SECURITY: Do not treat autocreation as login for reauthentication

CVE-2025-6597

Autocreation doesn't necessarily involve real-time user
identification; it can be based on some provider identifying the
user from a session cookie or similar low-fidelity information.
Do not restart the reauthentication timer.

Bug: T389009
Change-Id: Icfb4d0ffe71a92421e8630a92ae302cc459aa9d6
This commit is contained in:
Gergő Tisza 2025-03-23 20:33:17 +01:00 committed by Reedy
parent 35edc6c2b1
commit 3340302f40


@ -1961,7 +1961,7 @@ class AuthManager implements LoggerAwareInterface {
$user->loadFromId( IDBAccessObject::READ_LATEST ); $user->loadFromId( IDBAccessObject::READ_LATEST );
if ( $login ) { if ( $login ) {
$remember = $source === self::AUTOCREATE_SOURCE_TEMP; $remember = $source === self::AUTOCREATE_SOURCE_TEMP;
$this->setSessionDataForUser( $user, $remember ); $this->setSessionDataForUser( $user, $remember, false );
} }
return Status::newGood()->warning( 'userexists' ); return Status::newGood()->warning( 'userexists' );
} }
@ -2104,7 +2104,7 @@ class AuthManager implements LoggerAwareInterface {
] ); ] );
if ( $login ) { if ( $login ) {
$remember = $source === self::AUTOCREATE_SOURCE_TEMP; $remember = $source === self::AUTOCREATE_SOURCE_TEMP;
$this->setSessionDataForUser( $user, $remember ); $this->setSessionDataForUser( $user, $remember, false );
} }
$status = Status::newGood()->warning( 'userexists' ); $status = Status::newGood()->warning( 'userexists' );
} else { } else {
@ -2163,7 +2163,7 @@ class AuthManager implements LoggerAwareInterface {
if ( $login ) { if ( $login ) {
$remember = $source === self::AUTOCREATE_SOURCE_TEMP; $remember = $source === self::AUTOCREATE_SOURCE_TEMP;
$this->setSessionDataForUser( $user, $remember ); $this->setSessionDataForUser( $user, $remember, false );
} }
return Status::newGood(); return Status::newGood();
@ -2846,9 +2846,11 @@ class AuthManager implements LoggerAwareInterface {
/** /**
* Log the user in * Log the user in
* @param User $user * @param User $user
* @param bool|null $remember * @param bool|null $remember The "remember me" flag.
* @param bool $isReauthentication Whether creating this session should count as a recent
* authentication for $wgReauthenticateTime checks.
*/ */
private function setSessionDataForUser( $user, $remember = null ) { private function setSessionDataForUser( $user, $remember = null, $isReauthentication = true ) {
$session = $this->request->getSession(); $session = $this->request->getSession();
$delay = $session->delaySave(); $delay = $session->delaySave();
@ -2860,8 +2862,10 @@ class AuthManager implements LoggerAwareInterface {
if ( $remember !== null ) { if ( $remember !== null ) {
$session->setRememberUser( $remember ); $session->setRememberUser( $remember );
} }
$session->set( 'AuthManager:lastAuthId', $user->getId() ); if ( $isReauthentication ) {
$session->set( 'AuthManager:lastAuthTimestamp', time() ); $session->set( 'AuthManager:lastAuthId', $user->getId() );
$session->set( 'AuthManager:lastAuthTimestamp', time() );
}
$session->persist(); $session->persist();
\Wikimedia\ScopedCallback::consume( $delay ); \Wikimedia\ScopedCallback::consume( $delay );
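Review bot: With `$isReauthentication` false, the new `if ( $isReauthentication )` guard leaves whatever `AuthManager:lastAuthId` / `AuthManager:lastAuthTimestamp` values the session already held in place while the session is switched to the autocreated user, so the outcome depends on the consumer of these keys (not in the hunk) comparing `lastAuthId` with the current user id rather than checking the timestamp alone. If that comparison is not guaranteed, an `else` branch that drops the stale values, `$session->remove( 'AuthManager:lastAuthId' );` and `$session->remove( 'AuthManager:lastAuthTimestamp' );`, would make the non-reauthentication path fail closed regardless of how the check is written. Either way, a short comment above the guard, such as `// Autocreation may rest on low-fidelity evidence (e.g. a provider session cookie); never count it as a recent authentication`, keeps the CVE-2025-6597 rationale next to the code that enforces it. At the three autocreate call sites (hunks at 1961, 2104 and 2163) the positional `false` reads as an opaque flag; a named argument `isReauthentication: false` would be clearer if the project's PHP floor permits it. setSessionDataForUser's body continues outside the hunk.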