Last modified: 2014-07-30 02:07:22 UTC

Wikimedia migrated from Bugzilla to Phabricator; this page is a read-only archive. See T69210, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 67210 - nsToken GET parameter to Special:Search should be a salted version of the edit token instead of just plain edit token
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: Search
Version: unspecified
Hardware/OS: All/All
Priority: Unprioritized
Severity: normal
Assigned To: Nobody
Reported: 2014-06-27 19:21 UTC by Bawolff (Brian Wolff)
Modified: 2014-07-30 02:07 UTC
CC: 7 users
Web browser: ---
Mobile Platform: ---


Attachments
patch to salt the token (1.41 KB, patch), 2014-06-27 19:21 UTC, Bawolff (Brian Wolff)

Description Bawolff (Brian Wolff) 2014-06-27 19:21:25 UTC
Created attachment 15766 [details]
patch to salt the token

(Going back and forth on whether I should file this under security. Decided to err on the side of caution, but this really isn't a serious issue, just something that should be done as a precaution.)

Special:Search has an nsToken parameter that's the same as the edit token. It's used for saving the namespace selection to preferences. The parameter is passed as a GET parameter. Since edit tokens are secret and GET parameters can end up showing up in public places (if people copy-paste URLs, log files, etc.), the token should be salted like we do with "watch this page" tokens.


For reference, change is in commit 5dc4dc099d8799cf98dc
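The hardening the report asks for, shown as an added example that is not MediaWiki's own code: a per-purpose token is derived from the session secret with an HMAC over a salt such as "search", so the value that travels in the nsToken GET parameter cannot be used as the plain edit token or replayed against a form that expects a different salt. The session secret, salt names and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of salting per-form CSRF tokens; not MediaWiki code.
# The session secret stands in for the per-session value that plain edit
# tokens are built from.  A token that must travel in a URL is derived from it
# with a purpose-specific salt, so leaking the URL leaks nothing reusable.


def make_salted_token(session_secret: bytes, salt: str) -> str:
    """Token bound to one purpose (e.g. salt='search' for nsToken).

    The HMAC is one-way: knowing the salted token does not reveal the secret
    or any token for a different salt.
    """
    return hmac.new(session_secret, b"edit:" + salt.encode(), hashlib.sha256).hexdigest()


def make_edit_token(session_secret: bytes) -> str:
    """Plain edit token: the unsalted case.  This value must stay out of URLs."""
    return make_salted_token(session_secret, "")


def check_token(session_secret: bytes, salt: str, presented: str) -> bool:
    """Recompute the token for this session and purpose and compare in
    constant time; a wrong length simply fails to match."""
    return hmac.compare_digest(make_salted_token(session_secret, salt), presented)


def demo() -> dict:
    """Show that an nsToken copied out of a URL is accepted only where it
    belongs and is rejected as an edit or watch token."""
    secret = secrets.token_bytes(32)  # constructed: per-session secret
    ns_token = make_salted_token(secret, "search")
    return {
        "ns_differs_from_edit": ns_token != make_edit_token(secret),
        "ns_valid_for_search": check_token(secret, "search", ns_token),
        "ns_rejected_as_edit": not check_token(secret, "", ns_token),
        "ns_rejected_as_watch": not check_token(secret, "watch", ns_token),
    }


if __name__ == "__main__":
    print(demo())
```

Every form keeps its own salt, so a token leaked through one GET parameter is only ever valid for that one action.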
Comment 1 Chris Steipp 2014-06-27 20:23:31 UTC
Yes, please. Since there's no threat of stealing the token directly, I'm fine if this is made public (we can put the patch in gerrit, etc). But we really should be salting the token as a standard hardening / precaution.

Thanks Bawolff!
Comment 2 Nemo 2014-06-27 21:09:07 UTC
Sorry. I did think the token was going to make the URL uglier to share but I neglected to think it could be reused.
Comment 3 Gerrit Notification Bot 2014-06-29 16:01:29 UTC
Change 142900 had a related patch set uploaded by Brian Wolff:
Salt the "nsToken" used for Special:Search namespace remembering

https://gerrit.wikimedia.org/r/142900
Comment 4 Gerrit Notification Bot 2014-06-30 19:28:01 UTC
Change 142900 merged by jenkins-bot:
Salt the "nsToken" used for Special:Search namespace remembering

https://gerrit.wikimedia.org/r/142900
