subject:"\[Mediawiki\-api\] \[Mediawiki\-api\-announce\] DEPRECATION\: Passwords and other sensitive fields for authentication must be in the POST body"

Re: [Mediawiki-api] [Mediawiki-api-announce] DEPRECATION: Passwords and other sensitive fields for authentication must be in the POST body

2016-10-31 Thread Brad Jorsch (Anomie)

Over the past 30 days, there has been exactly one hit to action=clientlogin
with sensitive data in the query string, and none to action=createaccount,
action=linkaccount, and action=changeauthenticationdata. Beginning in
1.29.0-wmf.1 (to be deployed this week) these actions will now begin
throwing errors if sensitive fields are included in the query string.

Over the past 30 days, logins have been attempted via action=login for 28
different user names[1] with sensitive data (lgpassword or lgtoken) in the
query string. This will continue to work for now; my current plan is to
turn that warning into an error on February 15, 2017.

[1]: I can't post the list publicly at this time. If you want to know if
you're one of the 28, put your user agent into
https://meta.wikimedia.org/wiki/Special:ApiFeatureUsage and look for
"login-params-in-query-string".

On Fri, Aug 19, 2016 at 3:24 PM, Brad Jorsch (Anomie)  wrote:

> For improved safety, passwords and other sensitive fields for
> authentication should not be included in the request URI during a POST.
> Instead, they should be in the POST body where they are less likely to be
> included in log files. With the merge of Gerrit change 305545,[1] the API
> will now produce a warning if such fields are detected in the URI. This
> should be deployed to WMF wikis with 1.28.0-wmf.16, see
> https://www.mediawiki.org/wiki/MediaWiki_1.28/Roadmap for the schedule.
>
> This affects the following modules and fields:
> * action=login: 'lgpassword'
> * action=clientlogin, action=createaccount, action=linkaccount, and 
> action=changeauthenticationdata:
> Any fields reported as "sensitive" by action=query=authmanagerinfo
> or by UI or REDIRECT responses. Currently, this affects the 'password' and
> 'retype' fields.
>
> The 'lgtoken' field for action=login will now also issue a warning if
> placed in the request URI. The error code for other tokens being in the
> request URI has changed from 'mustposttoken' to 'mustpostparams'.
>
> To check if your client's user agent is detected making such submissions,
> you can also use ApiFeatureUsage[2] and look for 
> '-params-in-query-string'
> once 1.28.0-wmf.16 is rolled out to wikis your client is logging in to.
>
> It is planned that these warnings will be changed to errors during 1.29.
> Let's avoid having a repeat of T142155,[3] update your code ASAP instead of
> waiting until it breaks. Thanks.
>
>  [1]: https://gerrit.wikimedia.org/r/#/c/305545/
>  [2]: https://meta.wikimedia.org/wiki/Special:ApiFeatureUsage
>  [3]: https://phabricator.wikimedia.org/T142155
>
> --
> Brad Jorsch (Anomie)
> Senior Software Engineer
> Wikimedia Foundation
>

-- 
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
___
Mediawiki-api-announce mailing list
mediawiki-api-annou...@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce
___
Mediawiki-api mailing list
Mediawiki-api@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api

[Mediawiki-api] [Mediawiki-api-announce] DEPRECATION: Passwords and other sensitive fields for authentication must be in the POST body

2016-08-19 Thread Brad Jorsch (Anomie)

For improved safety, passwords and other sensitive fields for
authentication should not be included in the request URI during a POST.
Instead, they should be in the POST body where they are less likely to be
included in log files. With the merge of Gerrit change 305545,[1] the API
will now produce a warning if such fields are detected in the URI. This
should be deployed to WMF wikis with 1.28.0-wmf.16, see
https://www.mediawiki.org/wiki/MediaWiki_1.28/Roadmap for the schedule.

This affects the following modules and fields:
* action=login: 'lgpassword'
* action=clientlogin, action=createaccount, action=linkaccount, and
action=changeauthenticationdata: Any fields reported as "sensitive" by
action=query=authmanagerinfo or by UI or REDIRECT responses.
Currently, this affects the 'password' and 'retype' fields.

The 'lgtoken' field for action=login will now also issue a warning if
placed in the request URI. The error code for other tokens being in the
request URI has changed from 'mustposttoken' to 'mustpostparams'.

To check if your client's user agent is detected making such submissions,
you can also use ApiFeatureUsage[2] and look for
'-params-in-query-string' once 1.28.0-wmf.16 is rolled out to wikis
your client is logging in to.

It is planned that these warnings will be changed to errors during 1.29.
Let's avoid having a repeat of T142155,[3] update your code ASAP instead of
waiting until it breaks. Thanks.

 [1]: https://gerrit.wikimedia.org/r/#/c/305545/
 [2]: https://meta.wikimedia.org/wiki/Special:ApiFeatureUsage
 [3]: https://phabricator.wikimedia.org/T142155

-- 
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
___
Mediawiki-api-announce mailing list
mediawiki-api-annou...@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce
___
Mediawiki-api mailing list
Mediawiki-api@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api

Re: [Mediawiki-api] [Mediawiki-api-announce] DEPRECATION: Passwords and other sensitive fields for authentication must be in the POST body

[Mediawiki-api] [Mediawiki-api-announce] DEPRECATION: Passwords and other sensitive fields for authentication must be in the POST body

2 matches

Site Navigation

Mail list logo

Footer information