2/1.34.0 |
| Resolved | Reedy | T233495: Tracking bug for MediaWiki 1.31.6/1.32.6/1.33.2/1.34.0 security release |
| Resolved | Ladsgroup | T192134: Personal and site-wide CSS and JavaScript is loaded on Special:PasswordReset |

Mentioned In:
T243608: User scripts shouldn't run on Special:Manage_Two-factor_authentication
T233495: Tracking bug for MediaWiki 1.31.6/1.32.6/1.33.2/1.34.0 security release
Event Timeline
Nirmos created this task. (2018-04-13 05:56:06 UTC+0)
Restricted Application added a subscriber: Aklapper. (2018-04-13 05:56:06 UTC+0)
Aklapper added a project: MediaWiki-Special-pages. (2018-04-13 08:38:32 UTC+0)
Reedy subscribed and added a comment. (2018-04-13 08:56:20 UTC+0)
SpecialUserLogin extends LoginSignupSpecialPage... SpecialPasswordReset extends FormSpecialPage
LoginSignupSpecialPage calls OutputPage::disallowUserJs... SpecialPasswordReset and FormSpecialPage don't.
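A regression check a wiki operator could run over the HTML of Special:PasswordReset (or any other sensitive special page) after deploying the fix, added here as an example rather than anything from the task or MediaWiki itself; the module names and the head-script and load.php formats it looks for are assumptions about MediaWiki's output, and the sample HTML is constructed:

```python
import re

# ResourceLoader module names for site-wide and per-user CSS/JS (assumed names):
# the "personal and site-wide CSS and JavaScript" this task is about.
USER_SITE_MODULES = {"site", "site.styles", "user", "user.styles"}

# Where a rendered page names the modules it loads (assumed, version-dependent
# format): the RLPAGEMODULES array, mw.loader.load([...]) calls, and the
# modules= parameter of load.php stylesheet URLs.
_MODULE_LIST_PATTERNS = (
    re.compile(r'RLPAGEMODULES\s*=\s*\[([^\]]*)\]'),
    re.compile(r'mw\.loader\.load\(\s*\[([^\]]*)\]'),
    re.compile(r'load\.php\?[^"\']*?modules=([^&"\']+)'),
)

def loaded_modules(html: str) -> set:
    """Return every module name the page's HTML asks ResourceLoader for."""
    found = set()
    for pattern in _MODULE_LIST_PATTERNS:
        for group in pattern.findall(html):
            # JS arrays are quoted and comma-separated; load.php joins modules
            # with ',' or '|'; '&' arrives HTML-escaped as '&amp;'.
            group = group.replace("&amp;", "&").replace('"', "").replace("'", "")
            for name in re.split(r"[,|]", group):
                if name.strip():
                    found.add(name.strip())
    return found

def user_scripts_loaded(html: str) -> set:
    """Site/user CSS+JS modules the page would load; empty means hardened."""
    return loaded_modules(html) & USER_SITE_MODULES

# Constructed samples (not captured from a real wiki): a head fragment as an
# unpatched Special:PasswordReset might emit it, and one where disallowUserJs()
# has kept the site/user modules out.
SAMPLE_UNPATCHED = (
    '<script>RLPAGEMODULES=["site","mediawiki.page.startup","user"];</script>'
    '<script>mw.loader.load(["user.styles"]);</script>'
    '<link rel="stylesheet" href="/w/load.php?lang=en&amp;modules=site.styles'
    '&amp;only=styles&amp;skin=vector"/>'
)
SAMPLE_PATCHED = (
    '<script>RLPAGEMODULES=["mediawiki.page.startup"];</script>'
    '<link rel="stylesheet" href="/w/load.php?lang=en&amp;modules=skins.vector.styles'
    '&amp;only=styles&amp;skin=vector"/>'
)
```

Point `user_scripts_loaded()` at the fetched HTML of each special page you consider sensitive; any non-empty result means site or user scripts would still execute there.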
Ladsgroup moved this task from Backlog / Other to Patch pending review on the acl*security board. (2018-06-15 17:22:45 UTC+0)
Ladsgroup subscribed and added a comment.
Is this good for now?
Attachment: 0001-Do-not-allow-user-scripts-on-Special-PasswordReset.patch (877 B)
Ladsgroup added a comment. (2018-06-28 12:38:26 UTC+0)
In T192134#4293721, @Ladsgroup wrote:
> Is this good for now?
> Attachment: 0001-Do-not-allow-user-scripts-on-Special-PasswordReset.patch (877 B)

Maybe I should call that method in alterForm instead of construct. Can't say for sure tbh.
Ladsgroup added a subscriber: Bawolff. (2018-11-26 13:18:46 UTC+0)
Ladsgroup added a comment.
ping @Bawolff
sbassett subscribed. (2018-11-26 16:12:19 UTC+0)
Urbanecm triaged this task as Low priority. (2019-11-12 08:52:40 UTC+0)
sbassett added a comment. (2019-11-21 22:42:04 UTC+0)
@Ladsgroup - patch above still applies to MW 1.35. I'm personally fine with this as a stop-gap measure or even if it becomes more of a permanent mitigation. Though I'm not really sure there's a demonstrated security issue here. Yes, certain user css/js can do unintentional or bad things on wiki pages where it's run, but that's a fundamental part of such functionality existing in the first place. Anyhow, I'm happy to deploy this as a core security patch and backport it to supported release branches, though IMO, it might barely meet the security patch threshold.
sbassett added a project: Security-Team. (2019-11-21 22:42:19 UTC+0)
sbassett moved this task from Patch pending review to Pending deployment / release on the acl*security board.
sbassett moved this task from Incoming to Watching on the Security-Team board.
Ladsgroup added a comment. (2019-11-23 13:50:25 UTC+0)
In T192134#5682990, @sbassett wrote:
> @Ladsgroup - patch above still applies to MW 1.35. I'm personally fine with this as a stop-gap measure or even if it becomes more of a permanent mitigation. Though I'm not really sure there's a demonstrated security issue here. Yes, certain user css/js can do unintentional or bad things on wiki pages where it's run, but that's a fundamental part of such functionality existing in the first place. Anyhow, I'm happy to deploy this as a core security patch and backport it to supported release branches, though IMO, it might barely meet the security patch threshold.

So the biggest part of the problem is that people can steal others' email addresses, which are considered private data. It's not as bad as stealing their passwords (that's what I initially thought, it's PasswordReset), but I realized it's the email address only. I tested it locally and it works.
sbassett added a comment. (2019-12-06 21:16:50 UTC+0)
In T192134#4321709, @Ladsgroup wrote:
> Maybe I should call that method in alterForm instead of construct. Can't say for sure tbh.

Most other specials seem to call it in execute(), though SpecialPasswordReset.php doesn't call execute() right now. I'm not sure there's anything wrong with calling disallowUserJs() within the constructor, though I'm sure that could be modified to look more like what is done in SpecialChangeEmail for consistency's sake. Anyhow, whatever you want to do, I'd like to try to deploy this during the security deployment window this Monday, if possible.
sbassett added a project: user-sbassett. (2019-12-06 21:17:52 UTC+0)
sbassett moved this task from Backlog to Waiting on the user-sbassett board.
Ladsgroup added a comment. (2019-12-07 22:39:04 UTC+0)
In T192134#5719482, @sbassett wrote:
> In T192134#4321709, @Ladsgroup wrote:
>> Maybe I should call that method in alterForm instead of construct. Can't say for sure tbh.
>
> Most other specials seem to call it in execute(), though SpecialPasswordReset.php doesn't call execute() right now. I'm not sure there's anything wrong with calling disallowUserJs() within the constructor, though I'm sure that could be modified to look more like what is done in SpecialChangeEmail for consistency's sake. Anyhow, whatever you want to do, I'd like to try to deploy this during the security deployment window this Monday, if possible.

Okay, I made another patch that makes me feel better (I was worried that construct would have been run in other contexts, like in Special:SpecialPages).
Attachment: 0001-Security-Do-not-allow-user-scripts-on-Special-Passwo.patch (1 KB)
sbassett added a comment. (2019-12-09 22:25:25 UTC+0)
Thanks, @Ladsgroup. Patch applies and tests fine locally on MW master. Will deploy shortly.
sbassett closed this task as Resolved. (2019-12-09 22:45:41 UTC+0)
sbassett assigned this task to Ladsgroup.
sbassett moved this task from Pending deployment / release to Done on the acl*security board.
sbassett added a comment.
Deployed to wmf.5 and wmf.8. Tested on enwiki and all looks good to me and nothing bad happening in logstash:FatalMonitor. I'm going to resolve for now and make public. I don't think this merits a CVE (it's really more code-hardening IMO) but backports to supported release branches could certainly happen.
Restricted Application added a project: User-Ladsgroup. (2019-12-09 22:45:43 UTC+0)
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board. (2019-12-09 22:45:55 UTC+0)
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
gerritbot added a comment. (2019-12-09 22:47:52 UTC+0)
Change 556073 had a related patch set uploaded (by SBassett; owner: Ladsgroup):
[mediawiki/core@master] Do not allow user scripts on Special:PasswordReset
gerritbot added a project: Patch-For-Review. (2019-12-09 22:47:53 UTC+0)
gerritbot added a comment. (2019-12-09 22:50:09 UTC+0)
Change 556074 had a related patch set uploaded (by SBassett; owner: Ladsgroup):
[mediawiki/core@REL1_34] SECURITY: Do not allow user scripts on Special:PasswordReset
gerritbot added a comment. (2019-12-09 22:50:29 UTC+0)
Change 556075 had a related patch set uploaded (by SBassett; owner: Ladsgroup):
[mediawiki/core@REL1_33] SECURITY: Do not allow user scripts on Special:PasswordReset
gerritbot added a comment. (2019-12-09 22:51:00 UTC+0)
Change 556076 had a related patch set uploaded (by SBassett; owner: Ladsgroup):
[mediawiki/core@REL1_32] SECURITY: Do not allow user scripts on Special:PasswordReset
gerritbot added a comment. (2019-12-09 22:51:40 UTC+0)
Change 556077 had a related patch set uploaded (by SBassett; owner: Ladsgroup):
[mediawiki/core@REL1_31] SECURITY: Do not allow user scripts on Special:PasswordReset
sbassett removed a project: user-sbassett. (2019-12-09 22:52:54 UTC+0)
gerritbot added a comment. (2019-12-09 23:06:01 UTC+0)
Change 556077 merged by jenkins-bot:
[mediawiki/core@REL1_31] SECURITY: Do not allow user scripts on Special:PasswordReset
gerritbot added a comment. (2019-12-09 23:09:24 UTC+0)
Change 556076 merged by jenkins-bot:
[mediawiki/core@REL1_32] SECURITY: Do not allow user scripts on Special:PasswordReset
gerritbot added a comment. (2019-12-09 23:10:23 UTC+0)
Change 556075 merged by jenkins-bot:
[mediawiki/core@REL1_33] SECURITY: Do not allow user scripts on Special:PasswordReset
gerritbot added a comment. (2019-12-09 23:10:49 UTC+0)
Change 556074 merged by jenkins-bot:
[mediawiki/core@REL1_34] SECURITY: Do not allow user scripts on Special:PasswordReset
gerritbot added a comment. (2019-12-09 23:13:12 UTC+0)
Change 556073 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: Do not allow user scripts on Special:PasswordReset
Maintenance_bot moved this task from Incoming to Done on the User-Ladsgroup board. (2019-12-09 23:15:25 UTC+0)
ReleaseTaggerBot added projects: MW-1.31-release-notes, MW-1.33-notes, MW-1.34-notes, MW-1.35-notes (1.35.0-wmf.10; 2019-12-10), MW-1.32-notes. (2019-12-10 00:00:35 UTC+0)
Maintenance_bot removed a project: Patch-For-Review. (2019-12-10 00:10:56 UTC+0)
Reedy added a parent task: T233495: Tracking bug for MediaWiki 1.31.6/1.32.6/1.33.2/1.34.0 security release. (2019-12-12 12:07:54 UTC+0)
Legoktm mentioned this in T233495: Tracking bug for MediaWiki 1.31.6/1.32.6/1.33.2/1.34.0 security release. (2019-12-12 19:12:23 UTC+0)
sbassett mentioned this in T243608: User scripts shouldn't run on Special:Manage_Two-factor_authentication. (2020-01-24 21:03:48 UTC+0)
chasemp added a project: Security. (2020-02-10 23:00:15 UTC+0)
chasemp removed a project: acl*security. (2020-02-20 20:18:24 UTC+0)