Page MenuHomePhabricator
Create Task
Maniphest T425800

AccountRecovery description field should be delimited in Zendesk ticket
Closed, ResolvedPublicSecurity
Actions

Description

A user submitting an account recovery request can put arbitrary text into the "description" field, which they could use to forge additional fields below the description and attempt to trick the person reading the ticket.

We should delimit the description field in the ticket body, putting it in between a banner, something like this:

=== Begin user-supplied description (untrusted) ===
{description}
=== End user-supplied description ===

(This task is based on a security review of Special:AccountRecovery that @kostajh did using Claude Code.)

Details

Risk Rating
Medium
Author Affiliation
WMF Product
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add delimiter to AccountRecovery description fieldmediawiki/extensions/EmailAuthmaster+6 -1
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedSecurityMstylesT425800 AccountRecovery description field should be delimited in Zendesk ticket

Event Timeline

Catrope created this task.May 8 2026, 5:06 PM
Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptMay 8 2026, 5:06 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
sbassett changed the task status from Open to In Progress.May 11 2026, 4:32 PM
sbassett assigned this task to Mstyles.
sbassett triaged this task as Medium priority.
sbassett moved this task from Incoming to In Progress on the Security-Team board.
sbassett added a project: SecTeam-Processed.
sbassett moved this task from Inbox to Triaged (backlog) on the Product Safety and Integrity board.
Mstyles added a comment.May 12 2026, 4:32 PM

Any objections to posting this on Gerrit?

Mstyles added a subscriber: gerritbot.May 12 2026, 6:35 PM

Posted on gerrit - https://gerrit.wikimedia.org/r/c/mediawiki/extensions/EmailAuth/+/1286455

gerritbot added a comment.Thu, May 14, 3:05 PM

Change #1286455 merged by jenkins-bot:

[mediawiki/extensions/EmailAuth@master] Add delimiter to AccountRecovery description field

https://gerrit.wikimedia.org/r/1286455

jenkins-bot mentioned this in rEEMAab62372e35f6: Add delimiter to AccountRecovery description field.Thu, May 14, 3:05 PM
sbassett closed this task as Resolved.Thu, May 14, 3:06 PM
sbassett moved this task from Triaged (backlog) to Done (waiting deployment) on the Product Safety and Integrity board.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.
ReleaseTaggerBot added a project: MW-1.47-notes (1.47.0-wmf.3; 2026-05-19).Thu, May 14, 4:00 PM
A_smart_kitten added a project: MediaWiki-extensions-EmailAuth.Thu, May 14, 4:23 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits