Page MenuHomePhabricator
Create Task
Maniphest T422142

EmailAuth: Redact account recovery token in log output
Closed, ResolvedPublic
Actions

Description

SpecialAccountRecovery::sendConfirmationEmail() logs the full 32-character hex confirmation token in plaintext:

$this->logger->info(
  'Account recovery request submitted for {username}',
  [
	  'username' => $ticketData['requester_name'],
	  'email' => $ticketData['requester_email'],
	  'token' => $token,   // full 32-char hex token
  ]
);

This token is the sole secret protecting the account recovery confirmation link (Special:AccountRecovery/confirm/{token}`). If logs are compromised or accessible to a wider audience than intended, an attacker could use the
token to submit Zendesk recovery tickets on behalf of users.

The auth provider already follows the correct pattern for its 6-digit verification code, logging only the first two characters:

'code' => substr( $token, 0, 2 ) . '...',

Recommendation: Apply the same redaction pattern to the recovery token:

'token' => substr( $token, 0, 4 ) . '...',

(4 characters is reasonable for a 32-char hex token ? enough to correlate log entries during debugging without exposing a usable secret.)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Redact account recovery token in log outputmediawiki/extensions/EmailAuthmaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

Arendpieter created this task.Apr 2 2026, 10:52 AM
Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptApr 2 2026, 10:52 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Apr 2 2026, 10:55 AM

Change #1266978 had a related patch set uploaded (by Arendpieter; author: Arendpieter):

[mediawiki/extensions/EmailAuth@master] Redact account recovery token in log output

https://gerrit.wikimedia.org/r/1266978

gerritbot added a project: Patch-For-Review.Apr 2 2026, 10:55 AM
Arendpieter added a subscriber: Tgr.May 13 2026, 7:43 AM

@Tgr Could you have a look? This is a really small patch.

Dreamy_Jazz edited projects, added: Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)); removed: Product Safety and Integrity.Fri, May 15, 10:22 AM
Dreamy_Jazz added a project: Essential-Work.
Dreamy_Jazz subscribed.

Adding Product Safety and Integrity sprint to track code review

Dreamy_Jazz closed this task as Resolved.Fri, May 15, 10:22 AM
Dreamy_Jazz moved this task from Backlog to Done on the Product Safety and Integrity (Sprint lily-of-the-valley (May 4 - May 22)) board.

Code review provided

gerritbot added a comment.Fri, May 15, 10:26 AM

Change #1266978 merged by jenkins-bot:

[mediawiki/extensions/EmailAuth@master] Redact account recovery token in log output

https://gerrit.wikimedia.org/r/1266978

jenkins-bot mentioned this in rEEMA22531bc2866d: Redact account recovery token in log output.Fri, May 15, 10:28 AM
Maintenance_bot removed a project: Patch-For-Review.Fri, May 15, 10:30 AM
ReleaseTaggerBot added a project: MW-1.47-notes (1.47.0-wmf.3; 2026-05-19).Fri, May 15, 11:00 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits