Last modified: 2014-10-08 21:14:03 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and kept for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T72468, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 70468 - CentralAuth MergeAccount doesn't recheck ownership of homewiki on wpMergeAction=initial
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: CentralAuth
Version: master
Hardware: All All
Importance: Normal normal
Assigned To: Chris Steipp
Reported: 2014-09-05 22:02 UTC by Chris Steipp
Modified: 2014-10-08 21:14 UTC


Attachments
Check home wiki password before merge (2.89 KB, patch)
2014-09-17 00:08 UTC, Chris Steipp
Check home wiki password before merge - 1.24 wmf22 (3.38 KB, patch)
2014-09-17 00:47 UTC, Chris Steipp
Check home wiki password before merge - 1.24wmf3 (after file reorg) (3.45 KB, patch)
2014-10-08 21:02 UTC, Chris Steipp

Description Chris Steipp 2014-09-05 22:02:03 UTC
This allows non-home owners to take over the homewiki account without knowing the password.
Comment 1 Chris Steipp 2014-09-05 23:10:07 UTC
I was wrong... Just lets you attach your account to the homewiki global account, but the global account still gets the homewiki's password. So the attacker still doesn't have access to the global account.

Combined with bug 70469, this lets the owner of the homewiki take over an account they don't own, but that's less serious.
Comment 2 Chris Steipp 2014-09-17 00:08:49 UTC
Created attachment 16495
Check home wiki password before merge

Just like we do in the dry run, check the home wiki's password before doing the actual merge.
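
The fix described in Comment 2, as an added illustration that is not part of the bug report and is not CentralAuth code: a simplified Python model of a two-step merge in which the dry run checks the home wiki password and the commit step either skips or repeats that check. The class, function and wiki names are hypothetical, and the accounts are constructed sample data.

```python
import hashlib
import hmac
import os

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_account(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _digest(password, salt)}

def password_ok(account, password):
    return hmac.compare_digest(account["hash"], _digest(password, account["salt"]))

class MergeHandler:
    """Hypothetical model: 'dryrun' previews a merge, 'initial' performs it."""
    def __init__(self, local_accounts, home_wiki, recheck_on_initial):
        self.local = local_accounts          # wiki name -> local account
        self.home = home_wiki
        self.recheck = recheck_on_initial    # False = behaviour before the fix
        self.attached = None                 # wikis attached to the global account

    def _owns_home(self, password):
        return password_ok(self.local[self.home], password)

    def handle(self, action, password):
        if action == "dryrun":
            return "ok" if self._owns_home(password) else "denied"
        if action == "initial":
            # The state-changing request cannot assume a dry run happened or
            # passed, so ownership of the home wiki is verified again here.
            if self.recheck and not self._owns_home(password):
                return "denied"
            self.attached = sorted(w for w, acct in self.local.items()
                                   if w == self.home or password_ok(acct, password))
            return "merged"
        return "bad action"

def demo(recheck):
    # Constructed sample accounts: same username, different owners per wiki.
    accounts = {"homewiki": make_account("home-secret"),
                "otherwiki": make_account("other-secret")}
    handler = MergeHandler(accounts, "homewiki", recheck)
    # Requester knows only the otherwiki password and sends 'initial' directly.
    return handler.handle("initial", "other-secret"), handler.attached

if __name__ == "__main__":
    for recheck in (False, True):
        print("recheck =", recheck, "->", demo(recheck))
```

Without the recheck, the model attaches the requester's local account to a global account rooted at a home wiki they do not own, which matches the outcome described in Comment 1; with it, the request is denied and no state changes.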
Comment 3 Chris Steipp 2014-09-17 00:47:37 UTC
Created attachment 16497
Check home wiki password before merge - 1.24 wmf22

Rebased on top of Gerrit change #158578.

After this is public, I'll make all those bool flags an options array.
Comment 4 Kunal Mehta (Legoktm) 2014-09-26 18:39:14 UTC
+2, patch looks good. Only thing is we reverted the commit out of 1.24wmf22, so attachment 16495 should go with 1.24wmf22, and attachment 16497 should go with 1.25wmf1 and master.
Comment 5 Kunal Mehta (Legoktm) 2014-09-26 19:37:11 UTC
From SAL: 19:15 AaronS: Deployed security patches to CentralAuth
Comment 6 Aaron Schulz 2014-09-26 19:54:28 UTC
I put up https://gerrit.wikimedia.org/r/#/c/163225/ as a draft. Apparently there is some wiki farm that uses CA too...so they will have to be notified first before that is merged.
Comment 7 Chris Steipp 2014-10-08 21:02:37 UTC
Created attachment 16725
Check home wiki password before merge - 1.24wmf3 (after file reorg)
