
Add CSRF checks to Special:CreateCategory
Closed, ResolvedPublic

Description

Add and check CSRF token in form

Special:CreateCategory doesn't add and validate an anti-CSRF token in the form. Logged in users can be tricked into creating categories by visiting a site that makes a request on behalf of the user.

Basic patch attached, but I don't have a system to test this available. Can someone check this?


Version: unspecified
Severity: normal
URL: https://bugzilla.mozilla.org/show_bug.cgi?id=928470

Details

Reference
bz57025

Related Objects

Status: Resolved
Assigned: Yaron_Koren

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 2:37 AM
bzimport set Reference to bz57025.

Reported by Ravindra Singh Rathore to Mozilla.

Hi Chris,

Thanks for this patch! A few questions and comments:

  • It looks like the method User::getEditToken() was only added in MediaWiki 1.19 - Semantic Forms currently supports MW 1.17 and higher, so there would need to be an "if" statement to only apply this handling if for MW 1.19 and higher.
  • Would there be a benefit to displaying an error message if the token validation fails, instead of just ignoring the attempt as the current patch seems to do?
  • Semantic Forms defines four other special pages with similar forms: CreateProperty, CreateTemplate, CreateForm and CreateClass. I assume they could all similarly benefit from an anti-CSRF check?
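A sketch of the token handling this thread describes, added here as an illustration; it is not the patch attached to this bug nor Semantic Forms' own code. It assumes MediaWiki's User::getEditToken() and User::matchEditToken(), Html::hidden(), the conventional wpEditToken field name and the core sessionfailure message; the sf-prefixed function names are hypothetical.

```php
<?php
/**
 * Added illustration of the anti-CSRF handling discussed in this bug.
 * Not the attached patch or Semantic Forms' own code. Assumes MediaWiki's
 * User::getEditToken() / User::matchEditToken() and Html::hidden(); the
 * field name 'wpEditToken' is MediaWiki's conventional one.
 */

// User::getEditToken() only exists on MW 1.19+; older cores get no check,
// which is the version gating suggested in the thread.
function sfCsrfSupported( $user ) {
	return method_exists( $user, 'getEditToken' );
}

// Hidden field to emit inside the form (empty on old cores so the form
// renders unchanged there).
function sfCsrfTokenField( $user ) {
	if ( !sfCsrfSupported( $user ) ) {
		return '';
	}
	return Html::hidden( 'wpEditToken', $user->getEditToken() );
}

// Called on POST before creating anything. True means the request may
// proceed; false means the token is missing, forged or stale.
function sfCsrfTokenValid( $user, $request ) {
	if ( !sfCsrfSupported( $user ) ) {
		return true; // no token support on this core; behave as before
	}
	return $user->matchEditToken( $request->getVal( 'wpEditToken' ) );
}

// Shape of the handling for each of the five Create* special pages:
// render the field on GET, verify on POST, and tell the user why a
// submission was rejected rather than silently ignoring it.
function sfHandleCreateForm( $user, $request, $out ) {
	if ( $request->wasPosted() ) {
		if ( !sfCsrfTokenValid( $user, $request ) ) {
			$out->addWikiMsg( 'sessionfailure' );
			return false;
		}
		// ... create the category/property/template/form/class page ...
		return true;
	}
	$out->addHTML( '<form method="post">' . sfCsrfTokenField( $user )
		. '<!-- remaining form fields -->' . '</form>' );
	return true;
}
```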

Yaron,

Yeah, feel free to update the patch. That was just something quick to address the issue. I wasn't sure how actively the extension is maintained.

If you can get a patch today, I'll add a note about it in the upcoming security release. Typically, just add a patch here, and we'll push it into gerrit when we make the announcement.

Or, if you need more time, we'll add it to the next one.

(In reply to comment #2)

  • Semantic Forms defines four other special pages with similar forms: CreateProperty, CreateTemplate, CreateForm and CreateClass. I assume they could all similarly benefit from an anti-CSRF check?

And yes, definitely, to this.

Okay, this security vulnerability has now been fixed for those five special pages, for MW 1.19 and higher. Thanks for the patch!

I have to say that I was surprised by the comment about announcing this in a security release - I wasn't aware that the WMF ever made announcements about non-WMF extensions, security-related or otherwise.

(In reply to comment #5)

I have to say that I was surprised by the comment about announcing this in a security release - I wasn't aware that the WMF ever made announcements about non-WMF extensions, security-related or otherwise.

We don't. This is weird to me too :)

Thanks Yaron, can you add links to the gerrit patches that fixed this?

(In reply to comment #6)

(In reply to comment #5)

I have to say that I was surprised by the comment about announcing this in a security release - I wasn't aware that the WMF ever made announcements about non-WMF extensions, security-related or otherwise.

We don't. This is weird to me too :)

We're using SemanticForms on Wikitech, so I assumed we treated it like a WMF-deployed extension. It's also widely enough deployed that I'll probably mention it when we do the release.

Adding Ryan/Coren so they can get wikitech patched.

Yes, you found it. Well, it's nice to hear that SF is considered (by some) to be a WMF extension!