wiki.techinc.nl/includes/auth
Gergő Tisza b1adf3c728 SECURITY: Allow extensions to suppress the reauth flag on login
CVE-2025-6926

This is a workaround for extensions with some sort of "autologin"
implemented via the login page to indicate that the login flow
didn't involve the user actually logging in, it merely copied
some central login state, and so isn't appropriate for the
reauthentication flag.

This isn't the best way to provide an interface to extensions
(if we keep it, a more explicit interface, such as a
SessionPropertiesAuthenticationRequest object that's part of
the initial request set and can be modified by providers,
and can also be used for the "remember me" flag, would be
nicer), and maybe the whole approach of letting extensions
suppress the reauthentication flag is not the best way of
handling the problem in the first place, but it's simple
which is important for a security patch.

Bug: T389010
Change-Id: Ifce73837b25b0caad2d3d3cba000cceb0184c29d
2025-06-30 19:58:42 +01:00
..
Hook auth: Fix documentation of AuthManagerVerifyAuthentication hook 2024-08-27 11:45:25 +02:00
AbstractAuthenticationProvider.php Namespace Config-related classes under \MediaWiki\Config 2023-09-21 05:41:58 +00:00
AbstractPasswordPrimaryAuthenticationProvider.php auth: Add missing documentation to class properties 2024-09-01 11:27:45 +02:00
AbstractPreAuthenticationProvider.php
AbstractPrimaryAuthenticationProvider.php Using @return never documentation on always-throw-function 2021-09-07 17:29:03 +02:00
AbstractSecondaryAuthenticationProvider.php
AbstractTemporaryPasswordPrimaryAuthenticationProvider.php Add namespace to IDBAccessObject and DBAccessObjectUtils 2024-09-27 16:19:10 -04:00
AuthenticationProvider.php Don't set AuthenticationRequest::$username on login 2023-09-05 10:59:04 +10:00
AuthenticationRequest.php Add explicit parentheses around mixed boolean operator 2024-03-23 01:58:59 +01:00
AuthenticationResponse.php Namespace Message, move to appropriate directory 2024-02-14 15:10:36 -05:00
AuthManager.php SECURITY: Allow extensions to suppress the reauth flag on login 2025-06-30 19:58:42 +01:00
ButtonAuthenticationRequest.php ButtonAuthenticationRequest: Add AllowDynamicProperties directive 2024-12-12 21:45:31 +00:00
CheckBlocksSecondaryAuthenticationProvider.php Use namespaced classes (2) 2024-06-16 20:23:55 +02:00
ConfirmLinkAuthenticationRequest.php Import InvalidArgumentException at top of the source 2024-05-19 23:57:44 +03:30
ConfirmLinkSecondaryAuthenticationProvider.php Namespace User under \MediaWiki\User 2023-09-19 19:18:16 +00:00
CreatedAccountAuthenticationRequest.php auth: Add missing documentation to class properties 2024-09-01 11:27:45 +02:00
CreateFromLoginAuthenticationRequest.php Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
CreationReasonAuthenticationRequest.php auth: Add missing documentation to class properties 2024-09-01 11:27:45 +02:00
EmailNotificationSecondaryAuthenticationProvider.php auth: Use IConnectionProvider instead of LoadBalancer 2023-05-03 13:23:43 +02:00
LocalPasswordPrimaryAuthenticationProvider.php Add namespace to IDBAccessObject and DBAccessObjectUtils 2024-09-27 16:19:10 -04:00
PasswordAuthenticationRequest.php auth: Replace FQNs with imports 2022-12-16 11:30:32 +01:00
PasswordDomainAuthenticationRequest.php auth: Replace FQNs with imports 2022-12-16 11:30:32 +01:00
PreAuthenticationProvider.php auth: Pass canAlwaysAutocreate from session to pre-auth providers 2024-09-06 12:01:58 -07:00
PrimaryAuthenticationProvider.php Add namespace to IDBAccessObject and DBAccessObjectUtils 2024-09-27 16:19:10 -04:00
RememberMeAuthenticationRequest.php Fix many typos in comments 2022-05-10 12:46:11 +00:00
ResetPasswordSecondaryAuthenticationProvider.php Use namespaced classes (2) 2024-06-16 20:23:55 +02:00
SecondaryAuthenticationProvider.php auth: Pass canAlwaysAutocreate from session to pre-auth providers 2024-09-06 12:01:58 -07:00
TemporaryPasswordAuthenticationRequest.php Namespace includes/password 2024-05-18 16:17:38 +01:00
TemporaryPasswordPrimaryAuthenticationProvider.php Add namespace to IDBAccessObject and DBAccessObjectUtils 2024-09-27 16:19:10 -04:00
ThrottlePreAuthenticationProvider.php Add namespace to the root classes of ObjectCache 2024-07-10 00:14:54 +03:30
Throttler.php Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
UserDataAuthenticationRequest.php Namespace Sanitizer under \MediaWiki\Parser 2023-09-21 05:39:23 +00:00
UsernameAuthenticationRequest.php