Last modified: 2014-06-12 09:35:10 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T36357, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 34357 - [SEVERE DESIGN PROBLEM] OpenID-created account owners cannot set their e-mail address and/or reset their password when the account lacks an e-mail address or password - race condition
[SEVERE DESIGN PROBLEM] OpenID-created account owners cannot set their e-mail...
Status: ASSIGNED
Product: MediaWiki extensions
Classification: Unclassified
OpenID (Other open bugs)
unspecified
All All
: High normal with 1 vote (vote)
: ---
Assigned To: T. Gries
https://www.mediawiki.org/wiki/Extens...
:
Depends on: 20185
Blocks: 9604
  Show dependency treegraph
 
Reported: 2012-02-12 19:56 UTC by T. Gries
Modified: 2014-06-12 09:35 UTC (History)
4 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description T. Gries 2012-02-12 19:56:25 UTC
Well, the subject say it all.

After fixing bug20185 ( Changing your email address should require entering your password, see https://bugzilla.wikimedia.org/show_bug.cgi?id=20185#c5 ) the following problem exists when using OpenID extension in the mode "OpenID only".

1.  when a user has added an account via OpenID, and no e-mail data was set-up (from OpenID provider to MediaWiki account)

2. there is already the link "reset password" in Special:Preferences
3. but user cannot set ("reset password") their password 
4. because they do not have an e-mail address
5. The cannot set up their e-mail address (with MediaWiki methods), because they do not have a password (required since r92924 .

An ad-hoc solution is:

- add your e-mail address in your OpenID account,
- and let this data be updated in your MediaWiki account when logging in with OpenID. 

Activate in Special:Preferences#mw-prefsection-openid -->
"Update the following information from OpenID persona every time I log in:  E-mail address"

A) Log-out from MediaWiki.
B) Set in your OpenId account that you want to transmit your e-mail address when logging in on the trusted site (your MediaWiki)
C) Log-in to MediaWiki
D) in Special:Preferences you will find your e-mail address set up
E) click "Reset Password" to let the MediaWiki send you a temporary password
F) goto your mail program, get the temporary password
G) return to your MediaWiki,
H) login with the temporary password and change it with a regular one

related to bug29027 (solved) and depending on bug20185 .

I filed this bug for tracking.
Comment 1 T. Gries 2013-02-23 06:40:34 UTC
This is *not* a blocker for wikis with OpenID as long as the standard password-login is not disabled ( $wgOpenIDOnly == false ).
Comment 2 Andre Klapper 2013-04-15 11:07:34 UTC
No changes / updates for five weeks here - is this really highest priority (which implies some urgency)?
Comment 3 T. Gries 2013-04-15 19:34:20 UTC
this is a * yes- keep alive ping - busy with even more important thing - this is not cookie licking *
Comment 4 T. Gries 2013-05-07 06:49:22 UTC
Downgraded to normal. No user has complained so far.
Comment 5 T. Gries 2013-05-07 06:51:08 UTC
"high" is more appropriate.
Comment 6 T. Gries 2013-10-03 13:48:28 UTC
In short, this is the 

"I-cannot-set-up-my-e-mail-address-because-I-do-not-know-my-password" problem.

It came up when MediaWiki core changed and required the account password, when users want to set-up or change their e-mail address (which makes definitely sense for security reasons).

If someone can help to find a solution, pls. let me know a.s.a.p.
Comment 7 Chris Steipp 2013-10-03 21:59:36 UTC
We may want to allow a hook to update that part of the interface, so we could have OpenID (or similar extensions) remove it, whereas other extensions might want to do a 2nd factor check there.

Aaron might have another idea, since he implemented the check (iirc).
Comment 8 T. Gries 2013-10-03 22:07:00 UTC
(In reply to comment #7)
> We may want to allow a hook to update that part of the interface, so we could
> have OpenID (or similar extensions) remove it, whereas other extensions might
> want to do a 2nd factor check there.
> 
> Aaron might have another idea, since he implemented the check (iirc).

ok. 


Please be reminded, that I already introduced a special way for the special case of $wgOpenIDOnly==true

This was fixed in 2011 in https://bugzilla.wikimedia.org/show_bug.cgi?id=29027 . See https://bugzilla.wikimedia.org/show_bug.cgi?id=29027#c1 for a detailed description (copied to here for convenience):

"fixed in r88848 . 

When having the OpenID extension, the preference window basic information is
changed. The section "Password" shows now links to

case i)  Change Password and Reset Password:

if a password already exists

case ii) Reset Password only:

if no password has been set for this account yet, because the user opened their
account by OpenID - which setPassword( null )

This is at least one possible way and avoids modification of
Special:PasswordReset (there is no login page when only OpenID logins and
account creations are possible ($wgOpenIDOnly==true) or Special:ChangePassword
pages."
Comment 9 T. Gries 2013-11-13 20:43:13 UTC
I will add this hardening ad-hoc fix to prevent problems in the future:

*Disallow* wiki account creation in the case 

- new user wants to create an account (with their OpenID) and
- $wgOpenIDOnly=true (i.e. logins and account creations are only allowed via OpenID) and
- no e-mail address present, or e-mail address fails the Sanitizer:validEmail() test.

This avoids any account creation without e-mail address, which makes sense because the user could not change ro setup their password without having a (confirmed) e-mail address in their wiki account.
Comment 10 [[kgh]] 2014-06-12 07:47:29 UTC
(In reply to T. Gries from comment #6)
> In short, this is the 
> 
> "I-cannot-set-up-my-e-mail-address-because-I-do-not-know-my-password"
> problem.
> 
> It came up when MediaWiki core changed and required the account password,
> when users want to set-up or change their e-mail address (which makes
> definitely sense for security reasons).
> 
> If someone can help to find a solution, pls. let me know a.s.a.p.

Since MW 1.20.0 there is the $wgRequirePasswordforEmailChange parameter. Shouldn't this solve the issue. However, when talking about MW 1.19 we are still out of luck. However there are only 11 months of support left with the succeeding LTS already released.

[1] https://www.mediawiki.org/wiki/Manual:$wgRequirePasswordforEmailChange
Comment 11 T. Gries 2014-06-12 08:00:44 UTC
@kgh thx for pointing me to this
Comment 12 [[kgh]] 2014-06-12 08:34:19 UTC
You are welcome. I wish I had seen this bug before. However the big Kudos go to Reedy who made this parameter reality. This one was a life-saver on several of my wikis.

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links