Bugs like T45518 where raw User objects are accidentally exposed would be much less frightening if things like the password hashes weren't included in the live object.
Ideally we should only look up a hash when comparing against it, and shouldn't keep it in memory the rest of the time.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | Tgr | T47716 Password hashes should not be stored in live User objects | |||
| Resolved | Anomie | T91699 Create AuthManager framework and core classes | |||
| Resolved | Joe | T97675 Custom session handler corrupted by session_destroy, "Failed to initialize storage module" | |||
| Resolved | Joe | T106483 Create new HHVM package for HHVM 3.6.5 + patches | |||
| Resolved | hashar | T106699 Upgrade HHVM related packages on Trusty Jenkins slaves | |||
| Resolved | bd808 | T95864 Mocking abstract objects fails on HHVM | |||
| Resolved | Anomie | T110274 Fix PHPUnit version incompatibility between AuthManager and Jenkins | |||
| Resolved | Krinkle | T99982 Upgrade PHPUnit to 4.0+ | |||
| Resolved | None | T90303 Fetch dependencies using composer instead of cloning mediawiki/vendor for non-wmf branches | |||
| Resolved | JanZerebecki | T106433 replace inline perl in builder wd-mw-composer-merged-install with a proper script | |||
| Resolved | Krinkle | T112895 Support installing composer require-dev packages together with mediawiki/vendor | |||
| Resolved | Tgr | T110628 Improve AuthManager documentation |
Change 236044 had a related patch set uploaded (by Anomie):
WIP: User: Mostly remove password handling
Almost completely removed in 236044, except for the case when User::setPassword() is called when there is no DB record for the user yet. In that case, the password (in cleartext - it would probably make sense to hash it immediately) is temporarily stored in the object until the next User::addToDatabase() call. Apart from the cleartext part, I don't think you can get better than that.
Change 246445 had a related patch set uploaded (by Gergő Tisza):
Hash the password early
Change 250020 had a related patch set uploaded (by Anomie):
Disallow User::setPassword() on users not in database
Change 246445 abandoned by Gergő Tisza:
Hash the password early
Reason:
That's a lot cleaner indeed, thanks!
Change 250020 merged by jenkins-bot:
Disallow User::setPassword() on users not in database
Change 250025 had a related patch set uploaded (by Gergő Tisza):
Avoid calling User::setPassword() on users not in database
Change 250025 merged by Gergő Tisza:
Avoid calling User::setPassword() on users not in database