[Pkg-mediawiki-commits] r230 - in mediawiki/lenny/debian: . patches

Jonathan Wiltshire jmw at alioth.debian.org
Fri Dec 17 21:53:40 UTC 2010 

Author: jmw
Date: 2010-12-17 21:53:40 +0000 (Fri, 17 Dec 2010)
New Revision: 230

Added:
   mediawiki/lenny/debian/patches/1.15.4-userlogin-security.patch
Modified:
   mediawiki/lenny/debian/changelog
   mediawiki/lenny/debian/patches/series
Log:
Backport fix for CSRF vulnerability in "e-mail me my password", "create account" and "create by e-mail" features of [[Special:Userlogin]]

Modified: mediawiki/lenny/debian/changelog
===================================================================
--- mediawiki/lenny/debian/changelog	2010-09-24 13:17:45 UTC (rev 229)
+++ mediawiki/lenny/debian/changelog	2010-12-17 21:53:40 UTC (rev 230)
@@ -1,3 +1,12 @@
+mediawiki (1:1.12.0-2lenny6) stable; urgency=low
+
+  * Stable upload.
+  * Fixed CSRF vulnerability in "e-mail me my password",
+    "create account" and "create by e-mail" features of
+    [[Special:Userlogin]]
+
+ -- Jonathan Wiltshire <jmw at debian.org>  Fri, 17 Dec 2010 21:51:07 +0000
+
 mediawiki (1:1.12.0-2lenny5) stable-security; urgency=high
 
   * Security upload. Fixes the following issue (CVE-2010-1150):

Added: mediawiki/lenny/debian/patches/1.15.4-userlogin-security.patch
===================================================================
--- mediawiki/lenny/debian/patches/1.15.4-userlogin-security.patch	                        (rev 0)
+++ mediawiki/lenny/debian/patches/1.15.4-userlogin-security.patch	2010-12-17 21:53:40 UTC (rev 230)
@@ -0,0 +1,193 @@
+Description: Fixed CSRF vulnerability in "e-mail me my password",
+ "create account" and "create by e-mail" features of [[Special:Userlogin]]
+Origin: http://www.mediawiki.org/wiki/Special:Code/MediaWiki/66991
+Author: Tim Starling
+Bug: https://bugzilla.wikimedia.org/show_bug.cgi?id=23371
+Last-Update: 2010-12-17
+
+
+--- mediawiki-1.12.0.orig/includes/SpecialUserlogin.php
++++ mediawiki-1.12.0/includes/SpecialUserlogin.php
+@@ -66,7 +66,7 @@
+ 		$this->mAction = $request->getVal( 'action' );
+ 		$this->mRemember = $request->getCheck( 'wpRemember' );
+ 		$this->mLanguage = $request->getText( 'uselang' );
+-		$this->mToken = $request->getVal( 'wpLoginToken' );
++		$this->mToken = ($this->mType == 'signup' ) ? $request->getVal( 'wpCreateaccountToken' ) : $request->getVal( 'wpLoginToken' );
+ 
+ 		if( $wgEnableEmail ) {
+ 			$this->mEmail = $request->getText( 'wpEmail' );
+@@ -234,6 +234,25 @@
+ 			return false;
+ 		}
+ 
++		# Request forgery checks.
++		if ( !self::getCreateaccountToken() ) {
++			self::setCreateaccountToken();
++			$this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++			return false;
++		}
++		
++		# The user didn't pass a createaccount token
++		if ( !$this->mToken ) {
++			$this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++			return false;
++		}
++		
++		# Validate the createaccount token
++		if ( $this->mToken !== self::getCreateaccountToken() ) {
++			$this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++			return false;
++		}
++
+ 		# Check permissions
+ 		if ( !$wgUser->isAllowed( 'createaccount' ) ) {
+ 			$this->userNotPrivilegedMessage();
+@@ -248,7 +267,7 @@
+ 		  $wgUser->inSorbsBlacklist( $ip ) )
+ 		{
+ 			$this->mainLoginForm( wfMsg( 'sorbs_create_account_reason' ) . ' (' . htmlspecialchars( $ip ) . ')' );
+-			return;
++			return false;
+ 		}
+ 
+ 		# Now create a dummy user ($u) and check if it is valid
+@@ -322,6 +341,7 @@
+ 			return false;
+ 		}
+ 
++		self::clearCreateaccountToken();		
+ 		return $this->initUser( $u, false );
+ 	}
+ 
+@@ -540,13 +560,26 @@
+ 			return;
+ 		}
+ 
+-		# Check against blocked IPs
+-		# fixme -- should we not?
++		# Check against blocked IPs so blocked users can't flood admins 
++		# with password resets
+ 		if( $wgUser->isBlocked() ) {
+ 			$this->mainLoginForm( wfMsg( 'blocked-mailpassword' ) );
+ 			return;
+ 		}
+ 
++		# If the user doesn't have a login token yet, set one.
++		if ( !self::getLoginToken() ) {
++			self::setLoginToken();
++			$this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++			return;
++		}
++
++		# If the user didn't pass a login token, tell them we need one
++		if ( !$this->mToken ) {
++			$this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++			return;
++		}
++		
+ 		# Check against the rate limiter
+ 		if( $wgUser->pingLimiter( 'mailpassword' ) ) {
+ 			$wgOut->rateLimited();
+@@ -567,6 +600,12 @@
+ 			return;
+ 		}
+ 
++		# Validate the login token
++		if ( $this->mToken !== self::getLoginToken() ) {
++			$this->mainLoginForm( wfMsg( 'sessionfailure' ) );
++			return;
++		}
++
+ 		# Check against password throttle
+ 		if ( $u->isPasswordReminderThrottled() ) {
+ 			global $wgPasswordReminderResendTime;
+@@ -581,6 +620,7 @@
+ 			$this->mainLoginForm( wfMsg( 'mailerror', $result->getMessage() ) );
+ 		} else {
+ 			$this->mainLoginForm( wfMsg( 'passwordsent', $u->getName() ), 'success' );
++			self::clearLoginToken();
+ 		}
+ 	}
+ 
+@@ -757,11 +797,18 @@
+ 		$template->set( 'canreset', $wgAuth->allowPasswordChange() );
+ 		$template->set( 'remember', $wgUser->getOption( 'rememberpassword' ) or $this->mRemember  );
+ 
+-		if ( !self::getLoginToken() ) {
+-			self::setLoginToken();
++		if ( $this->mType == 'signup' ) {
++			if ( !self::getCreateaccountToken() ) {
++				self::setCreateaccountToken();
++			}
++			$template->set( 'token', self::getCreateaccountToken() );
++		} else {
++			if ( !self::getLoginToken() ) {
++				self::setLoginToken();
++			}
++			$template->set( 'token', self::getLoginToken() );
+ 		}
+-		$template->set( 'token', self::getLoginToken() );
+-
++		
+ 		# Prepare language selection links as needed
+ 		if( $wgLoginLanguageSelector ) {
+ 			$template->set( 'languages', $this->makeLanguageSelector() );
+@@ -820,7 +867,7 @@
+ 	}
+ 	
+ 	/**
+-	 * Generate a new login token and attach it to the current session
++	 * Randomly generate a new login token and attach it to the current session
+ 	 */
+ 	public static function setLoginToken() {
+ 		global $wgRequest;
+@@ -832,12 +879,36 @@
+ 	/**
+ 	 * Remove any login token attached to the current session
+ 	 */
+-	public static  function clearLoginToken() {
++	public static function clearLoginToken() {
+ 		global $wgRequest;
+ 		$wgRequest->setSessionData( 'wsLoginToken', null );
+ 	}
+ 
+ 	/**
++	 * Get the createaccount token from the current session
++	 */
++	public static function getCreateaccountToken() {
++		global $wgRequest;
++		return $wgRequest->getSessionData( 'wsCreateaccountToken' );
++	}
++	
++	/**
++	 * Randomly generate a new createaccount token and attach it to the current session
++	 */
++	public static function setCreateaccountToken() {
++		global $wgRequest;
++		$wgRequest->setSessionData( 'wsCreateaccountToken', User::generateToken() );
++	}
++	
++	/**
++	 * Remove any createaccount token attached to the current session
++	 */
++	public static function clearCreateaccountToken() {
++		global $wgRequest;
++		$wgRequest->setSessionData( 'wsCreateaccountToken', null );
++	}
++
++	/**
+ 	 * @private
+ 	 */
+ 	function cookieRedirectCheck( $type ) {
+--- mediawiki-1.12.0.orig/includes/templates/Userlogin.php
++++ mediawiki-1.12.0/includes/templates/Userlogin.php
+@@ -214,6 +214,7 @@
+ 		</tr>
+ 	</table>
+ <?php if( @$this->haveData( 'uselang' ) ) { ?><input type="hidden" name="uselang" value="<?php $this->text( 'uselang' ); ?>" /><?php } ?>
++<?php if( @$this->haveData( 'token' ) ) { ?><input type="hidden" name="wpCreateaccountToken" value="<?php $this->text( 'token' ); ?>" /><?php } ?>
+ </form>
+ </div>
+ <div id="signupend"><?php $this->msgWiki( 'signupend' ); ?></div>
+ 

Modified: mediawiki/lenny/debian/patches/series
===================================================================
--- mediawiki/lenny/debian/patches/series	2010-09-24 13:17:45 UTC (rev 229)
+++ mediawiki/lenny/debian/patches/series	2010-12-17 21:53:40 UTC (rev 230)
@@ -8,3 +8,4 @@
 CSS-no-CVE_rev-63429.patch
 DataLeakage-no-CVE_rev-63436.patch
 1.15.3-security.patch
+1.15.4-userlogin-security.patch

More information about the Pkg-mediawiki-commits mailing list