Page MenuHomePhabricator
Create Task
Maniphest T69210

nsToken GET parameter to Special:Search should be a salted version of the edit token instead of just plain edit token
Closed, ResolvedPublic
Actions

Description

patch to salt the token

(Going back and forth if I should file under security. Decided to err on the side of caution, but this really isn't a serious issue, just something that should be done as a precaution)

Special:Search has an nsToken parameter, that's the same as edit token. Its used for saving namespace selection to preferences. The parameter is passed as a GET parameter. Since edit tokens are secret and GET parameters can end up showing up in public places (If people copy paste urls, log files, etc), the token should be salted like we do with "watch this page" tokens.

For reference, change is in commit 5dc4dc099d8799cf98dc

Version: unspecified
Severity: normal

Attached:

nstoken.patch1 KBDownload

Details

Reference
bz67210

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:30 AM
bzimport added a project: MediaWiki-Search.
bzimport set Reference to bz67210.
bzimport added a subscriber: Unknown Object (MLST).
Bawolff created this task.Jun 27 2014, 7:21 PM
csteipp added a comment.Jun 27 2014, 8:23 PM

Yes, please. Since there's no threat of stealing the token directly, I'm fine if this is made public (we can put the patch in gerrit, etc). But we really should be salting the token as a standard hardening / precaution.

Thanks Bawolff!

Nemo_bis added a comment.Jun 27 2014, 9:09 PM

Sorry. I did think the token was going to make the URL uglier to share but I neglected to think it could be reused.

gerritbot added a comment.Jun 29 2014, 4:01 PM

Change 142900 had a related patch set uploaded by Brian Wolff:
Salt the "nsToken" used for Special:Search namespace remembering

https://gerrit.wikimedia.org/r/142900

gerritbot added a comment.Jun 30 2014, 7:28 PM

Change 142900 merged by jenkins-bot:
Salt the "nsToken" used for Special:Search namespace remembering

https://gerrit.wikimedia.org/r/142900

csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
Restricted Application added a project: Discovery-Search. · View Herald TranscriptFeb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL