Page MenuHomePhabricator
Create Task
Maniphest T36357

[SEVERE DESIGN PROBLEM] OpenID-created account owners cannot set their e-mail address and/or reset their password when the account lacks an e-mail address or password - race condition
Closed, DeclinedPublic
Actions

Description

Well, the subject say it all.

After fixing bug20185 ( Changing your email address should require entering your password, see https://bugzilla.wikimedia.org/show_bug.cgi?id=20185#c5 ) the following problem exists when using OpenID extension in the mode "OpenID only".

  1. when a user has added an account via OpenID, and no e-mail data was set-up (from OpenID provider to MediaWiki account)
  1. there is already the link "reset password" in Special:Preferences
  2. but user cannot set ("reset password") their password
  3. because they do not have an e-mail address
  4. The cannot set up their e-mail address (with MediaWiki methods), because they do not have a password (required since r92924 .

An ad-hoc solution is:

  • add your e-mail address in your OpenID account,
  • and let this data be updated in your MediaWiki account when logging in with OpenID.

Activate in Special:Preferences#mw-prefsection-openid -->
"Update the following information from OpenID persona every time I log in: E-mail address"

A) Log-out from MediaWiki.
B) Set in your OpenId account that you want to transmit your e-mail address when logging in on the trusted site (your MediaWiki)
C) Log-in to MediaWiki
D) in Special:Preferences you will find your e-mail address set up
E) click "Reset Password" to let the MediaWiki send you a temporary password
F) goto your mail program, get the temporary password
G) return to your MediaWiki,
H) login with the temporary password and change it with a regular one

related to bug29027 (solved) and depending on bug20185 .

I filed this bug for tracking.

Version: unspecified
Severity: normal
URL: https://www.mediawiki.org/wiki/Extension:OpenID
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=35121

Details

Reference
bz34357
TitleReferenceAuthorSource BranchDest Branch
patchforreview_remover: Add support for gitlab MRs in some reposladsgroup/Phabricator-maintenance-bot!6ladsgroupgitlab_mr_supportmaster
Update regex for gerrit change numbersladsgroup/Phabricator-maintenance-bot!5daimonawork/daimona/T363573master
Customize query in GitLab

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 12:11 AM
bzimport added a project: MediaWiki-extensions-OpenID.
bzimport set Reference to bz34357.
Wikinaut created this task.Feb 12 2012, 7:56 PM
Wikinaut added a comment.Feb 23 2013, 6:40 AM

This is *not* a blocker for wikis with OpenID as long as the standard password-login is not disabled ( $wgOpenIDOnly == false ).

Aklapper added a comment.Apr 15 2013, 11:07 AM

No changes / updates for five weeks here - is this really highest priority (which implies some urgency)?

Wikinaut added a comment.Apr 15 2013, 7:34 PM

this is a * yes- keep alive ping - busy with even more important thing - this is not cookie licking *

Wikinaut added a comment.May 7 2013, 6:49 AM

Downgraded to normal. No user has complained so far.

Wikinaut added a comment.May 7 2013, 6:51 AM

"high" is more appropriate.

Wikinaut added a comment.Oct 3 2013, 1:48 PM

In short, this is the

"I-cannot-set-up-my-e-mail-address-because-I-do-not-know-my-password" problem.

It came up when MediaWiki core changed and required the account password, when users want to set-up or change their e-mail address (which makes definitely sense for security reasons).

If someone can help to find a solution, pls. let me know a.s.a.p.

csteipp added a comment.Oct 3 2013, 9:59 PM

We may want to allow a hook to update that part of the interface, so we could have OpenID (or similar extensions) remove it, whereas other extensions might want to do a 2nd factor check there.

Aaron might have another idea, since he implemented the check (iirc).

Wikinaut added a comment.Oct 3 2013, 10:07 PM

(In reply to comment #7)

We may want to allow a hook to update that part of the interface, so we could
have OpenID (or similar extensions) remove it, whereas other extensions might
want to do a 2nd factor check there.

Aaron might have another idea, since he implemented the check (iirc).

ok.

Please be reminded, that I already introduced a special way for the special case of $wgOpenIDOnly==true

This was fixed in 2011 in https://bugzilla.wikimedia.org/show_bug.cgi?id=29027 . See https://bugzilla.wikimedia.org/show_bug.cgi?id=29027#c1 for a detailed description (copied to here for convenience):

"fixed in r88848 .

When having the OpenID extension, the preference window basic information is
changed. The section "Password" shows now links to

case i) Change Password and Reset Password:

if a password already exists

case ii) Reset Password only:

if no password has been set for this account yet, because the user opened their
account by OpenID - which setPassword( null )

This is at least one possible way and avoids modification of
Special:PasswordReset (there is no login page when only OpenID logins and
account creations are possible ($wgOpenIDOnly==true) or Special:ChangePassword
pages."

Wikinaut added a comment.Nov 13 2013, 8:43 PM

I will add this hardening ad-hoc fix to prevent problems in the future:

*Disallow* wiki account creation in the case

  • new user wants to create an account (with their OpenID) and
  • $wgOpenIDOnly=true (i.e. logins and account creations are only allowed via OpenID) and
  • no e-mail address present, or e-mail address fails the Sanitizer:validEmail() test.

This avoids any account creation without e-mail address, which makes sense because the user could not change ro setup their password without having a (confirmed) e-mail address in their wiki account.

Kghbln added a comment.Jun 12 2014, 7:47 AM

(In reply to T. Gries from comment #6)

In short, this is the

"I-cannot-set-up-my-e-mail-address-because-I-do-not-know-my-password"
problem.

It came up when MediaWiki core changed and required the account password,
when users want to set-up or change their e-mail address (which makes
definitely sense for security reasons).

If someone can help to find a solution, pls. let me know a.s.a.p.

Since MW 1.20.0 there is the $wgRequirePasswordforEmailChange parameter. Shouldn't this solve the issue. However, when talking about MW 1.19 we are still out of luck. However there are only 11 months of support left with the succeeding LTS already released.

[1] https://www.mediawiki.org/wiki/Manual:$wgRequirePasswordforEmailChange

Wikinaut added a comment.Jun 12 2014, 8:00 AM

@kgh thx for pointing me to this

Kghbln added a comment.Jun 12 2014, 8:34 AM

You are welcome. I wish I had seen this bug before. However the big Kudos go to Reedy who made this parameter reality. This one was a life-saver on several of my wikis.

Aklapper removed Wikinaut as the assignee of this task.Jun 18 2015, 2:08 PM
Aklapper subscribed.

[Resetting task assignee to avoid cookie-licking. Please reclaim the task when you plan to actively work on this task. Thanks!]

Kizule closed this task as Declined.Oct 25 2023, 2:34 PM
Kizule subscribed.

Per T322820: Archive the OpenID extension.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL