CVE-2021-35197: Blocked users should not be able to issue purges (action=purge)
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	Legoktm
	Apr 15 2021, 8:37 AM

Description

I blocked a misbehaving bot on-wiki and it was still able to send purges via the API until its IP range was blocked through varnish. I expect that an account that is sitewide blocked is unable to issue purges via the API or index.php.

Details

Subject	Repo	Branch	Lines +/-
SECURITY: Prevent blocked users from purging pages	mediawiki/core	master	+8 -5
SECURITY: Prevent blocked users from purging pages	mediawiki/core	REL1_36	+9 -5
SECURITY: Prevent blocked users from purging pages	mediawiki/core	REL1_35	+10 -5
SECURITY: Prevent blocked users from purging pages	mediawiki/core	REL1_31	+10 -5

Customize query in gerrit

Related Objects
Search...

Status	Subtype	Assigned	Task
Resolved		Reedy	T279725 Release MediaWiki 1.31.15/1.35.3/1.36.1
Resolved		Reedy	T279726 Tracking bug for MediaWiki 1.31.15/1.35.3/1.36.1
Resolved	Security	Reedy	T280226 CVE-2021-35197: Blocked users should not be able to issue purges (action=purge)

Event Timeline

Legoktm created this task.Apr 15 2021, 8:37 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 15 2021, 8:37 AM

Legoktm added projects: Vuln-DoS, MediaWiki-Blocks, MediaWiki-Action-API.Apr 15 2021, 8:39 AM

• jcrespo awarded a token.Apr 15 2021, 8:55 AM

Public incident ticket: T280232

Fix to PurgeAction is very trivial... Just remove the requiresUnblock override.

Api is similarly easy, just re-use the code from ApiTag

		// Fail early if the user is sitewide blocked.
		$block = $user->getBlock();
		if ( $block && $block->isSitewide() ) {
			$this->dieBlocked( $block );
		}

Patch incoming.

T280226.patch1 KBDownload

Reedy added a project: SecTeam-Processed.Apr 15 2021, 2:23 PM

Reedy moved this task from Incoming to In Progress on the Security-Team board.

Krinkle removed a project: Wikimedia-production-error.Apr 15 2021, 7:37 PM

In T280226#7002478, @Reedy wrote:

T280226.patch1 KBDownload

Code-Review +2

sbassett moved this task from In Progress to Security Patch To Deploy on the Security-Team board.Apr 16 2021, 4:06 PM

Deployed to wmf.1. Also updated on T276237.

sbassett triaged this task as Low priority.Apr 19 2021, 9:06 PM

sbassett moved this task from Security Patch To Deploy to Our Part Is Done on the Security-Team board.

sbassett added a project: Vuln-MissingAuthz.

sbassett added a parent task: T279726: Tracking bug for MediaWiki 1.31.15/1.35.3/1.36.1.

sbassett moved this task from Our Part Is Done to Watching on the Security-Team board.May 17 2021, 6:34 PM

Plan is to get this out this week (well, tomorrow). So this patch will apply fine to 1.35 and 1.36 straight off.

For 1.31, the isSitewide wasn't added till 1.33... The change to PurgeAction is fine and can be applied as is.

Anyone got any preferred solution to this?

We could just use any block... Which seems probably the simplest way forward, as 1.31 has no concept of these other "types" of blocks, and is due to become EOL this month... But is being extended for one more quarter to meet our LTS overlap requirements.

		// Fail early if the user is blocked.
		$block = $user->getBlock();
		if ( $block ) {
			$this->dieBlocked( $block );
		}

Reedy mentioned this in T279732: Obtain CVEs for 1.31.15/1.35.3/1.36.1 security releases.Jun 22 2021, 12:50 PM

Reedy claimed this task.Jun 22 2021, 12:53 PM

Reedy renamed this task from Blocked users should not be able to issue purges (action=purge) to CVE-2021-35197: Blocked users should not be able to issue purges (action=purge).Jun 22 2021, 1:00 PM

Reedy added a subscriber: gerritbot.Jun 22 2021, 1:04 PM

+1 for if (any block exists)