Page MenuHomePhabricator
Create Task
Maniphest T103022

OAuth IP restrictions only apply to Special:OAuth/initiate, not to general API requests
Closed, ResolvedPublic
Actions

Description

OAuth consumers are able to set IP restrictions, for example consumer 571d07e4e3a8209ee5e83f603e8c4f61 has the WMF IPs {"IPAddresses":["208.80.152.0/22","198.35.26.0/23","10.0.0.0/8"]} as usage restriction.

These IP restrictions only seem to work when negotiating a new client token over Special:OAuth/initiate. When I locally make an API request with an already existing client/access token I get a valid response and no error.

I stumbled upon this due to the tools outage.

Details

SubjectRepoBranchLines +/-
Check IP when communicating with Consumermediawiki/extensions/OAuthREL1_25+11 -0
Check IP when communicating with Consumermediawiki/extensions/OAuthREL1_24+11 -0
Check IP when communicating with Consumermediawiki/extensions/OAuthREL1_23+11 -0
Check IP when communicating with Consumermediawiki/extensions/OAuthREL1_26+11 -0
Check IP when communicating with Consumermediawiki/extensions/OAuthmaster+11 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy".Jun 18 2015, 10:04 PM
Maniphest changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 18 2015, 10:04 PM
Sitic created this task.Jun 18 2015, 10:04 PM
Sitic updated the task description. (Show Details)
Sitic added projects: MediaWiki-extensions-OAuth, MediaWiki-Action-API, acl*security.
Sitic changed Security from None to Software security bug.
Sitic edited subscribers, added: Sitic; removed: Aklapper.
Sitic mentioned this in T103023: API requests don't get validated if signed by the correct OAuth consumer.Jun 18 2015, 10:08 PM
csteipp claimed this task.Jun 18 2015, 11:00 PM
csteipp added subscribers: Anomie, csteipp.

Confirmed

T103022.patch1 KBDownload

@Anomie, I think that will cover the API calls and the call to /identify, but it would be great if you could sanity check it.

csteipp triaged this task as High priority.Jun 18 2015, 11:01 PM
csteipp added a project: Security-Team.
csteipp moved this task from Incoming to In Progress on the Security-Team board.
Anomie moved this task from Unsorted to Non-core-API stuff on the MediaWiki-Action-API board.Jun 19 2015, 4:05 PM
Anomie added a comment.Jun 19 2015, 4:13 PM
In T103022#1380816, @csteipp wrote:

Confirmed

T103022.patch1 KBDownload

@Anomie, I think that will cover the API calls and the call to /identify, but it would be great if you could sanity check it.

Looks sane, and I confirm that it looks like both the API code path and /identify call verify_request(). This also seems like the sensible place to put the check.

Haven't tested though.

csteipp added a comment.Jun 19 2015, 11:32 PM

@Sitic, do you have a local OAuth instance that you can test this patch and verify that it fixes the issue?

Sitic added a comment.Jun 21 2015, 12:15 PM
In T103022#1384375, @csteipp wrote:

@Sitic, do you have a local OAuth instance that you can test this patch and verify that it fixes the issue?

Tested locally, fixes the issue (getting The authorization headers in your request are not valid: <bad-source-ip> error now).

csteipp added a subscriber: mmodell.Jun 22 2015, 8:30 PM

@mmodell, can you deploy

T103022.patch1 KBDownload
and confirm when it's on production?

csteipp closed this task as Resolved.Jul 8 2015, 8:58 PM

20:56 csteipp: deployed patches for T103022 & T103023

csteipp moved this task from In Progress to Our Part Is Done on the Security-Team board.Oct 13 2015, 11:56 PM
csteipp added a parent task: T108064: MediaWiki Security release 1.25.3.Oct 16 2015, 4:57 PM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 16 2015, 10:34 PM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
ReleaseTaggerBot added a project: MW-1.27-release (WMF-deploy-2015-10-27_(1.27.0-wmf.4)).Oct 16 2015, 11:00 PM
csteipp added a comment.Nov 3 2015, 9:26 PM

Assigned CVE-2015-8008

Tgr mentioned this in T224919: Code Stewardship Review: OAuth extension.Jun 10 2019, 10:05 PM
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits