Last modified: 2014-01-14 07:28:30 UTC
Created attachment 13789: Add and check csrf token in form

Special:CreateCategory doesn't add and validate an anti-csrf token in the form. Logged in users can be tricked into creating categories by visiting a site that makes a request on behalf of the user. Basic patch attached, but I don't have a system to test this available. Can someone check this?
Reported by Ravindra Singh Rathore to Mozilla.
Hi Chris, Thanks for this patch! A few questions and comments: - It looks like the method User::getEditToken() was only added in MediaWiki 1.19 - Semantic Forms currently supports MW 1.17 and higher, so there would need to be an "if" statement to only apply this handling if for MW 1.19 and higher. - Would there be a benefit to displaying an error message if the token validation fails, instead of just ignoring the attempt as the current patch seems to do? - Semantic Forms defines four other special pages with similar forms: CreateProperty, CreateTemplate, CreateForm and CreateClass. I assume they could all similarly benefit from an anti-CSRF check?
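The shape of the fix discussed above (issue a per-user edit token in the form, verify it on POST before doing anything, gate the check on MediaWiki 1.19+ where User::getEditToken() exists, and show an error rather than silently ignoring a bad token), as an added example. This is not the Semantic Forms patch or the extension's own code; the special page name SpecialCreateThing, the form field name, and the NS_CATEGORY page creation are assumptions made for illustration. The core APIs used (User::getEditToken, User::matchEditToken, Html::hidden, WebRequest::wasPosted, the sessionfailure message) are real MediaWiki APIs of the 1.19 era.

```php
<?php
// Added example, not Semantic Forms code: a minimal MediaWiki special page
// whose form carries an anti-CSRF token on MW 1.19 and higher.

class SpecialCreateThing extends SpecialPage {
	function __construct() {
		parent::__construct( 'CreateThing' ); // hypothetical page name
	}

	// User::getEditToken() only exists from MediaWiki 1.19 onwards, so the
	// extension keeps working on 1.17/1.18 by skipping the token there.
	static function csrfSupported() {
		global $wgVersion;
		return version_compare( $wgVersion, '1.19', '>=' );
	}

	function execute( $query ) {
		$this->setHeaders();
		$out = $this->getOutput();
		$req = $this->getRequest();
		$user = $this->getUser();

		if ( $req->wasPosted() ) {
			// Validate the token BEFORE any side effect. A cross-site page
			// can POST on the user's behalf but cannot read the token value
			// that was rendered into the legitimate form.
			if ( self::csrfSupported()
				&& !$user->matchEditToken( $req->getVal( 'wpEditToken' ) )
			) {
				// Tell the user instead of silently dropping the request.
				// 'sessionfailure' is a core message ("session data lost").
				$out->addWikiMsg( 'sessionfailure' );
				return;
			}
			$this->createThing( $req->getVal( 'thing_name' ) );
			$out->addWikiMsg( 'newpage-success' ); // hypothetical message key
			return;
		}

		$form = Xml::openElement( 'form', array(
			'method' => 'post',
			'action' => $this->getTitle()->getLocalURL(),
		) );
		$form .= Xml::inputLabel( 'Name:', 'thing_name', 'thing_name' );
		if ( self::csrfSupported() ) {
			// The token is bound to the user's session; the same user must
			// present it back for matchEditToken() to succeed.
			$form .= Html::hidden( 'wpEditToken', $user->getEditToken() );
		}
		$form .= Xml::submitButton( 'Create' );
		$form .= Xml::closeElement( 'form' );
		$out->addHTML( $form );
	}

	// Illustrative side effect: create a category page (assumed behaviour).
	function createThing( $name ) {
		$title = Title::makeTitleSafe( NS_CATEGORY, $name );
		if ( $title === null || $title->exists() ) {
			return;
		}
		$page = WikiPage::factory( $title );
		$page->doEdit( '', 'Created via Special:CreateThing' );
	}
}
```

Two points worth keeping in mind when porting this to the other four special pages: the token check has to run before the page edit, not after, and the form must be submitted by POST (a GET with the token in the query string would expose it in referrers and logs). Anything that accepts a state-changing request without going through matchEditToken() on 1.19+ is still CSRF-able.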
Yaron, Yeah, feel free to update the patch. That was just something quick to address the issue. I wasn't sure how actively the extension is maintained. If you can get a patch today, I'll add a note about it in the upcoming security release. Typically, just add a patch here, and we'll push it into gerrit when we make the announcement. Or, if you need more time, we'll add it to the next one.
(In reply to comment #2) > - Semantic Forms defines four other special pages with similar forms: > CreateProperty, CreateTemplate, CreateForm and CreateClass. I assume they > could > all similarly benefit from an anti-CSRF check? And yes, definitely, to this.
Okay, this security vulnerability has now been fixed for those five special pages, for MW 1.19 and higher. Thanks for the patch! I have to say that I was surprised by the comment about announcing this in a security release - I wasn't aware that the WMF ever made announcements about non-WMF extensions, security-related or otherwise.
(In reply to comment #5) > I have to say that I was surprised by the comment about announcing this in a > security release - I wasn't aware that the WMF ever made announcements about > non-WMF extensions, security-related or otherwise. We don't. This is weird to me too :)
Thanks Yaron, can you add links to the gerrit patches that fixed this? (In reply to comment #6) > (In reply to comment #5) > > I have to say that I was surprised by the comment about announcing this in a > > security release - I wasn't aware that the WMF ever made announcements about > > non-WMF extensions, security-related or otherwise. > > We don't. This is weird to me too :) We're using SemanticForms on Wikitech, so I assumed we treated it like a WMF-deployed extension. It's also widely enough deployed that I'll probably mention it when we do the release. Adding Ryan/Coren so they can get wikitech patched.
https://gerrit.wikimedia.org/r/#/c/103885/ was the fix
Yes, you found it. Well, it's nice to hear that SF is considered (by some) to be a WMF extension!