[MediaWiki-commits] [Gerrit] mediawiki/core[REL1_27]: SECURITY: Do not reveal if user exists during login failure
Reedy has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/391377 ) Change subject: SECURITY: Do not reveal if user exists during login failure .. SECURITY: Do not reveal if user exists during login failure This is meant for private wikis where the list of users may be secret. It is only meant to prevent trivial enumeration of usernames. It is not designed to prevent enumeration via timing attacks. Bug: T134100 Change-Id: I7afaa955a4b393ef00b11e420709bd62b84fbc71 --- M RELEASE-NOTES-1.27 M includes/auth/LocalPasswordPrimaryAuthenticationProvider.php M languages/i18n/en.json 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27 index 753c7a8..1936d73 100644 --- a/RELEASE-NOTES-1.27 +++ b/RELEASE-NOTES-1.27 @@ -22,6 +22,7 @@ sends non-standard url escaping. * (T165846) SECURITY: BotPassword login attempts weren't throttled. * (T128209) SECURITY: Reflected File Download from api.php. +* (T134100) SECURITY: Do not reveal if user exists during login failure. == MediaWiki 1.27.3 == Due to a packaging error, the wrong version of the SyntaxHighlight extension was diff --git a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php index 5f5ef79..3f96cba 100644 --- a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php +++ b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php @@ -96,7 +96,10 @@ __METHOD__ ); if ( !$row ) { - return AuthenticationResponse::newAbstain(); + // Do not reveal whether its bad username or + // bad password to prevent username enumeration + // on private wikis. (T134100) + return $this->failResponse( $req ); } // Check for *really* old password hashes that don't even have a type diff --git a/languages/i18n/en.json b/languages/i18n/en.json index 1f5c9ed..0d72330 100644 --- a/languages/i18n/en.json +++ b/languages/i18n/en.json 
@@ -482,7 +482,7 @@ "nosuchusershort": "There is no user by the name \"$1\".\nCheck your spelling.", "nouserspecified": "You have to specify a username.", "login-userblocked": "This user is blocked. Login not allowed.", - "wrongpassword": "Incorrect password entered.\nPlease try again.", + "wrongpassword": "Incorrect username or password entered.\nPlease try again.", "wrongpasswordempty": "Password entered was blank.\nPlease try again.", "passwordtooshort": "Passwords must be at least {{PLURAL:$1|1 character|$1 characters}}.", "passwordtoolong": "Passwords cannot be longer than {{PLURAL:$1|1 character|$1 characters}}.", -- To view, visit https://gerrit.wikimedia.org/r/391377 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I7afaa955a4b393ef00b11e420709bd62b84fbc71 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_27 Gerrit-Owner: ReedyGerrit-Reviewer: Brian Wolff Gerrit-Reviewer: Reedy ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
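Review bot: the RELEASE-NOTES-1.27 entry names the fix but not its visible effect, and wikis that have overridden the `wrongpassword` message locally will keep the old "Incorrect password entered" text and so keep revealing which usernames exist. Suggest extending the note along the lines of `* (T134100) SECURITY: Do not reveal if user exists during login failure. The "wrongpassword" message now reads "Incorrect username or password entered"; wikis that override it should update their copy.`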
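Review bot: in the LocalPasswordPrimaryAuthenticationProvider.php hunk, replacing `return AuthenticationResponse::newAbstain();` with `return $this->failResponse( $req );` for the no-row case changes how this provider interacts with any other primary providers on the wiki: if a fail response stops the attempt where an abstain would have let the next provider try, a user who exists only in another backend could be locked out. Please confirm that `failResponse()` still abstains when this provider is not authoritative, or gate the new return on that. Two smaller points: the comment should read "whether it's a bad username", and since the early return still skips the password hash check that follows, the unknown-user path stays faster than the wrong-password path; the commit message already scopes timing attacks out, but stating that in the code comment would save the next reader from treating it as an oversight.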
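Review bot: the en.json hunk changes the meaning of `wrongpassword`, not just its wording, so the message documentation in `qqq.json` should be updated in the same change so translators know it now covers both an unknown username and a wrong password. Also, the neighbouring `nosuchusershort` message ("There is no user by the name \"$1\"") is left untouched; please double-check that no remaining login path still emits it for an unknown username, since that would undo the effect of this patch.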
[MediaWiki-commits] [Gerrit] mediawiki/core[REL1_27]: SECURITY: Do not reveal if user exists during login failure
Reedy has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/391377 ) Change subject: SECURITY: Do not reveal if user exists during login failure .. SECURITY: Do not reveal if user exists during login failure This is meant for private wikis where the list of users may be secret. It is only meant to prevent trivial enumeration of usernames. It is not designed to prevent enumeration via timing attacks. Bug: T134100 Change-Id: I7afaa955a4b393ef00b11e420709bd62b84fbc71 --- M RELEASE-NOTES-1.27 M includes/auth/LocalPasswordPrimaryAuthenticationProvider.php M languages/i18n/en.json 3 files changed, 6 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core refs/changes/77/391377/1 diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27 index 753c7a8..1936d73 100644 --- a/RELEASE-NOTES-1.27 +++ b/RELEASE-NOTES-1.27 @@ -22,6 +22,7 @@ sends non-standard url escaping. * (T165846) SECURITY: BotPassword login attempts weren't throttled. * (T128209) SECURITY: Reflected File Download from api.php. +* (T134100) SECURITY: Do not reveal if user exists during login failure. == MediaWiki 1.27.3 == Due to a packaging error, the wrong version of the SyntaxHighlight extension was diff --git a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php index 5f5ef79..3f96cba 100644 --- a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php +++ b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php @@ -96,7 +96,10 @@ __METHOD__ ); if ( !$row ) { - return AuthenticationResponse::newAbstain(); + // Do not reveal whether its bad username or + // bad password to prevent username enumeration + // on private wikis. (T134100) + return $this->failResponse( $req ); } // Check for *really* old password hashes that don't even have a type diff --git a/languages/i18n/en.json b/languages/i18n/en.json index 1f5c9ed..0d72330 100644 --- a/languages/i18n/en.json 
+++ b/languages/i18n/en.json @@ -482,7 +482,7 @@ "nosuchusershort": "There is no user by the name \"$1\".\nCheck your spelling.", "nouserspecified": "You have to specify a username.", "login-userblocked": "This user is blocked. Login not allowed.", - "wrongpassword": "Incorrect password entered.\nPlease try again.", + "wrongpassword": "Incorrect username or password entered.\nPlease try again.", "wrongpasswordempty": "Password entered was blank.\nPlease try again.", "passwordtooshort": "Passwords must be at least {{PLURAL:$1|1 character|$1 characters}}.", "passwordtoolong": "Passwords cannot be longer than {{PLURAL:$1|1 character|$1 characters}}.", -- To view, visit https://gerrit.wikimedia.org/r/391377 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I7afaa955a4b393ef00b11e420709bd62b84fbc71 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/core Gerrit-Branch: REL1_27 Gerrit-Owner: ReedyGerrit-Reviewer: Brian Wolff ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits