[Mediawiki-api-announce] BREAKING CHANGE: Passwords and other sensitive fields for authentication must be in the POST body

As was previously announced, passing the lgpassword or lgtoken parameters to action=login in the query string rather than the POST body will begin to return an error starting with 1.29.0-wmf.13. See https://www.mediawiki.org/wiki/MediaWiki_1.29/Roadmap for the deployment schedule. On Mon, Oct 31, 2016 at 2:44 PM, Brad Jorsch (Anomie) &lt;bjorsch(a)wikimedia.org > Over the past 30 days, there has been exactly one hit to > action=clientlogin with sensitive data in the query string, and none to > action=createaccount, action=linkaccount, and action=changeauthenticationdata. > Beginning in 1.29.0-wmf.1 (to be deployed this week) these actions will now > begin throwing errors if sensitive fields are included in the query string. > > Over the past 30 days, logins have been attempted via action=login for 28 > different user names[1] with sensitive data (lgpassword or lgtoken) in the > query string. This will continue to work for now; my current plan is to > turn that warning into an error on February 15, 2017. > > > [1]: I can't post the list publicly at this time. If you want to know if > you're one of the 28, put your user agent into https://meta.wikimedia.org/ > wiki/Special:ApiFeatureUsage and look for "login-params-in-query-string". > > > On Fri, Aug 19, 2016 at 3:24 PM, Brad Jorsch (Anomie) < > bjorsch(a)wikimedia.org> >> For improved safety, passwords and other sensitive fields for >> authentication should not be included in the request URI during a POST. >> Instead, they should be in the POST body where they are less likely to be >> included in log files. With the merge of Gerrit change 305545,[1] the API >> will now produce a warning if such fields are detected in the URI. This >> should be deployed to WMF wikis with 1.28.0-wmf.16, see >> https://www.mediawiki.org/wiki/MediaWiki_1.28/Roadmap for the schedule. >> >> This affects the following modules and fields: >> * action=login: 'lgpassword' >> * action=clientlogin, action=createaccount, action=linkaccount, and >> action=changeauthenticationdata: Any fields reported as "sensitive" by >> action=query&meta=authmanagerinfo or by UI or REDIRECT responses. >> Currently, this affects the 'password' and 'retype' fields. >> >> The 'lgtoken' field for action=login will now also issue a warning if >> placed in the request URI. The error code for other tokens being in the >> request URI has changed from 'mustposttoken' to 'mustpostparams'. >> >> To check if your client's user agent is detected making such submissions, >> you can also use ApiFeatureUsage[2] and look for >> '<action>-params-in-query-string' once 1.28.0-wmf.16 is rolled out to >> wikis your client is logging in to. >> >> It is planned that these warnings will be changed to errors during 1.29. >> Let's avoid having a repeat of T142155,[3] update your code ASAP instead of >> waiting until it breaks. Thanks. >> >> [1]: https://gerrit.wikimedia.org/r/#/c/305545/ >> [2]: https://meta.wikimedia.org/wiki/Special:ApiFeatureUsage >> [3]: https://phabricator.wikimedia.org/T142155 >> >> -- >> Brad Jorsch (Anomie) >> Senior Software Engineer >> Wikimedia Foundation >> > > > > -- > Brad Jorsch (Anomie) > Senior Software Engineer > Wikimedia Foundation > -- Brad Jorsch (Anomie) Senior Software Engineer Wikimedia Foundation