SECURITY: Mitigate MITM (GHSA-gvpg-23fh-8g75)
Prepend an anti-phishing message to the code itself, warning about its source
Add instructions to delete the comment afterwards to protect privacy
Kenny2github committed Apr 13, 2021
1 parent 3cc1afc commit 9220c2a
Showing 4 changed files with 7 additions and 1 deletion.
2 changes: 2 additions & 0 deletions i18n/en.json
Expand Up @@ -7,6 +7,8 @@
"soa2-scratch-username": "Scratch username:",
"soa2-invalid-username": "Invalid username: $1",
"soa2-vercode-explanation": "Please go to $1 and comment the code below:",
"soa2-vercode-explanation2": "For added privacy, delete your comment immediately after logging in here.",
"soa2-vercode": "Copy this paragraph (including both the code and this message). Only post this code if it came from {{SERVER}} | $1",
"soa2-your-profile": "your profile",
"soa2-next": "Next",
"soa2-login": "I have done so",
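Review bot: `{{SERVER}}` in the new soa2-vercode message expands to `$wgServer`, which MediaWiki allows to be protocol-relative (`//host`); in that configuration the user is asked to compare against a string that does not look like what the address bar shows. `{{SERVERNAME}}` yields only the host name, which is the part a user can actually verify, so `Only post this code if it came from {{SERVERNAME}} | $1` is the safer wording. Because login.php stores the rendered paragraph in the session, any later edit to this message also changes what open sessions have already stored, if verification compares that stored text verbatim (I cannot see the verification code from here).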
2 changes: 2 additions & 0 deletions i18n/qqq.json
Expand Up @@ -7,6 +7,8 @@
"soa2-scratch-username": "Label for Scratch username field",
"soa2-invalid-username": "Error message for invalid username",
"soa2-vercode-explanation": "Instructions for user verification. $1 is the \"your profile\" link.",
"soa2-vercode-explanation2": "Instructions to delete the comment afterwards.",
"soa2-vercode": "A message prepended to the actual code to prevent man-in-the-middle attacks. $1 is the code.",
"soa2-your-profile": "Link text for \"your profile\"",
"soa2-next": "Next button text",
"soa2-login": "Login button text",
1 change: 1 addition & 0 deletions includes/common/login.php
Expand Up @@ -14,6 +14,7 @@ public static function gen_code( $session ) {
if (!$session->exists( 'soa2_scratch_code' )) {
$code = chunk_split(hash('sha256', random_bytes(32)), 5, ':');
$code = substr($code, 0, strlen($code) - 1); // chop off last colon
$code = wfMessage('soa2-vercode', $code)->text();
$session->set( 'soa2_scratch_code', $code );
$session->save();
}
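Review bot: The session now stores the decorated paragraph rather than the bare code, so whatever later compares the user's Scratch comment against `soa2_scratch_code` must match the whole localized message verbatim, including the expanded `{{SERVER}}` and the ` | ` separator, and will fail if the comment platform trims or reflows that text or if the check still expects a bare hex string. I cannot see the verification step from here, so this is inferred; if it is a literal comparison, keep the raw code under its own session key and build the display paragraph in loginForm instead, or at least document the contract on the new line: `// stored value is the full soa2-vercode paragraph, not the bare code; verification must match it as a whole`. The paragraph is also rendered once, in the interface language and for the server of the first request, because it is only generated while the key is absent. gen_code starts before this hunk and its body continues outside it.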
3 changes: 2 additions & 1 deletion includes/special/SpecialScratchOAuth2.php
Expand Up @@ -120,8 +120,9 @@ public function loginForm( WebRequest $request ) { // Step 13
wfMessage('soa2-vercode-explanation')->rawParams($profile)->parse()
));
$out->addHTML(Html::rawElement('p', [], Html::element(
'code', [], $codes['code']
'textarea', [], $codes['code']
)));
$out->addWikiMsg('soa2-vercode-explanation2');
$out->addHTML(Html::rawElement('p', [], Html::submitButton(
wfMessage('soa2-login')->plain(), []
)));
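Review bot: The `textarea` introduced on the changed line is freely editable, so the user can alter the paragraph before copying it; if the stored session value is later compared verbatim, a `readonly` attribute keeps what is copied identical to what was generated: `'textarea', ['readonly' => true], $codes['code']`. `Html::element` escapes the body, so the expanded server name and the `|` separator cannot break out of the element. loginForm starts before this hunk and continues after it.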
