Description
steps to reproduce:
- Have a page with a non-resolvable (interwiki) redirect (to a namespace different from 0): https://de.wikipedia.beta.wmflabs.org/wiki/Benutzer:Hgzh/a
- try to edit this page using the API and the redirect=1 parameter https://de.wikipedia.beta.wmflabs.org/w/api.php?action=edit&format=json&title=Benutzer%3AHgzh%2Fa&appendtext=Test&redirect=1&token=
expected behaviour:
- some kind of error message
observed behaviour:
- a new page is created
- it is in the main namespace (0); page.page_namespace = 0
- the page title contains the namespace prefix; page.page_title = 'User talk:Hgzh' (normally, no namespace prefix is added in this field)
- the interwiki prefix is stripped somewhere
- example: https://de.wikipedia.beta.wmflabs.org/wiki/Special:Redirect/page/4809
- as this new page contains the namespace prefix in its title, it is only accessable via curid
- every ui action refers to the actual talk page (links, protect/delete etc.) instead of the previously created page as they seem to rely on the page_title
- the new page can only be deleted using the API with curid
API query:
API response:
{
"redirects": [
{
"from": "Benutzer:Hgzh/a",
"to": "meta:User talk:Hgzh"
}
],
"edit": {
"new": "",
"result": "Success",
"pageid": 4809,
"title": "meta:User talk:Hgzh",
"contentmodel": "wikitext",
"oldrevid": 0,
"newrevid": 25355,
"newtimestamp": "2019-11-28T15:43:19Z"
}
}Details
Related Objects
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | None | T95277 Erroneous Category:Category:Pages_with_script_errors | |||
| Resolved | Steinsplitter | T111594 Commons file stuck in category | |||
| Resolved | None | T87645 Existing pages without ability to reach and obviously wrong namespace | |||
| Resolved | Anomie | T239428 API edit on page with non-resolvable redirect and redirect=1 creates page with invalid title |
Event Timeline
This results in security issue (T239466: Possible to circumvent title-blacklist (CVE-2019-19709)).
After resolving the redirect in ApiEditPage there is no check for Title::isExternal or Title::canExist (to check for Special or Media namespace redirect targets)
Needs some new apierror texts where I am unsure how to name it
In T239428#5701358, @Bugreporter wrote:This results in security issue (T239466: Possible to circumvent title-blacklist (CVE-2019-19709)).
You probably shouldn't proclaim that on a public task.
Change 554084 had a related patch set uploaded (by Anomie; owner: Anomie):
[mediawiki/core@master] ApiEditPage: Test for bad redirect targets
Change 554084 merged by jenkins-bot:
[mediawiki/core@master] ApiEditPage: Test for bad redirect targets
Change 554885 had a related patch set uploaded (by Anomie; owner: Anomie):
[mediawiki/core@wmf/1.35.0-wmf.5] ApiEditPage: Test for bad redirect targets
Change 554886 had a related patch set uploaded (by Anomie; owner: Anomie):
[mediawiki/core@wmf/1.35.0-wmf.8] ApiEditPage: Test for bad redirect targets
Change 554885 merged by jenkins-bot:
[mediawiki/core@wmf/1.35.0-wmf.5] ApiEditPage: Test for bad redirect targets
Change 554886 merged by jenkins-bot:
[mediawiki/core@wmf/1.35.0-wmf.8] ApiEditPage: Test for bad redirect targets
Mentioned in SAL (#wikimedia-operations) [2019-12-05T15:17:31Z] <anomie@deploy1001> Started scap: Backporting fix for T239428
Mentioned in SAL (#wikimedia-operations) [2019-12-05T15:50:51Z] <anomie@deploy1001> Finished scap: Backporting fix for T239428 (duration: 33m 20s)
Change 554900 had a related patch set uploaded (by SBassett; owner: Anomie):
[mediawiki/core@REL1_34] ApiEditPage: Test for bad redirect targets
Change 554900 merged by jenkins-bot:
[mediawiki/core@REL1_34] ApiEditPage: Test for bad redirect targets
Change 556284 had a related patch set uploaded (by SBassett; owner: Anomie):
[mediawiki/core@REL1_33] ApiEditPage: Test for bad redirect targets
Change 556286 had a related patch set uploaded (by SBassett; owner: Anomie):
[mediawiki/core@REL1_32] ApiEditPage: Test for bad redirect targets
Change 556287 had a related patch set uploaded (by SBassett; owner: Anomie):
[mediawiki/core@REL1_31] ApiEditPage: Test for bad redirect targets
Change 556287 merged by jenkins-bot:
[mediawiki/core@REL1_31] ApiEditPage: Test for bad redirect targets
Change 556286 merged by jenkins-bot:
[mediawiki/core@REL1_32] ApiEditPage: Test for bad redirect targets
Change 556284 merged by jenkins-bot:
[mediawiki/core@REL1_33] ApiEditPage: Test for bad redirect targets