Re: [Mediawiki-api] [Mediawiki-api-announce] DEPRECATION: Passwords and other sensitive fields for authentication must be in the POST body

2016-10-31 Thread Brad Jorsch (Anomie)
Over the past 30 days, there has been exactly one hit to action=clientlogin
with sensitive data in the query string, and none to action=createaccount,
action=linkaccount, and action=changeauthenticationdata. Beginning in
1.29.0-wmf.1 (to be deployed this week) these actions will now begin
throwing errors if sensitive fields are included in the query string.

Over the past 30 days, logins have been attempted via action=login for 28
different user names[1] with sensitive data (lgpassword or lgtoken) in the
query string. This will continue to work for now; my current plan is to
turn that warning into an error on February 15, 2017.


[1]: I can't post the list publicly at this time. If you want to know if
you're one of the 28, put your user agent into
https://meta.wikimedia.org/wiki/Special:ApiFeatureUsage and look for
"login-params-in-query-string".


On Fri, Aug 19, 2016 at 3:24 PM, Brad Jorsch (Anomie)  wrote:

> For improved safety, passwords and other sensitive fields for
> authentication should not be included in the request URI during a POST.
> Instead, they should be in the POST body where they are less likely to be
> included in log files. With the merge of Gerrit change 305545,[1] the API
> will now produce a warning if such fields are detected in the URI. This
> should be deployed to WMF wikis with 1.28.0-wmf.16, see
> https://www.mediawiki.org/wiki/MediaWiki_1.28/Roadmap for the schedule.
>
> This affects the following modules and fields:
> * action=login: 'lgpassword'
> * action=clientlogin, action=createaccount, action=linkaccount, and 
> action=changeauthenticationdata:
> Any fields reported as "sensitive" by action=query=authmanagerinfo
> or by UI or REDIRECT responses. Currently, this affects the 'password' and
> 'retype' fields.
>
> The 'lgtoken' field for action=login will now also issue a warning if
> placed in the request URI. The error code for other tokens being in the
> request URI has changed from 'mustposttoken' to 'mustpostparams'.
>
> To check if your client's user agent is detected making such submissions,
> you can also use ApiFeatureUsage[2] and look for 
> '-params-in-query-string'
> once 1.28.0-wmf.16 is rolled out to wikis your client is logging in to.
>
> It is planned that these warnings will be changed to errors during 1.29.
> Let's avoid having a repeat of T142155,[3] update your code ASAP instead of
> waiting until it breaks. Thanks.
>
>  [1]: https://gerrit.wikimedia.org/r/#/c/305545/
>  [2]: https://meta.wikimedia.org/wiki/Special:ApiFeatureUsage
>  [3]: https://phabricator.wikimedia.org/T142155
>
> --
> Brad Jorsch (Anomie)
> Senior Software Engineer
> Wikimedia Foundation
>



-- 
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
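As an added example (not MediaWiki's or the author's code), here is a small client-side helper that keeps everything except action and format out of the request URI, together with a checker that mirrors the server-side rule described in the messages above; the endpoint URL and the per-action lists of sensitive fields are assumptions taken from the announcement, not fetched from authmanagerinfo.

```python
"""Keep MediaWiki API authentication fields out of the query string.

Added example, not part of the mailing list post. The API endpoint and the
per-action sensitive-field lists below are assumptions based on the
announcement (lgpassword/lgtoken for action=login; password/retype for the
AuthManager actions, which the real API reports via meta=authmanagerinfo).
"""
from urllib.parse import parse_qs, urlencode, urlsplit

API_URL = "https://meta.wikimedia.org/w/api.php"  # assumed endpoint

AUTHMANAGER_ACTIONS = ("clientlogin", "createaccount", "linkaccount",
                       "changeauthenticationdata")
SENSITIVE_FIELDS = {"login": {"lgpassword", "lgtoken"}}
SENSITIVE_FIELDS.update({a: {"password", "retype"} for a in AUTHMANAGER_ACTIONS})


def build_request(params):
    """Return (url, body) for a POST.

    Only 'action' and 'format' stay in the URI; every other parameter,
    sensitive or not, goes into the urlencoded POST body, so a web server
    that logs request lines never sees a password or token."""
    query = {k: params[k] for k in ("action", "format") if k in params}
    body = {k: v for k, v in params.items() if k not in query}
    return f"{API_URL}?{urlencode(query)}", urlencode(body)


def check_uri(url):
    """Mirror the API's check on a request URI.

    Returns (code, fields) where code is the ApiFeatureUsage-style
    '<action>-params-in-query-string' for sensitive auth fields, or
    'mustpostparams' for a CSRF 'token' of any other action, and None when
    the URI is clean."""
    qs = parse_qs(urlsplit(url).query)
    action = qs.get("action", [""])[0]
    leaked = SENSITIVE_FIELDS.get(action, set()) & set(qs)
    if leaked:
        return f"{action}-params-in-query-string", sorted(leaked)
    if action != "login" and "token" in qs:
        return "mustpostparams", ["token"]
    return None


if __name__ == "__main__":
    url, body = build_request({"action": "login", "format": "json",
                               "lgname": "Alice", "lgpassword": "s3cret"})
    print(url, body, check_uri(url), sep="\n")
```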
___
Mediawiki-api-announce mailing list
mediawiki-api-annou...@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce
___
Mediawiki-api mailing list
Mediawiki-api@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api