
Editing raw HTML messages does not require reauthentication
Closed, ResolvedPublicSecurity

Description

Filing this as a security task for now out of precaution, but I'm also fine if it is made public, as reauthentication is a preventive measure and does not directly fix/prevent any vulnerabilities.

Based on the code at https://github.com/wikimedia/mediawiki-extensions-WikimediaCustomizations/blob/fff55eff4102a868f66bc2265d09b9e2ab082add/src/ForceReauth/ForceReauthHookHandler.php, it is currently not required to reauthenticate when editing a raw HTML message (e.g. MediaWiki:Mobile-frontend-editor-editing-page). However, JS can also be executed through raw HTML messages, so it doesn't make a lot of sense that editing JS requires reauthentication but editing raw HTML doesn't.

(I don't have editinterface on any WMF wiki, so I can't verify whether that's actually the case or if there is some other code somewhere that fixes this)

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:

Event Timeline

Restricted Application added subscribers: jhsoby, Aklapper.

(I don't have editinterface on any WMF wiki, so I can't verify whether that's actually the case or if there is some other code somewhere that fixes this)

@LucasWerkmeister is an interface admin on Commons and can confirm that editing MediaWiki:Mobile-frontend-editor-editing-page, unlike editing MediaWiki:Gadget-ACDC.js, does not prompt for reconfirmation. (That said, they haven’t tried actually making an edit, so it’s still possible that there’s a reauthentication in the submit flow – though that seems unlikely.)

Thanks for confirming!

SomeRandomDeveloper renamed this task from "Editing raw HTML messages does (presumably) not require reauthentication" to "Editing raw HTML messages does not require reauthentication". Wed, May 20, 11:08 PM

That's right, reauthentication is currently only required for editing .js pages in the MW namespace. We'll consider whether to expand reauth to the entire MW namespace in the near future. I don't think it would be feasible to require it only for raw HTML messages, because MW doesn't really track those as such.

[...] I don't think it would be feasible to require it only for raw HTML messages, because MW doesn't really track those as such.

Wouldn't it be possible to just check $title->isRawHtmlMessage() (which checks if the title is in the MediaWiki namespace and listed in $wgRawHtmlMessages) in the hook handler, and treat the page as a site JS page if isRawHtmlMessage returns true?

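The check proposed in the comment above, written out as an added illustration (this is not the WikimediaCustomizations patch or any MediaWiki core code). To stay runnable outside MediaWiki, `Title::isRawHtmlMessage()` and `Title::isSiteJsConfigPage()` are modelled here as plain functions over the same inputs the real methods use (namespace, DB key, `$wgRawHtmlMessages`); the message list and the sample titles are constructed for the example, and `editRequiresReauth()` is a hypothetical name for the decision a ForceReauth-style hook handler would make.

```php
<?php
// Added illustration, not project code: decide whether an edit must be gated
// behind reauthentication, treating raw HTML messages like site JS pages
// because both can carry script.
//
// In a real hook handler you would call $title->isSiteJsConfigPage() and
// $title->isRawHtmlMessage() directly; they are modelled here so the file
// runs without MediaWiki.

const NS_MEDIAWIKI = 8;

// Constructed sample of $wgRawHtmlMessages for this example; the real list
// comes from site configuration.
$wgRawHtmlMessages = [
    'copyrightwarning',
    'copyrightwarning2',
    'mobile-frontend-editor-editing-page',
];

/**
 * Model of Title::isRawHtmlMessage(): MediaWiki namespace and the root
 * message key (lowercase-first, subpages such as /de inherit from the root)
 * listed in $wgRawHtmlMessages.
 */
function isRawHtmlMessage( int $ns, string $dbKey, array $rawHtmlMessages ): bool {
    if ( $ns !== NS_MEDIAWIKI ) {
        return false;
    }
    $root = explode( '/', $dbKey, 2 )[0];
    return in_array( lcfirst( $root ), $rawHtmlMessages, true );
}

/**
 * Simplified model of Title::isSiteJsConfigPage(): MediaWiki namespace and a
 * .js title (core decides via the page's content model, not the suffix).
 */
function isSiteJsConfigPage( int $ns, string $dbKey ): bool {
    return $ns === NS_MEDIAWIKI && str_ends_with( $dbKey, '.js' );
}

/**
 * Hypothetical policy function: the page is treated as a site JS page for
 * reauthentication purposes if it is site JS OR a raw HTML message.
 */
function editRequiresReauth( int $ns, string $dbKey, array $rawHtmlMessages ): bool {
    return isSiteJsConfigPage( $ns, $dbKey )
        || isRawHtmlMessage( $ns, $dbKey, $rawHtmlMessages );
}

// Constructed titles exercising each branch of the decision.
$cases = [
    [ NS_MEDIAWIKI, 'Gadget-ACDC.js' ],                         // site JS: reauth
    [ NS_MEDIAWIKI, 'Mobile-frontend-editor-editing-page' ],    // raw HTML message: reauth
    [ NS_MEDIAWIKI, 'Mobile-frontend-editor-editing-page/de' ], // subpage of a raw HTML message: reauth
    [ NS_MEDIAWIKI, 'Sidebar' ],                                // ordinary interface message: no reauth
    [ 0, 'Gadget-ACDC.js' ],                                    // main namespace, not a config page: no reauth
];
foreach ( $cases as [ $ns, $dbKey ] ) {
    $decision = editRequiresReauth( $ns, $dbKey, $wgRawHtmlMessages ) ? 'reauth' : 'no reauth';
    printf( "%-48s %s\n", "ns{$ns}:{$dbKey}", $decision );
}
```

The subpage case matters in practice: translated variants of a raw HTML message (for example a `/de` subpage) render the same way as the root message, so a check that only compared the full DB key against the list would leave them ungated.
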
Whoops, you're right, I forgot that that existed. And it looks like editing these does indeed require the editsitejs right. I'll write a patch for this today then.

sbassett changed the task status from Open to In Progress. Tue, May 26, 4:05 PM
sbassett triaged this task as Medium priority.
sbassett moved this task from Back Orders to In Progress on the Security-Team board.

Change #1293764 merged by jenkins-bot:

[mediawiki/extensions/WikimediaCustomizations@master] ForceReauth: Also require reauth for editing raw HTML messages

https://gerrit.wikimedia.org/r/1293764

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.