On 16 Feb 2012, at 17:45, Bergi wrote:
Nicolas Brouard INED wrote:
Then, just try to enter your e-mail on a standard wiki in place of your username and you will be authenticated to the first ID (and user_name) having your e-mail.
Great Idea!
Thank you. Now we have to convince developers to transform this idea into reality...
If someone could test this patch above and report the security issues as well as performance, it could be great for us.
No idea about PHP and performance, but a possible security hole: Are there any system messages that output the username when failing to login?
We tested this patch already on some wikis.
The patch is very short as you can see. If the e-mail entered doesn't belong to the user_name list, the e-mail is tested amongst the user_email list. If the e-mail doesn't belong to the user_email list (no row and thus no user_id with this e-mail) the null return is similar to a null return because of an unknown user_name and thus a message is sent with an "Unknown user" with the e-mail (and not the user_name).
If the e-mail belongs to the list of e-mails,
mysql> SELECT user_id, user_name, user_email FROM wikidb WHERE user_email='jfox@foo.fr';
+---------+-----------+-------------+
| user_id | user_name | user_email  |
+---------+-----------+-------------+
|       2 | John Fox  | jfox@foo.fr |
|       3 | JFBot     | jfox@foo.fr |
|     443 | John FOX  | jfox@foo.fr |
+---------+-----------+-------------+
an array of corresponding user_id is sent and the first user_id (here 2) is chosen by default if you are not asking for an array in selectRow.
If you entered the password of "John Fox", you will be logged in as if you entered "John Fox" instead of "jfox@foo.fr". If you entered a wrong password for John Fox, for example the password of John FOX, Wikipedia will tell you that the password for "jfox@foo.fr" is wrong.
If you ask for a new password to be sent, you will receive an e-mail at the name of John Fox, not John FOX nor JFBot, but it is an e-mail at your e-mail box and I don't see any trouble.
If these messages would use the username from the database query (because of normalizing or something?) and not from $_POST, you could find out users' email addresses.
I hope that my previous explanations are also answering your above issue which I do not completely understand.
Regards,
Nicolas
Bergi
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Nicolas Brouard INED brouard@ined.fr
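
The lookup order and the message concern discussed in this thread, as an added example (not the patch under discussion and not MediaWiki code). The table name `wiki_user`, the function names and the message wording are assumptions; the rows are constructed from the query result quoted above.

```python
import sqlite3

# Constructed sample rows mirroring the query result quoted in the thread.
ROWS = [(2, "John Fox", "jfox@foo.fr"),
        (3, "JFBot", "jfox@foo.fr"),
        (443, "John FOX", "jfox@foo.fr")]

def make_db():
    """In-memory stand-in for the user table (hypothetical name wiki_user)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wiki_user (user_id INTEGER PRIMARY KEY,"
               " user_name TEXT, user_email TEXT)")
    db.executemany("INSERT INTO wiki_user VALUES (?, ?, ?)", ROWS)
    return db

def resolve_login(db, submitted):
    """Try user_name first, then user_email; several accounts may share an
    e-mail, so the lowest user_id is picked explicitly instead of relying on
    whichever row the database happens to return first."""
    row = db.execute("SELECT user_id, user_name FROM wiki_user"
                     " WHERE user_name = ?", (submitted,)).fetchone()
    if row is None:
        row = db.execute("SELECT user_id, user_name FROM wiki_user"
                         " WHERE user_email = ? ORDER BY user_id LIMIT 1",
                         (submitted,)).fetchone()
    return row

def failure_message(db, submitted, echo_db_name):
    """Build the failed-login message. echo_db_name=True models a message that
    prints the name loaded from the database; False echoes only what the
    client typed."""
    row = resolve_login(db, submitted)
    if row is None:
        return f'Unknown user "{submitted}"'
    shown = row[1] if echo_db_name else submitted
    return f'Incorrect password for "{shown}"'

def discloses_account(db, submitted, message):
    """True if the message names an account the client did not type itself,
    i.e. it links an e-mail address to a user_name."""
    names = [n for (n,) in db.execute("SELECT user_name FROM wiki_user")]
    return any(n in message and n != submitted for n in names)

if __name__ == "__main__":
    db = make_db()
    for echo in (True, False):
        msg = failure_message(db, "jfox@foo.fr", echo)
        print(echo, msg, discloses_account(db, "jfox@foo.fr", msg))
```

Even when only the submitted string is echoed, the "Unknown user" and "Incorrect password" messages differ, so the response still shows whether an e-mail address is registered.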