Fo0bar has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/300761

Change subject: Provide additional protection against key name leaks
......................................................................

Provide additional protection against key name leaks

The existence of a key name could be discovered by a timing attack, giving a
very large input and seeing if the "invalid hash" comes back quickly or not.
Mitigate this by, upon invalid key name, performing a dummy HMAC SHA256
against the input before returning the error.

Also, provide extra options in the form of $wgSecureHTMLSpecialDropdown
(default True) for Special:SecureHTML.  If set to False, the key name input
field becomes a text field instead of a dropdown.

Thanks to Alyssa Milburn for discovering the potential timing attack.

Change-Id: Id46419aa4a3a5dd6bc7fe9f8d5df7555d29c169f
---
M SecureHTML.php
M SpecialSecureHTML.php
2 files changed, 27 insertions(+), 13 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/SecureHTML refs/changes/61/300761/1

diff --git a/SecureHTML.php b/SecureHTML.php
index 90f1fd1..f585974 100644
--- a/SecureHTML.php
+++ b/SecureHTML.php
@@ -49,6 +49,9 @@
 if ( !isset( $wgSecureHTMLSpecialRight ) ) {
        $wgSecureHTMLSpecialRight = 'edit';
 }
+if ( !isset( $wgSecureHTMLSpecialDropdown ) ) {
+       $wgSecureHTMLSpecialDropdown = True;
+}
 if ( !isset( $wgSecureHTMLTag ) ) {
        $wgSecureHTMLTag = 'shtml';
 }
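Review bot: The new default on the added line "$wgSecureHTMLSpecialDropdown = True;" uses a capitalised boolean; MediaWiki code conventionally writes lowercase "true", so this should be "$wgSecureHTMLSpecialDropdown = true;". The setting is also added without a comment, unlike its purpose would warrant: a one-line note that it switches the key name field on Special:SecureHTML between a dropdown of configured key names and a free-text field would tell an administrator that it controls whether key names are shown.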
@@ -95,9 +98,11 @@
        # Key secret configuration.
        $keyalgorithm = 'sha256';
        if ( !array_key_exists( $keyname, $wgSecureHTMLSecrets ) ) {
-               # Respond with "invalid hash" instead of something like "invalid
-               # key name", to avoid leaking the existence of a key name due to
-               # dictionary attack.
+               # To avoid leaking the existence of a key name by unauthorized 
users,
+               # perform a dummy HMAC SHA256 (mitigate timing attacks), then
+               # respond with "invalid hash", instead of something like 
"invalid key
+               # name".
+               $testhash = hash_hmac( 'sha256', $input, '' );
                return( Html::rawElement( 'div', array( 'class' => 'error' ), 
wfMessage( 'securehtml-invalidhash' ) ) );
        }
        if ( is_array( $wgSecureHTMLSecrets[$keyname] ) ) {
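Review bot: The dummy call in the unknown-key branch hardcodes 'sha256' although $keyalgorithm is assigned the same value a few lines above; pass $keyalgorithm instead so the dummy work cannot drift from the real path if the algorithm is changed. The result stored in $testhash is never read, so either drop the assignment or say in the comment that the value is deliberately discarded. The following context line, "if ( is_array( $wgSecureHTMLSecrets[$keyname] ) ) {", shows that a key name may carry more than one secret; if the valid path computes one HMAC per secret, a single dummy HMAC narrows the timing gap for large input but does not close it, and the comment should say so or the dummy work should be matched to the real path.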
diff --git a/SpecialSecureHTML.php b/SpecialSecureHTML.php
index 8121725..1915b85 100644
--- a/SpecialSecureHTML.php
+++ b/SpecialSecureHTML.php
@@ -9,6 +9,7 @@
        function execute( $par ) {
                global $wgSecureHTMLSecrets;
                global $wgSecureHTMLTag;
+               global $wgSecureHTMLSpecialDropdown;
 
                $request = $this->getRequest();
                $output = $this->getOutput();
@@ -62,17 +63,25 @@
                $output->addWikiText( wfMessage( 'securehtml-inputinstructions' 
) );
 
                $formDescriptor = array();
-               $keyname_labels = array(
-                       '' => '',
-               );
-               foreach ( array_keys( $wgSecureHTMLSecrets ) as $skeyname ) {
-                       $keyname_labels[$skeyname] = $skeyname;
+
+               if ( $wgSecureHTMLSpecialDropdown ) {
+                       $keyname_labels = array(
+                               '' => '',
+                       );
+                       foreach ( array_keys( $wgSecureHTMLSecrets ) as 
$skeyname ) {
+                               $keyname_labels[$skeyname] = $skeyname;
+                       }
+                       $formDescriptor['securehtmlkeyname'] = array(
+                               'type' => 'select',
+                               'label-message' => 'securehtml-form-keyname',
+                               'options' => $keyname_labels,
+                       );
+               } else {
+                       $formDescriptor['securehtmlkeyname'] = array(
+                               'type' => 'text',
+                               'label-message' => 'securehtml-form-keyname',
+                       );
                }
-               $formDescriptor['securehtmlkeyname'] = array(
-                       'type' => 'select',
-                       'label-message' => 'securehtml-form-keyname',
-                       'options' => $keyname_labels,
-               );
                $formDescriptor['securehtmlkeysecret'] = array(
                        'type' => 'password',
                        'label-message' => 'securehtml-form-keysecret',
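Review bot: With $wgSecureHTMLSpecialDropdown at its default, the 'select' branch still fills 'options' from array_keys( $wgSecureHTMLSecrets ), so every key name is listed to any user who can reach this form, and the timing mitigation in SecureHTML.php only keeps key names private once the setting is false; that dependency should be documented where the setting is defined. Separately, "'label-message' => 'securehtml-form-keyname'," is repeated in both branches: build the common descriptor once and add 'type' and 'options' conditionally to avoid the duplication.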

-- 
To view, visit https://gerrit.wikimedia.org/r/300761

Gerrit-MessageType: newchange
Gerrit-Change-Id: Id46419aa4a3a5dd6bc7fe9f8d5df7555d29c169f
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/SecureHTML
Gerrit-Branch: master
Gerrit-Owner: Fo0bar <r...@finnie.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
