Last modified: 2013-09-05 17:00:17 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T51090, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 49090 - Login API doesn't prevent getting csrf tokens via jsonp
Login API doesn't prevent getting csrf tokens via jsonp
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
API (Other open bugs)
unspecified
All All
: High normal (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-03 20:10 UTC by Chris Steipp
Modified: 2013-09-05 17:00 UTC (History)
9 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Patch against master (7.63 KB, patch)
2013-06-04 15:37 UTC, Brad Jorsch 		Details
Patch against REL1_21 (7.72 KB, patch)
2013-06-04 15:37 UTC, Brad Jorsch 		Details
Patch against REL1_20 (4.07 KB, patch)
2013-06-04 15:37 UTC, Brad Jorsch 		Details
Patch against REL1_19 (3.64 KB, patch)
2013-06-04 15:38 UTC, Brad Jorsch 		Details
Patch against master (8.12 KB, patch)
2013-06-04 17:01 UTC, Brad Jorsch 		Details
Patch against REL1_21 (8.21 KB, patch)
2013-06-04 17:01 UTC, Brad Jorsch 		Details
Patch against REL1_20 (4.43 KB, patch)
2013-06-04 17:01 UTC, Brad Jorsch 		Details
Patch against REL1_19 (3.95 KB, patch)
2013-06-04 17:02 UTC, Brad Jorsch 		Details
Show Obsolete (4) Add an attachment (proposed patch, testcase, etc.)

Description Chris Steipp 2013-06-03 20:10:57 UTC 
curl --data "action=login&lgname=User1&lgpassword=xxx&format=json&callback=foo" 'http://localhost/wiki/api.php'
foo({"login":{"result":"NeedToken","token":"317d0a5134f80898af6c619115293e1f","cookieprefix":"wiki_test1","sessionid":"p7sgh8o7h2ltsi5635mh19h6c2pg7me2pekaee84kdq3k68gr1l0"}})
Comment 1 Chris Steipp 2013-06-04 02:01:21 UTC 
I audited the api modules in core, and a few others will give back login or anonymous edit tokens too. These need to be fixed before we can effectively fix bug 38417.


* ApiTokens
** curl -i 'http://localhost/wiki/api.php?action=tokens&type=edit&format=json&callback=foo'

* ApiUnblock
** curl -i --data 'action=unblock&user=User1&gettoken=true&format=json&callback=bar' 'http://localhost/wiki/api.php'

* ApiLogin.php
** curl -i --data 'action=login&format=json&lgname=foo&callback=bar' 'http://localhost/wiki/api.php'

* ApiCreateAccount.php
** curl -i --data 'action=createaccount&format=json&name=foo&callback=bar' 'http://localhost/wiki/api.php'

* ApiBlock.php
** curl -i --data 'action=block&user=User1&gettoken=true&format=json&callback=bar' 'http://localhost/wiki/api.php'
Comment 2 Brad Jorsch 2013-06-04 02:27:07 UTC 
I'm planning to look at this tomorrow morning. Current thoughts are that the block and unblock 'gettoken' parameters have been deprecated since 1.20, so they are ripe for removal. The others will get a check similar to that currently used for prop=info.

I also grepped through the WMF-deployed extensions. They all seem to use the generic edit token from action=tokens or prop=info, or use the hook to add to action=tokens, so that part of it looks ok.

I also note that ApiQueryDeletedrevs could give a token, but since anons don't typically have 'deletedhistory' it's not likely to actually be gettable via jsonp.
Comment 3 Chris Steipp 2013-06-04 03:03:09 UTC 
(In reply to comment #2)
> I'm planning to look at this tomorrow morning. Current thoughts are that the
> block and unblock 'gettoken' parameters have been deprecated since 1.20, so
> they are ripe for removal. The others will get a check similar to that
> currently used for prop=info.

If we want to fix 38417 for REL1_19/REL1_20, then we'll probably need a patch that either checks for the callback param, or moves the gettoken handling after the permission checks. Either way is a pretty simple patch. But yes, we should remove the code altogether for 1.22 I think.
Comment 4 Brad Jorsch 2013-06-04 15:37:03 UTC 
Created attachment 12450 [details]
Patch against master
Comment 5 Brad Jorsch 2013-06-04 15:37:33 UTC 
Created attachment 12451 [details]
Patch against REL1_21
Comment 6 Brad Jorsch 2013-06-04 15:37:47 UTC 
Created attachment 12452 [details]
Patch against REL1_20
Comment 7 Brad Jorsch 2013-06-04 15:38:03 UTC 
Created attachment 12453 [details]
Patch against REL1_19
Comment 8 Brad Jorsch 2013-06-04 17:01:04 UTC 
Created attachment 12456 [details]
Patch against master
Comment 9 Brad Jorsch 2013-06-04 17:01:36 UTC 
Created attachment 12457 [details]
Patch against REL1_21
Comment 10 Brad Jorsch 2013-06-04 17:01:57 UTC 
Created attachment 12458 [details]
Patch against REL1_20
Comment 11 Brad Jorsch 2013-06-04 17:02:17 UTC 
Created attachment 12459 [details]
Patch against REL1_19
Comment 12 Chris Steipp 2013-06-04 17:21:15 UTC 
Thanks Brad! I've tested the patch against master, and it seems to be working well and prevents the leak. As mentioned on irc, the action=tokens api returns the error "Unrecognized value for parameter 'type'" when the callback is added, instead of an explicit message about the callback parameter. But since this is the same way ApiQueryInfo currently works, it seems like api users should be able to figure it out.

Roan, can you take a look at the patches, and verify they look sane to you, or if there is anything we're missing by doing it this way?
Comment 13 Chris Steipp 2013-09-03 20:39:39 UTC 
Roan approved on irc. Deployed into production on Aug 29.
Comment 14 Gerrit Notification Bot 2013-09-03 22:11:08 UTC 
Change 82527 merged by jenkins-bot:
SECURITY: Prevent tokens in jsonp mode

https://gerrit.wikimedia.org/r/82527
Comment 15 Gerrit Notification Bot 2013-09-03 22:34:47 UTC 
Change 82537 had a related patch set uploaded by CSteipp:
SECURITY: Prevent tokens in jsonp mode

https://gerrit.wikimedia.org/r/82537
Comment 16 Gerrit Notification Bot 2013-09-03 22:39:24 UTC 
Change 82541 had a related patch set uploaded by CSteipp:
SECURITY: Prevent tokens in jsonp mode

https://gerrit.wikimedia.org/r/82541
Comment 17 Gerrit Notification Bot 2013-09-03 22:42:45 UTC 
Change 82545 had a related patch set uploaded by CSteipp:
SECURITY: Prevent tokens in jsonp mode

https://gerrit.wikimedia.org/r/82545
Comment 18 Gerrit Notification Bot 2013-09-03 22:57:38 UTC 
Change 82537 merged by CSteipp:
SECURITY: Prevent tokens in jsonp mode

https://gerrit.wikimedia.org/r/82537
Comment 19 Gerrit Notification Bot 2013-09-04 00:27:12 UTC 
Change 82545 merged by jenkins-bot:
SECURITY: Prevent tokens in jsonp mode

https://gerrit.wikimedia.org/r/82545
Comment 20 Gerrit Notification Bot 2013-09-04 03:49:46 UTC 
Change 82541 merged by jenkins-bot:
SECURITY: Prevent tokens in jsonp mode

https://gerrit.wikimedia.org/r/82541
Comment 21 Andre Klapper 2013-09-04 09:30:25 UTC 
[restoring RESOLVED FIXED state which was set before the Gerrit Notification Bot inserted links to the Gerrit patchsets]
Comment 22 Chris Steipp 2013-09-05 17:00:17 UTC 
This issue was assigned CVE-2013-4302
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links