Reedy has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/336833 )
Change subject: API: Insist authn parameters be in the POST body
......................................................................
API: Insist authn parameters be in the POST body
Passwords should always be submitted in the POST body, not in the query
string. Thus, a warning will now be returned if the password for
action=login or any sensitive authentication request parameters for
AuthManager actions are found in the query string.
These warnings should be upgraded to errors in 1.29.
Change-Id: Ifb2c684bb28c9acc004be2b0c2fef839eb7624aa
---
M RELEASE-NOTES-1.27
M includes/api/ApiAuthManagerHelper.php
M includes/api/ApiBase.php
M includes/api/ApiLogin.php
M includes/api/ApiMain.php
5 files changed, 66 insertions(+), 14 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core
refs/changes/33/336833/1
diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27
index 94b7142..962cf49 100644
--- a/RELEASE-NOTES-1.27
+++ b/RELEASE-NOTES-1.27
@@ -8,6 +8,13 @@
* $wgRunJobsAsync is now false by default (T142751). This change only affects
wikis with $wgJobRunRate > 0.
* (T152717) Better escaping for PHP mail() command
+* Submitting the lgtoken and lgpassword parameters in the query string to
+ action=login is now deprecated and outputs a warning. They should be
submitted
+ in the POST body instead.
+* Submitting sensitive authentication request parameters to action=clientlogin,
+ action=createaccount, action=linkaccount, and action=changeauthenticationdata
+ in the query string is now deprecated and outputs a warning. They should be
+ submitted in the POST body instead.
== MediaWiki 1.27.1 ==
diff --git a/includes/api/ApiAuthManagerHelper.php
b/includes/api/ApiAuthManagerHelper.php
index e30f22b..da7c623 100644
--- a/includes/api/ApiAuthManagerHelper.php
+++ b/includes/api/ApiAuthManagerHelper.php
@@ -156,8 +156,13 @@
// Collect the fields for all the requests
$fields = [];
+ $sensitive = [];
foreach ( $reqs as $req ) {
- $fields += (array)$req->getFieldInfo();
+ $info = (array)$req->getFieldInfo();
+ $fields += $info;
+ $sensitive += array_filter( $info, function ( $opts ) {
+ return !empty( $opts['sensitive'] );
+ } );
}
// Extract the request data for the fields and mark those
request
@@ -165,6 +170,16 @@
$data = array_intersect_key(
$this->module->getRequest()->getValues(), $fields );
$this->module->getMain()->markParamsUsed( array_keys( $data ) );
+ if ( $sensitive ) {
+ try {
+ $this->module->requirePostedParameters(
array_keys( $sensitive ), 'noprefix' );
+ } catch ( UsageException $ex ) {
+ // Make this a warning for now, upgrade to an
error in 1.29.
+ $this->module->setWarning( $ex->getMessage() );
+ $this->module->logFeatureUsage(
$this->module->getModuleName() . '-params-in-query-string' );
+ }
+ }
+
return AuthenticationRequest::loadRequestsFromSubmission(
$reqs, $data );
}
diff --git a/includes/api/ApiBase.php b/includes/api/ApiBase.php
index 639f6be..40cc90a 100644
--- a/includes/api/ApiBase.php
+++ b/includes/api/ApiBase.php
@@ -777,6 +777,39 @@
}
/**
+ * Die if any of the specified parameters were found in the query part
of
+ * the URL rather than the post body.
+ * @since 1.28
+ * @param string[] $params Parameters to check
+ * @param string $prefix Set to 'noprefix' to skip calling
$this->encodeParamName()
+ */
+ public function requirePostedParameters( $params, $prefix = 'prefix' ) {
+ // Skip if $wgDebugAPI is set or we're in internal mode
+ if ( $this->getConfig()->get( 'DebugAPI' ) ||
$this->getMain()->isInternalMode() ) {
+ return;
+ }
+
+ $queryValues = $this->getRequest()->getQueryValues();
+ $badParams = [];
+ foreach ( $params as $param ) {
+ if ( $prefix !== 'noprefix' ) {
+ $param = $this->encodeParamName( $param );
+ }
+ if ( array_key_exists( $param, $queryValues ) ) {
+ $badParams[] = $param;
+ }
+ }
+
+ if ( $badParams ) {
+ $this->dieUsage(
+ 'The following parameters were found in the
query string, but must be in the POST body: '
+ . join( ', ', $badParams ),
+ 'mustpostparams'
+ );
+ }
+ }
+
+ /**
* Callback function used in requireOnlyOneParameter to check whether
required parameters are set
*
* @param object $x Parameter to check is not null/false
@@ -2191,7 +2224,7 @@
* analysis.
* @param string $feature Feature being used.
*/
- protected function logFeatureUsage( $feature ) {
+ public function logFeatureUsage( $feature ) {
$request = $this->getRequest();
$s = '"' . addslashes( $feature ) . '"' .
' "' . wfUrlencode( str_replace( ' ', '_',
$this->getUser()->getName() ) ) . '"' .
diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index c63c4772..1798776 100644
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -70,6 +70,14 @@
return;
}
+ try {
+ $this->requirePostedParameters( [ 'password', 'token' ]
);
+ } catch ( UsageException $ex ) {
+ // Make this a warning for now, upgrade to an error in
1.29.
+ $this->setWarning( $ex->getMessage() );
+ $this->logFeatureUsage( 'login-params-in-query-string'
);
+ }
+
$params = $this->extractRequestParams();
$result = [];
diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index 5b523f4..7c0fef6 100644
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -1038,18 +1038,7 @@
$this->dieUsageMsg( [ 'missingparam', 'token' ]
);
}
- if ( !$this->getConfig()->get( 'DebugAPI' ) &&
- array_key_exists(
- $module->encodeParamName( 'token' ),
- $this->getRequest()->getQueryValues()
- )
- ) {
- $this->dieUsage(
- "The '{$module->encodeParamName(
'token' )}' parameter was " .
- 'found in the query string, but
must be in the POST body',
- 'mustposttoken'
- );
- }
+ $module->requirePostedParameters( [ 'token' ] );
if ( !$module->validateToken( $moduleParams['token'],
$moduleParams ) ) {
$this->dieUsageMsg( 'sessionfailure' );
--
To view, visit https://gerrit.wikimedia.org/r/336833
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ifb2c684bb28c9acc004be2b0c2fef839eb7624aa
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: REL1_27
Gerrit-Owner: Reedy <[email protected]>
Gerrit-Reviewer: Anomie <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
