https://bugzilla.wikimedia.org/show_bug.cgi?id=17879

           Summary: AuthPlugin allows the creation of locally forbidden
                    names.
           Product: MediaWiki
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: Normal
         Component: User login/settings
        AssignedTo: [email protected]
        ReportedBy: [email protected]


User::isValidUserName prevents the local creation of usernames that are
prefixed with namespace keys, i.e. User:Wikipedia:Bob is forbidden when
Wikipedia: is a local namespace.

However, the vandal mentioned in bug 17877 demonstrated that CentralAuth (and
AuthPlugins in general) can allow one to bypass this.

For example, create an account such as User:WP:ANI in a wiki that does not have
a WP: namespace and then use single user login to create the same account on
enwiki, where it would normally be forbidden.

I'm filing this separately from 17877 because strictly speaking one could
address that issue without addressing this one (or vice versa), but I believe
that if the AuthPlugin functionality is fixed to prevent the creation of
accounts whose names are locally forbidden due to naming conflicts then that
would eliminate the most likely and accessible path that leads to the bug
described in 17877.  (Other paths to a 17877 scenario include the post-facto
creation of a conflicting namespace, or the use of RenameUser to intentionally
move an account to a conflicting name.)

Also, I think the best approach is to patch MediaWiki to prevent AuthPlugins
from creating new accounts for locally forbidden names, but I suppose one might
also consider patching just CentralAuth to accomplish the same thing for just
Wikimedia.
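A small model of the bypass described above and of the fix the report asks for, added here as an illustration and not code from MediaWiki or CentralAuth. The per-wiki namespace tables, the function names and the simplified prefix rule are assumptions; the real `User::isValidUserName` does more than this.

```python
import re
from typing import Dict, Set

# Constructed per-wiki namespace tables (assumption; not MediaWiki's real
# configuration). They include canonical names and local aliases such as
# "WP" on enwiki. Matching is case-insensitive, as MediaWiki title parsing is.
WIKI_NAMESPACES: Dict[str, Set[str]] = {
    "enwiki": {"User", "Wikipedia", "WP", "Talk", "Help", "File"},
    "smallwiki": {"User", "Project", "Talk", "Help", "File"},
}


def _normalise(text: str) -> str:
    """Collapse spaces/underscores and lower-case, so 'WP ' and 'wp_' match."""
    return re.sub(r"[ _]+", " ", text).strip().lower()


def is_locally_valid_username(wiki: str, username: str) -> bool:
    """Simplified stand-in for the namespace-prefix part of
    User::isValidUserName: a name is forbidden on this wiki when the text
    before its first ':' is one of the wiki's namespace keys."""
    if not username or username != username.strip():
        return False
    prefix, sep, _ = username.partition(":")
    if not sep:
        return True
    local_keys = {_normalise(ns) for ns in WIKI_NAMESPACES[wiki]}
    return _normalise(prefix) not in local_keys


def autocreate_unchecked(wiki: str, username: str, accounts: Dict[str, Set[str]]) -> bool:
    """The behaviour the report describes: the single-user-login auto-creation
    path trusts the remote account and never re-runs the local check."""
    accounts.setdefault(wiki, set()).add(username)
    return True


def autocreate_checked(wiki: str, username: str, accounts: Dict[str, Set[str]]) -> bool:
    """The fix the report asks for: auto-creation applies the same local
    validity rule as an ordinary local signup and refuses forbidden names."""
    if not is_locally_valid_username(wiki, username):
        return False
    accounts.setdefault(wiki, set()).add(username)
    return True


def conflicting_accounts(wiki: str, accounts: Dict[str, Set[str]]) -> Set[str]:
    """Audit helper for the post-facto case (a namespace added after accounts
    already exist): existing names that are now forbidden on this wiki."""
    return {u for u in accounts.get(wiki, set()) if not is_locally_valid_username(wiki, u)}
```

`WP:ANI` passes on `smallwiki`, is refused by the local rule on `enwiki`, yet `autocreate_unchecked` still creates it there; `autocreate_checked` does not, and `conflicting_accounts` finds any such name already present.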
