Re: [Mediawiki-api] [Mediawiki-api-announce] DEPRECATION: Passwords and other sensitive fields for authentication must be in the POST body
Over the past 30 days, there has been exactly one hit to action=clientlogin with sensitive data in the query string, and none to action=createaccount, action=linkaccount, and action=changeauthenticationdata. Beginning in 1.29.0-wmf.1 (to be deployed this week) these actions will now begin throwing errors if sensitive fields are included in the query string. Over the past 30 days, logins have been attempted via action=login for 28 different user names[1] with sensitive data (lgpassword or lgtoken) in the query string. This will continue to work for now; my current plan is to turn that warning into an error on February 15, 2017. [1]: I can't post the list publicly at this time. If you want to know if you're one of the 28, put your user agent into https://meta.wikimedia.org/wiki/Special:ApiFeatureUsage and look for "login-params-in-query-string". On Fri, Aug 19, 2016 at 3:24 PM, Brad Jorsch (Anomie)wrote: > For improved safety, passwords and other sensitive fields for > authentication should not be included in the request URI during a POST. > Instead, they should be in the POST body where they are less likely to be > included in log files. With the merge of Gerrit change 305545,[1] the API > will now produce a warning if such fields are detected in the URI. This > should be deployed to WMF wikis with 1.28.0-wmf.16, see > https://www.mediawiki.org/wiki/MediaWiki_1.28/Roadmap for the schedule. > > This affects the following modules and fields: > * action=login: 'lgpassword' > * action=clientlogin, action=createaccount, action=linkaccount, and > action=changeauthenticationdata: > Any fields reported as "sensitive" by action=query=authmanagerinfo > or by UI or REDIRECT responses. Currently, this affects the 'password' and > 'retype' fields. > > The 'lgtoken' field for action=login will now also issue a warning if > placed in the request URI. The error code for other tokens being in the > request URI has changed from 'mustposttoken' to 'mustpostparams'. > > To check if your client's user agent is detected making such submissions, > you can also use ApiFeatureUsage[2] and look for > '-params-in-query-string' > once 1.28.0-wmf.16 is rolled out to wikis your client is logging in to. > > It is planned that these warnings will be changed to errors during 1.29. > Let's avoid having a repeat of T142155,[3] update your code ASAP instead of > waiting until it breaks. Thanks. > > [1]: https://gerrit.wikimedia.org/r/#/c/305545/ > [2]: https://meta.wikimedia.org/wiki/Special:ApiFeatureUsage > [3]: https://phabricator.wikimedia.org/T142155 > > -- > Brad Jorsch (Anomie) > Senior Software Engineer > Wikimedia Foundation > -- Brad Jorsch (Anomie) Senior Software Engineer Wikimedia Foundation ___ Mediawiki-api-announce mailing list mediawiki-api-annou...@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce ___ Mediawiki-api mailing list Mediawiki-api@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-api
Re: [Mediawiki-api-announce] DEPRECATION: Passwords and other sensitive fields for authentication must be in the POST body
Over the past 30 days, there has been exactly one hit to action=clientlogin with sensitive data in the query string, and none to action=createaccount, action=linkaccount, and action=changeauthenticationdata. Beginning in 1.29.0-wmf.1 (to be deployed this week) these actions will now begin throwing errors if sensitive fields are included in the query string. Over the past 30 days, logins have been attempted via action=login for 28 different user names[1] with sensitive data (lgpassword or lgtoken) in the query string. This will continue to work for now; my current plan is to turn that warning into an error on February 15, 2017. [1]: I can't post the list publicly at this time. If you want to know if you're one of the 28, put your user agent into https://meta.wikimedia.org/wiki/Special:ApiFeatureUsage and look for "login-params-in-query-string". On Fri, Aug 19, 2016 at 3:24 PM, Brad Jorsch (Anomie)wrote: > For improved safety, passwords and other sensitive fields for > authentication should not be included in the request URI during a POST. > Instead, they should be in the POST body where they are less likely to be > included in log files. With the merge of Gerrit change 305545,[1] the API > will now produce a warning if such fields are detected in the URI. This > should be deployed to WMF wikis with 1.28.0-wmf.16, see > https://www.mediawiki.org/wiki/MediaWiki_1.28/Roadmap for the schedule. > > This affects the following modules and fields: > * action=login: 'lgpassword' > * action=clientlogin, action=createaccount, action=linkaccount, and > action=changeauthenticationdata: > Any fields reported as "sensitive" by action=query=authmanagerinfo > or by UI or REDIRECT responses. Currently, this affects the 'password' and > 'retype' fields. > > The 'lgtoken' field for action=login will now also issue a warning if > placed in the request URI. The error code for other tokens being in the > request URI has changed from 'mustposttoken' to 'mustpostparams'. > > To check if your client's user agent is detected making such submissions, > you can also use ApiFeatureUsage[2] and look for > '-params-in-query-string' > once 1.28.0-wmf.16 is rolled out to wikis your client is logging in to. > > It is planned that these warnings will be changed to errors during 1.29. > Let's avoid having a repeat of T142155,[3] update your code ASAP instead of > waiting until it breaks. Thanks. > > [1]: https://gerrit.wikimedia.org/r/#/c/305545/ > [2]: https://meta.wikimedia.org/wiki/Special:ApiFeatureUsage > [3]: https://phabricator.wikimedia.org/T142155 > > -- > Brad Jorsch (Anomie) > Senior Software Engineer > Wikimedia Foundation > -- Brad Jorsch (Anomie) Senior Software Engineer Wikimedia Foundation ___ Mediawiki-api-announce mailing list Mediawiki-api-announce@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce