Page MenuHomePhabricator
Create Task
Maniphest T140010

CVE-2025-32697: Cascading protection is not preventing file reversions
Closed, ResolvedPublic
Actions

Description

Commons users without admin accounts are able to revert to previous versions of files with cascading protection (not manual protection). I don't know how long this has been the case, but a user just performed such a reversion to a cascade-protected image on the main page of the English Wikipedia: https://commons.wikimedia.org/wiki/File:Malcolm_Turnbull_at_the_Pentagon_2016_cropped.jpg (The action wasn't malicious in this instance.) I logged in to my non-admin test account and confirmed that this is possible.

I just set up a cascade-protected page with test transclusions of an image, a video file and an audio file: https://commons.wikimedia.org/wiki/User:David_Levy/Test I was able to perform reversions to all three via my non-admin test account.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
PermissionManager: Differentiate between cascading protection of file content and file pagesmediawiki/coreREL1_39+265 -56
PermissionManager: Differentiate between cascading protection of file content and file pagesmediawiki/coreREL1_42+256 -56
PermissionManager: Differentiate between cascading protection of file content and file pagesmediawiki/coreREL1_43+247 -56
PermissionManager: Differentiate between cascading protection of file content and file pagesmediawiki/coremaster+252 -56
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
Restricted Task
 ResolvedmatmarexT140010 CVE-2025-32697: Cascading protection is not preventing file reversions

Event Timeline

David_Levy created this task.Jul 11 2016, 8:28 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 11 2016, 8:28 PM
David_Levy renamed this task from Cascading protection is not preventing image reversions. to Cascading protection is not preventing file reversions..Jul 11 2016, 8:55 PM
David_Levy updated the task description. (Show Details)
Krenair added projects: MediaWiki-Page-protection, MediaWiki-File-management.EditedJul 12 2016, 12:33 AM
Krenair subscribed.

I'm guessing this is because they're performing 'upload' actions instead of 'edit' actions, and only edit could be protected by cascading protection from non-file pages? What if you add {{File:B}} to File:A's description, cascade-protect File:A from uploading, then try to revert uploads on File:B?

Restricted Application added projects: Multimedia, Commons. · View Herald TranscriptJul 12 2016, 12:33 AM
David_Levy added a comment.EditedJul 12 2016, 1:19 AM
In T140010#2450976, @Krenair wrote:

I'm guessing this is because they're performing 'upload' actions instead of 'edit' actions, and only edit could be protected by cascading protection from non-file pages? What if you add {{File:B}} to File:A's description, cascade-protect File:A from uploading, then try to revert uploads on File:B?

The longstanding behavior is for the transclusion of a file on a cascade-protected page to prevent non-admin uploads under the relevant filename. For this reason, the English Wikipedia has (against my advice) come to rely on this function as a first-line protection method for images appearing on its main page. (A Commons bot monitors the upcoming images and transcludes them on a cascade-protected page.)

It remains impossible for someone using a non-admin account to upload an entirely new version of such a file; he/she may only revert to a previous revision publicly visible in the file's history.

I just tried transcluding my test image on the test video's description page, which I cascade-protected. This registered as an additional source of cascading protection for the image, but I still was able to perform a reversion via my non-admin test account.

matmarex subscribed.EditedJul 12 2016, 5:55 PM

I think this is a duplicate of T24521. That task has had a patch pending for nearly a year (https://gerrit.wikimedia.org/r/#/c/233207/). I think people are afraid to merge it, since it's security-sensitive code.

matmarex added a subscriber: zhuyifei1999.Jul 12 2016, 5:56 PM
David_Levy added a comment.Jul 12 2016, 8:17 PM
In T140010#2454353, @matmarex wrote:

I think this is a duplicate of T24521.

If I understand correctly, that's a request to change cascading protection's behavior by applying the resultant protection to the file alone (instead of both the file and the description page).

That isn't directly relevant to the issue that I'm reporting. The problem is that cascade-protecting a file has stopped preventing non-admin reversions to previous revisions of said file. This malfunction seems to have begun no earlier than 3 July 2016. (I fulfilled a related request on that date, so I know that the non-admin reversion prevention was in effect.)

dpatrick triaged this task as Medium priority.Jul 12 2016, 8:28 PM
Bawolff claimed this task.Jul 12 2016, 8:29 PM
zhuyifei1999 added a comment.EditedJul 12 2016, 8:36 PM

Oh basically cascading protection protects the edit permission only. For a normal upload; both edit and upload are required; but a reversion only needs upload, unprotected by cascading protection.

I'm unaware of the last issue (which caused this bug) when I wrote the above patch.

zhuyifei1999 added a comment.EditedJul 12 2016, 8:41 PM
In T140010#2450976, @Krenair wrote:

What if you add {{File:B}} to File:A's description, cascade-protect File:A from uploading, then try to revert uploads on File:B?

T62109

Edit 1: Never mind, they should inherit the protection in this case (at least that's what my knowledge of cascade protection says).

Edit 2: Thinking again, if the left side of https://gerrit.wikimedia.org/r/#/c/233207/9/includes/Title.php is still the current algorithm, that won't work; File:A's description must be [[File:B]] instead of {{File:B}} to have an imagelink to inherit the protection.

zhuyifei1999 added a comment.Jul 12 2016, 9:08 PM

Discovered an inconsistency:

Both of these are from 2011 or before, per blame

MarkTraceur moved this task from Untriaged to Tracking on the Multimedia board.Dec 2 2016, 9:37 PM
zhuyifei1999 added subscribers: Revent, Stemoc.May 12 2017, 8:35 AM

There was a discussion on IRC regarding the weirdness of cascading protection on File:Moon_Jae-in_May_2017.jpg, which should be cascade-protected by both Commons:Auto-protected_files/wikipedia/fr & Commons:Auto-protected_files/wikinews/en

zhuyifei1999 added subscribers: Majora, AlexisJazz.Nov 8 2018, 4:50 AM

https://commons.wikimedia.org/w/index.php?title=Commons:Administrators%27_noticeboard&oldid=326963106#Cascading_protection_doesn't_stop_me_from_overwriting_files

zhuyifei1999 added a subscriber: Steinsplitter.Nov 8 2018, 4:13 PM
Krinkle added a project: Security-Team.Nov 10 2018, 11:47 PM
Krinkle subscribed.
In T140010#2455301, @zhuyifei1999 wrote:

Discovered an inconsistency:

Both of these are from 2011 or before, per blame

Nice catch. That should be fairly straight-forward to patch to require edit and upload in both places.

zhuyifei1999 added a comment.Nov 10 2018, 11:55 PM

It does not make sense to require edit permissions in the first place. Besides, that 'workaround' is dependent on the current behavior of T24521: Cascade-protecting files should protect the file, not the description page, and have it never fixed.

chasemp moved this task from Incoming to Back Orders on the Security-Team board.Dec 2 2019, 8:52 PM
chasemp removed Bawolff as the assignee of this task.Dec 2 2019, 9:03 PM
chasemp added a subscriber: Bawolff.
chasemp added a project: Security.Feb 10 2020, 10:59 PM
Krinkle unsubscribed.Feb 10 2020, 11:45 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:07 PM
Reedy merged a task: Restricted Task.May 3 2021, 3:06 PM
Reedy added subscribers: Xaosflux, DannyS712, Jdforrester-WMF, Krinkle.
Reedy renamed this task from Cascading protection is not preventing file reversions. to Cascading protection is not preventing file reversions.Jun 21 2021, 3:37 PM
Reedy removed a project: Multimedia.
DannyS712 merged a task: Restricted Task.Jan 6 2022, 11:45 PM
DannyS712 added a subscriber: Dylsss.
Dylsss added a comment.Jan 8 2022, 8:07 PM

This is quite easy to fix without reworking parts of PermissionManager. Are there any issues with the below patch? This will mean the revert will require edit, so edit protection will prevent reverts, but this is already existing behavior with normal upload and if T24521 is resolved then this can be changed. I've also added a check for reupload as the right is required to overwrite existing files, which revert does.

T140010.patch1 KBDownload

matmarex added a comment.Jan 12 2022, 4:16 PM

Another similar patch has been submitted for review in November: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/737454

Dylsss added a comment.EditedJan 12 2022, 5:21 PM
In T140010#7616936, @matmarex wrote:

Another similar patch has been submitted for review in November: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/737454

That patch removes a check for upload using the action page, this isn't ideal as upload is a prerequisite for reupload/reupload-own and would allow users to revert files if the user group is assigned reupload/reupload-own but not upload. An example in WMF production are closed wikis, where upload rights are removed, however user groups may still have reupload/reupload-own rights. AFAIK This would allow users to modify closed wikis as long as they already have an account there.

Reedy edited projects, added SecTeam-Processed; removed Security-Team.Feb 2 2022, 7:52 PM
sbassett mentioned this in T304474: CVE-2025-32696: "reupload-own" restriction can be bypassed by reverting file.Mar 23 2022, 2:20 PM
sbassett added a subscriber: Porplemontage.
Dylsss added a subscriber: Func.Jan 6 2025, 1:45 AM
Dylsss added a comment.Jan 19 2025, 10:43 PM

Just noting https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1112359 would fix this.

matmarex added subscribers: sbassett, Reedy.Feb 8 2025, 1:37 AM

Indeed it would, thanks for noting it here.

I would like to merge that patch. @sbassett @Reedy I have two questions for you before I do that:

  • Is this something that should be backported to release versions? (It looks easily backportable to 1.42 with minor fixes, more challenging to backport to 1.39.)
  • Is it okay to just merge it, or would you like to coordinate it with the MediaWiki release timing somehow?
sbassett added a comment.EditedFeb 11 2025, 6:17 PM
In T140010#10533370, @matmarex wrote:
  • Is this something that should be backported to release versions? (It looks easily backportable to 1.42 with minor fixes, more challenging to backport to 1.39.)

In general, from a Security-Team perspective, we try to backport security fixes to any relevant supported release branches. If code never existed on an older release branch or was only briefly an issue on master or something, then it can't be backported. If it's non-trivial but possible to backport, I think that usually ends up being a judgment call for the developers/maintainers of the code.

  • Is it okay to just merge it, or would you like to coordinate it with the MediaWiki release timing somehow?

If we're talking about c1112359 above, as long as it goes through standard CR and tests fine, I think it can just be merged, as it's already a public change set.

matmarex added a subscriber: gerritbot.Feb 14 2025, 9:03 PM
gerritbot added a comment.Feb 14 2025, 11:13 PM

Change #1112359 merged by jenkins-bot:

[mediawiki/core@master] PermissionManager: Differentiate between cascading protection of file content and file pages

https://gerrit.wikimedia.org/r/1112359

matmarex moved this task from Backlog to Cascade on the MediaWiki-Page-protection board.Feb 15 2025, 12:43 AM
matmarex added a project: MediaWiki-Platform-Team.Feb 15 2025, 1:44 AM
larissagaulia moved this task from Inbox, needs triage to In progress on the MediaWiki-Platform-Team board.Feb 17 2025, 3:38 PM
Jdforrester-WMF added a project: MW-1.44-notes (1.44.0-wmf.17; 2025-02-18).Feb 18 2025, 4:38 PM
matmarex added a comment.Feb 21 2025, 1:43 AM

@sbassett Changes are live now. Would you please make this task public?

matmarex added a project: User-notice.Feb 21 2025, 2:02 AM

I added a draft entry for this and other recent work on cascading protection and file uploads to the Tech News for the week after next (so that we have some more time to discuss and edit them, as these changes are difficult to explain with brevity): https://meta.wikimedia.org/wiki/Tech/News/2025/10

sbassett closed this task as Resolved.Feb 21 2025, 3:03 PM
sbassett assigned this task to matmarex.
sbassett added a parent task: Restricted Task.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett mentioned this in T24521: Cascade-protecting files should protect the file, not the description page.Feb 21 2025, 3:07 PM
Quiddity moved this task from To Triage to Announce in next Tech/News on the User-notice board.Feb 21 2025, 9:11 PM
Quiddity moved this task from Announce in next Tech/News to In current Tech/News draft on the User-notice board.Feb 27 2025, 12:25 AM
Pppery moved this task from In current Tech/News draft to Already announced/Archive on the User-notice board.Mar 22 2025, 7:31 PM
gerritbot added a comment.Mar 24 2025, 12:56 PM

Change #1130586 had a related patch set uploaded (by Reedy; author: Dylsss):

[mediawiki/core@REL1_43] PermissionManager: Differentiate between cascading protection of file content and file pages

https://gerrit.wikimedia.org/r/1130586

gerritbot added a project: Patch-For-Review.Mar 24 2025, 12:56 PM

Change #1130587 had a related patch set uploaded (by Reedy; author: Dylsss):

[mediawiki/core@REL1_42] PermissionManager: Differentiate between cascading protection of file content and file pages

https://gerrit.wikimedia.org/r/1130587

gerritbot added a comment.Mar 24 2025, 12:57 PM

Change #1130588 had a related patch set uploaded (by Reedy; author: Dylsss):

[mediawiki/core@REL1_39] PermissionManager: Differentiate between cascading protection of file content and file pages

https://gerrit.wikimedia.org/r/1130588

Reedy added a comment.Mar 24 2025, 12:58 PM

Do we know offhand how long this has been around for?

gerritbot added a comment.Mar 24 2025, 1:47 PM

Change #1130586 merged by jenkins-bot:

[mediawiki/core@REL1_43] PermissionManager: Differentiate between cascading protection of file content and file pages

https://gerrit.wikimedia.org/r/1130586

ReleaseTaggerBot added a project: MW-1.43-notes.Mar 24 2025, 2:00 PM
gerritbot added a comment.Mar 24 2025, 2:19 PM

Change #1130587 merged by jenkins-bot:

[mediawiki/core@REL1_42] PermissionManager: Differentiate between cascading protection of file content and file pages

https://gerrit.wikimedia.org/r/1130587

ReleaseTaggerBot added a project: MW-1.42-notes.Mar 24 2025, 3:00 PM
Maintenance_bot edited projects, added User-notice-archive; removed User-notice.Apr 3 2025, 3:32 PM
Reedy renamed this task from Cascading protection is not preventing file reversions to CVE-2025-32697: Cascading protection is not preventing file reversions.Apr 9 2025, 12:57 PM
gerritbot added a comment.Apr 9 2025, 2:00 PM

Change #1130588 abandoned by Reedy:

[mediawiki/core@REL1_39] PermissionManager: Differentiate between cascading protection of file content and file pages

Reason:

Complexity and duplication...

https://gerrit.wikimedia.org/r/1130588

Reedy removed a project: Patch-For-Review.Apr 9 2025, 2:03 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits