Page MenuHomePhabricator
Create Task
Maniphest T424520

Add validation to length of oathauth_devices.oad_data
Closed, ResolvedPublic
Actions

Description

Similar to T260636: OAuth doesn't validate length of grants fields/T277379: OAuth doesn't validate length of oarc_grants and oarc_oauth2_allowed_grants JSON, and T260633: BotPasswords doesn't validate length of resultant bp_grants JSON before it, we should add validation that the length of oathauth_devices.oad_data doesn't end up larger than the maximum length:

			{
				"name": "oad_data",
				"comment": "Data",
				"type": "blob",
				"options": { "length": 65530, "notnull": false }
			}

Useful for T108255: Enable MariaDB/MySQL's Strict Mode down the line for WMF wikis, but also prevents issues in dev wikis etc.

As it is possible to also set OATHMaxRecoveryCodesCount and OATHRecoveryCodesCount to large values, it is possible for this overflow the length of the DB field.

While this is mostly theoretical, 10 encrypted recovery codes takes up 664 characters.

A recovery code when encrypted takes 59 characters, so (65530-664)/59 would be ~1100 more (encrypted) recovery codes to be somewhere near the limit.

This is without other changes to the schema or similar in the future, which may increase the data size in other ways.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
OATHUserRepository: Add oad_data length validationmediawiki/extensions/OATHAuthmaster+20 -2
Customize query in gerrit

Related Objects

Event Timeline

Reedy created this task.Apr 27 2026, 1:39 PM
Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptApr 27 2026, 1:39 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Reedy updated the task description. (Show Details)Apr 27 2026, 1:44 PM
Reedy updated the task description. (Show Details)
Reedy moved this task from Backlog to Features/Improvements on the MediaWiki-extensions-OATHAuth board.Apr 27 2026, 3:20 PM
gerritbot added a comment.May 6 2026, 7:21 PM

Change #1283899 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] OATHUserRepository: Add oad_data length validation

https://gerrit.wikimedia.org/r/1283899

gerritbot added a project: Patch-For-Review.May 6 2026, 7:21 PM
gerritbot added a comment.Tue, May 26, 11:41 PM

Change #1283899 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] OATHUserRepository: Add oad_data length validation

https://gerrit.wikimedia.org/r/1283899

Reedy closed this task as Resolved.Tue, May 26, 11:42 PM
Reedy claimed this task.
Maintenance_bot removed a project: Patch-For-Review.Wed, May 27, 12:31 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits