Last modified: 2013-04-22 16:16:44 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T44334, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 42334 - Disabling two-factor authentication does not verify OATH token
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: OATHAuth
Version: unspecified
Hardware: All All
Importance: Unprioritized major
Target Milestone: ---
Assigned To: Ryan Lane
Reported: 2012-11-21 20:10 UTC by Mormegil
Modified: 2013-04-22 16:16 UTC


Description Mormegil 2012-11-21 20:10:23 UTC
When a user wants to disable the two-factor authentication, he/she needs to supply a valid token to verify the request. However, OATH does not verify the token value provided by the user – the token is just passed from SpecialOATH::tryDisableSubmit to OATHUser::disable, probably assuming the latter verifies it. Which it does not: OATHUser::disable just disables the two-factor authentication, without paying any attention to the passed token.
Comment 1 Mormegil 2012-11-21 20:42:09 UTC
Patch committed to Gerrit as If5f6bc33.
Comment 2 Ryan Lane 2012-11-21 20:55:51 UTC
Thanks for the bug report and fix. It's merged in!
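
The pattern described in this report, as an added PHP example that is not OATHAuth's code or the merged patch: `disableUnchecked()` accepts a token and ignores it, while `disable()` verifies an RFC 6238 TOTP value before changing state. The class, its method names, the one-step drift window and the sample secret are assumptions made for the illustration.

```php
<?php
// Added illustration; class and method names are hypothetical, not OATHAuth's API.
final class TwoFactorUser {
    private $enabled = true;
    private $secret; // raw shared secret bytes

    public function __construct( $secret ) {
        $this->secret = $secret;
    }

    public function isEnabled() { return $this->enabled; }

    // RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) for a Unix time.
    public function totp( $time ) {
        $counter = pack( 'N2', 0, intdiv( $time, 30 ) ); // 64-bit big-endian counter
        $hash = hash_hmac( 'sha1', $counter, $this->secret, true );
        $offset = ord( $hash[19] ) & 0x0f; // dynamic truncation
        $bin = unpack( 'N', substr( $hash, $offset, 4 ) )[1] & 0x7fffffff;
        return str_pad( (string)( $bin % 1000000 ), 6, '0', STR_PAD_LEFT );
    }

    // Accept the current step and one step either side (assumed drift window).
    public function verifyToken( $token, $time ) {
        $ok = false;
        foreach ( [ -30, 0, 30 ] as $drift ) {
            // hash_equals compares in constant time; no early exit in the loop.
            $ok = hash_equals( $this->totp( $time + $drift ), (string)$token ) || $ok;
        }
        return $ok;
    }

    // Pattern from the report: the token is accepted but never looked at.
    public function disableUnchecked( $token ) {
        $this->enabled = false;
        return true;
    }

    // Checked form: the state changes only after the token verifies.
    public function disable( $token, $time ) {
        if ( !$this->verifyToken( $token, $time ) ) {
            return false;
        }
        $this->enabled = false;
        return true;
    }
}

// Constructed sample: the RFC 6238 test secret and its test time T = 59.
$user = new TwoFactorUser( '12345678901234567890' );
var_dump( $user->disable( '000000', 59 ), $user->isEnabled() );
var_dump( $user->disable( $user->totp( 59 ), 59 ), $user->isEnabled() );
```

The caller of the checked form also has to treat a `false` return as a failed request, so the form handler cannot report success when verification fails.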
