Fo0bar has uploaded a new change for review. https://gerrit.wikimedia.org/r/300761
Change subject: Provide additional protection against key name leaks ...................................................................... Provide additional protection against key name leaks The existence of a key name could be discovered by a timing attack, giving a very large input and seeing if the "invalid hash" comes back quickly or not. Mitigate this by, upon invalid key name, performing a dummy HMAC SHA256 against the input before returning the error. Also, provide extra options in the form of $wgSecureHTMLSpecialDropdown (default True) for Special:SecureHTML. If set to False, the key name input field becomes a text field instead of a dropdown. Thanks to Alyssa Milburn for discovering the potential timing attack. Change-Id: Id46419aa4a3a5dd6bc7fe9f8d5df7555d29c169f --- M SecureHTML.php M SpecialSecureHTML.php 2 files changed, 27 insertions(+), 13 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/SecureHTML refs/changes/61/300761/1
diff --git a/SecureHTML.php b/SecureHTML.php
index 90f1fd1..f585974 100644
--- a/SecureHTML.php
+++ b/SecureHTML.php
@@ -49,6 +49,9 @@
 if ( !isset( $wgSecureHTMLSpecialRight ) ) {
 $wgSecureHTMLSpecialRight = 'edit';
 }
+if ( !isset( $wgSecureHTMLSpecialDropdown ) ) {
+ $wgSecureHTMLSpecialDropdown = True;
+}
 if ( !isset( $wgSecureHTMLTag ) ) {
 $wgSecureHTMLTag = 'shtml';
 }
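Review bot: The new `$wgSecureHTMLSpecialDropdown` default of `True` in SecureHTML.php keeps every key name listed in the Special:SecureHTML dropdown, and the default just above it (`$wgSecureHTMLSpecialRight = 'edit'`) appears to open that page to any user who can edit. The timing mitigation elsewhere in this change therefore only protects key names once an administrator turns the dropdown off, and nothing next to the setting says so. A comment above the block would make the trade-off visible, for example `# Set to false to stop Special:SecureHTML from listing key names to users holding $wgSecureHTMLSpecialRight.` Writing the literal as lowercase `true` would also match the usual PHP style.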
@@ -95,9 +98,11 @@
 # Key secret configuration.
 $keyalgorithm = 'sha256';
 if ( !array_key_exists( $keyname, $wgSecureHTMLSecrets ) ) {
- # Respond with "invalid hash" instead of something like "invalid
- # key name", to avoid leaking the existence of a key name due to
- # dictionary attack.
+ # To avoid leaking the existence of a key name by unauthorized users,
+ # perform a dummy HMAC SHA256 (mitigate timing attacks), then
+ # respond with "invalid hash", instead of something like "invalid key
+ # name".
+ $testhash = hash_hmac( 'sha256', $input, '' );
 return( Html::rawElement( 'div', array( 'class' => 'error' ), wfMessage( 'securehtml-invalidhash' ) ) );
 }
 if ( is_array( $wgSecureHTMLSecrets[$keyname] ) ) {
diff --git a/SpecialSecureHTML.php b/SpecialSecureHTML.php
index 8121725..1915b85 100644
--- a/SpecialSecureHTML.php
+++ b/SpecialSecureHTML.php
@@ -9,6 +9,7 @@ function execute( $par ) { global $wgSecureHTMLSecrets; global $wgSecureHTMLTag; + global $wgSecureHTMLSpecialDropdown; $request = $this->getRequest(); $output = $this->getOutput(); 
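Review bot: The dummy `hash_hmac()` in the unknown-key branch of SecureHTML.php hard-codes `'sha256'` and an empty key, so it only mirrors the valid-key path if that path does exactly one SHA-256 HMAC over `$input`. The `is_array( $wgSecureHTMLSecrets[$keyname] )` branch that follows hints at per-key settings, and its body is outside the hunk, so any extra work done there would still show up as a timing difference. Using the variable set just above, `$testhash = hash_hmac( $keyalgorithm, $input, '' );`, at least keeps both paths on the same algorithm at this point. `$testhash` is never read, so a comment such as `# Result intentionally unused; computed only to equalise timing.` would keep a later cleanup from deleting the call. The comparison of the real hash is not visible here; it is worth confirming that it uses a constant-time compare such as `hash_equals()`.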
@@ -62,17 +63,25 @@ $output->addWikiText( wfMessage( 'securehtml-inputinstructions' ) ); $formDescriptor = array(); - $keyname_labels = array( - '' => '', - ); - foreach ( array_keys( $wgSecureHTMLSecrets ) as $skeyname ) { - $keyname_labels[$skeyname] = $skeyname; + + if ( $wgSecureHTMLSpecialDropdown ) { + $keyname_labels = array( + '' => '', + ); + foreach ( array_keys( $wgSecureHTMLSecrets ) as $skeyname ) { + $keyname_labels[$skeyname] = $skeyname; + } + $formDescriptor['securehtmlkeyname'] = array( + 'type' => 'select', + 'label-message' => 'securehtml-form-keyname', + 'options' => $keyname_labels, + ); + } else { + $formDescriptor['securehtmlkeyname'] = array( + 'type' => 'text', + 'label-message' => 'securehtml-form-keyname', + ); } - $formDescriptor['securehtmlkeyname'] = array( - 'type' => 'select', - 'label-message' => 'securehtml-form-keyname', - 'options' => $keyname_labels, - ); $formDescriptor['securehtmlkeysecret'] = array( 'type' => 'password', 'label-message' => 'securehtml-form-keysecret', -- To view, visit https://gerrit.wikimedia.org/r/300761 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Id46419aa4a3a5dd6bc7fe9f8d5df7555d29c169f Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/SecureHTML Gerrit-Branch: master Gerrit-Owner: Fo0bar <r...@finnie.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
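Review bot: In the `else` branch of SpecialSecureHTML.php the key name becomes free text, so the form handler must now treat an unknown `securehtmlkeyname` exactly like a wrong secret. That handler is outside this hunk, and `execute()` both starts before it and continues past it. If the handler reports an unknown name differently, or returns noticeably faster, the special page becomes the key-name oracle that the parser-hook change is meant to close. A comment on the branch would record the requirement, for example `# Free-text key name: the submit handler must give unknown names the same error as a bad secret.`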