Last modified: 2012-03-22 19:46:50 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T36212, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 34212 - ApiBlock/ApiUnblock allow action to take place without a token parameter present
ApiBlock/ApiUnblock allow action to take place without a token parameter present
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
API (Other open bugs)
unspecified
All All
: High normal (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks: 35387
  Show dependency treegraph
 
Reported: 2012-02-05 18:27 UTC by Sam Reed (reedy)
Modified: 2012-03-22 19:46 UTC (History)
8 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Fix! (584 bytes, patch)
2012-02-05 18:27 UTC, Sam Reed (reedy) 		Details
Add an attachment (proposed patch, testcase, etc.)

Description Sam Reed (reedy) 2012-02-05 18:27:01 UTC 
Created attachment 9957 [details]
Fix!

It was noted on IRC by "Krenair" that the block/unblock modules in the API would allow a user to block/unblock another user without passing a token (never mind whether the token was actually valid)

Some poking around and I noticed it was due to the 'gettoken' parameter that both have, whereas the other modules do not have this.

$foo['bar'] = false;
...
!isset( $foo['bar'] ) evaluates to false, and it meant the code to die for a missing token parameter was never met due to the wrong evaluation


if ( $salt !== false && !$moduleParams['gettoken'] ) {
Comment 1 Sam Reed (reedy) 2012-02-05 18:30:37 UTC 
Fixed it on the cluster.

I'm presuming this warrants a security release of some sort?
Comment 2 Sam Reed (reedy) 2012-02-05 18:37:38 UTC 
Both REL1_17 and REL1_18 are vulnerable to this too
Comment 3 Roan Kattouw 2012-02-08 14:03:34 UTC 
Ouch, this was an embarrassing oversight on my part ~3 years ago.

Patch looks good.
Comment 4 Mark A. Hershberger 2012-02-11 18:45:31 UTC 
I'm confused: why isn't this patched on trunk?
Comment 5 Sam Reed (reedy) 2012-02-11 20:14:27 UTC 
Although its a crsf issue, its not a major issue, as its in quite a small use case.

Hence it warrants a security release, but it's not urgent. issue is patched on wmf currently.

It can wait for the next releases, or a more important fix also
Comment 6 MZMcBride 2012-03-22 19:46:50 UTC 
Related revision: r114429.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links