Page MenuHomePhabricator
Create Task
Maniphest T56677

Do account creation checks when creating users
Closed, DeclinedPublic
Actions

Description

It doesn't look like SpecialOpenIDLogin.body.php is doing the same checks that MediaWiki core is doing on account creation. I'm not sure if vandals could abuse this, but it would be good to check.

Specific checks that need to happen (apologies if I've missed these somewhere else):

  • Username needs to valid against the 'creatable' checks, so some thing like

$u = User::newFromName( $name, 'creatable' );
if ( !is_object( $u ) ) {

		return null;
  • The AbortNewAccount hook should be run
  • IP throttle needs to be checked
  • Make sure the email passes Sanitizer::validateEmail()

Thanks!

Version: master
Severity: normal
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=56660
https://bugzilla.wikimedia.org/show_bug.cgi?id=46617

Details

Reference
bz54677

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 2:20 AM
bzimport added a project: MediaWiki-extensions-OpenID.
bzimport set Reference to bz54677.
csteipp created this task.Sep 27 2013, 3:05 AM
Wikinaut added a comment.Sep 27 2013, 6:33 AM

Thanks for reporting and giving starting points. I will try to fix this as soon as possible.

gerritbot added a comment.Nov 12 2013, 11:59 PM

Change 95076 had a related patch set (by Wikinaut) published:
Bug 54677: Do account creation checks when creating users

https://gerrit.wikimedia.org/r/95076

gerritbot added a comment.Nov 15 2013, 8:37 PM

Change 95076 merged by Wikinaut:
Bug 54677: (partial) check email addresses Sanitizer::validateEmail()

https://gerrit.wikimedia.org/r/95076

Aklapper removed Wikinaut as the assignee of this task.Jun 18 2015, 2:08 PM
Aklapper subscribed.

[Resetting task assignee to avoid cookie-licking. Please reclaim the task when you plan to actively work on this task. Thanks!]

Kizule closed this task as Declined.Oct 25 2023, 2:36 PM
Kizule subscribed.

Per T322820: Archive the OpenID extension.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL