[go: up one dir, main page]
Page MenuHomePhabricator
Create Task
Maniphest T309787

Remove IEContentAnalyzer
Closed, ResolvedPublic
Actions

Description

IEContentAnalyzer was introduced to deal with content sniffing of resources on our potentially arbitrary user uploads.

IE8 introduced X-Content-Type-Options: nosniff, now supported by the major browsers, which if we would use it on all resources (esp. also uploads.wikimedia.org) should remove the need for IEContentAnalyzer if I understand it correctly.

Browsers listen and obey this header for all uris when they are attempted to be loaded as script or style resources. In addition the header triggers CORB protections if supported by the browser.

MediaWiki already returns x-content-type-options:nosniff` for all requests, but upload.wikimedia.org does not return results with X-Content-Type-Options: nosniff.

Removing IEContentAnalyzer was one of the notes of T232563: Drop IE6 and IE7 basic compatibility and security support. It is known that IEContentAnalyzer creates problems, it is the cause of T182264: IE content analyzer is executed on non-first chunks during chunk uploading, preventing legitimate uploads, which might actually explain some of the many user reports about failures with using chunked uploading. It is also blocking T28059: Add support for KML/KMZ filetype.

Details

SubjectRepoBranchLines +/-
Check images server responses for nosniffmediawiki/coremaster+41 -0
Remove IEContentAnalyzermediawiki/coremaster+9 -929
varnish: Set `X-Content-Type-Options: nosniff` on upload requestsoperations/puppetproduction+4 -0
Set "X-Content-Type-Options: nosniff" header in images/.htaccessmediawiki/coremaster+3 -0
Customize query in gerrit

Related Objects

Event Timeline

TheDJ created this task.Jun 2 2022, 2:25 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 2 2022, 2:25 PM
Maintenance_bot added a project: Commons.Jun 2 2022, 2:30 PM
gerritbot added a comment.Jun 2 2022, 7:17 PM

Change 802592 had a related patch set uploaded (by TheDJ; author: TheDJ):

[mediawiki/core@master] Remove IEContentAnalyzer

https://gerrit.wikimedia.org/r/802592

gerritbot added a project: Patch-For-Review.Jun 2 2022, 7:17 PM
Peachey88 removed a project: Commons.Jun 2 2022, 9:23 PM
TheDJ updated the task description. (Show Details)Jun 7 2022, 8:45 AM
TheDJ added a subscriber: Jgiannelos.Jun 14 2022, 6:39 PM

Hi @Jgiannelos. I believe you have a bit of Swift knowledge ?

I would like to see the header X-Content-Type-Options: nosniff added to at least the originals (and archived originals) of upload.wikimedia.org (to prevent browsers from content sniffing)

This could of course be done via the headers sent to swift or, I was thinking of setting it on the varnish (in upload-frontend.inc.vlc.erb ??) like we do for Access-Control-Allow-Origin. Or both ? What do you think makes the most sense ?

Jgiannelos added a comment.Jun 21 2022, 10:22 AM

Hey @TheDJ i have some experience with using Swift from a dev perspective but for the actual swift config I would defer to the data persistence team.

TheDJ added a comment.EditedJul 3 2022, 10:07 AM

Adding Data-Persistence (work done) to request feedback

I would like to see the header X-Content-Type-Options: nosniff added to at least the originals (and archived originals) of upload.wikimedia.org (to prevent browsers from content sniffing)

This could of course be done via the headers sent to swift or, I was thinking of setting it on the varnish (in upload-frontend.inc.vlc.erb ??) like we do for Access-Control-Allow-Origin. Or both ? What do you think makes the most sense ?

TheDJ added a project: Data-Persistence (work done).Jul 3 2022, 10:07 AM
Ladsgroup added a subscriber: MatthewVernon.Aug 3 2022, 9:06 AM
MatthewVernon added a comment.Aug 3 2022, 9:28 AM

I don't think Swift itself has a mechanism for setting X-Content-Type-Options; so I think if we want to do this, having it done by varnish is likely to be the way to go.

HouseBlaster moved this task from Unsorted to Needs removal on the Technical-Debt board.Dec 3 2022, 7:55 PM
gerritbot added a comment.Feb 21 2023, 1:58 AM

Change 890512 had a related patch set uploaded (by Legoktm; author: Legoktm):

[operations/puppet@production] varnish: Set `X-Content-Type-Options: nosniff` on upload requests

https://gerrit.wikimedia.org/r/890512

Legoktm edited projects, added Traffic; removed Data-Persistence (work done).Feb 21 2023, 1:59 AM
BCornwall subscribed.Feb 21 2023, 2:45 PM
ssingh moved this task from Backlog to Traffic team actively servicing on the Traffic board.Feb 21 2023, 3:51 PM
Maintenance_bot added a project: SRE.Feb 21 2023, 4:29 PM
BCornwall claimed this task.Feb 21 2023, 6:10 PM
BCornwall triaged this task as Lowest priority.
BCornwall moved this task from Traffic team actively servicing to Scheduled incidental work on the Traffic board.
BCornwall changed the task status from Open to In Progress.Feb 21 2023, 6:26 PM
BCornwall reassigned this task from BCornwall to Legoktm.
BCornwall added subscribers: Vgutierrez, BBlack.Feb 21 2023, 7:39 PM

@BBlack, @Vgutierrez: Is it reasonable to put this header into Varnish itself as per https://gerrit.wikimedia.org/r/c/890512? Seems sound to me since it's a blanket protection rather than on a per-request basis.... But I know there's a history of stuffing inappropriate solutions into Varnish so I want to make sure. :)

Vgutierrez added a comment.Feb 22 2023, 10:48 AM

I think so, I've took the liberty of amending the commit and adding a test for the new header as well

BCornwall moved this task from Scheduled incidental work to Traffic team actively servicing on the Traffic board.Feb 22 2023, 6:02 PM
BBlack added a comment.Feb 23 2023, 5:11 PM

Looks good to me, and appropriate at the Varnish layer in this case.

BCornwall added a comment.Feb 23 2023, 8:37 PM

Carrying over a conversation from https://gerrit.wikimedia.org/r/c/802592 in which @tstarling says:

Ideally I would like there to be more help for third party users. Say, extra documentation, and check for the header with curl during install, and warn the user if it is not present. The installer currently has config-upload-help which links to https://www.mediawiki.org/wiki/Manual:Security , which doesn't say anything about X-Content-Type-Options. Instructions should be sprinkled throughout the manual pages on mediawiki.org, for example at https://www.mediawiki.org/wiki/Manual:Configuring_file_uploads

I agree! And it sounds like Tim would like that to be part of the acceptance criteria for this ticket (rather than, say, doing the docs later in a separate ticket). Happy to do that part. Not sure I agree with talking about the header in Manual:Configuring_file_uploads since this is a more general security setting that applies to more than file uploads. Manual:Security seems like a decent place considering the Apache/nginx documentation doesn't seem to include much detail on site configuration itself.

Jdforrester-WMF subscribed.Feb 23 2023, 8:46 PM
TheDJ added a comment.EditedFeb 23 2023, 9:14 PM

check for the header with curl during install, and warn the user if it is not present.

I guess we can do this for upgrades, but for fresh installs, it is a bit hard to guess up front if people are going to use thumbor or another image hosting service or proxy that is not supplying this header.

We don't have some sort of recurring environment checks anywhere right ?

TheDJ added a comment.Feb 23 2023, 9:28 PM

Ugh.. ok. i see that the envCheckUploadsDirectory of the installer is not even checking wgUploadPath... and wgUploadBaseUrl either.

gerritbot added a comment.Feb 23 2023, 10:34 PM

Change 891678 had a related patch set uploaded (by TheDJ; author: TheDJ):

[mediawiki/core@master] [WIP] Check images path responses for nosniff

https://gerrit.wikimedia.org/r/891678

TheDJ added a comment.Feb 23 2023, 10:43 PM

whipped up a beginning for an installer check, but requires more work. (i'm about to go on vacation, so might be a while before i can get back to it)

Legoktm added a subscriber: taavi.Feb 25 2023, 4:56 AM

@taavi suggested adding the header in core's pre-existing images/.htaccess; I'll submit a patch for that.

gerritbot added a comment.Feb 25 2023, 5:03 AM

Change 891937 had a related patch set uploaded (by Legoktm; author: Legoktm):

[mediawiki/core@master] Set "X-Content-Type-Options: nosniff" header in images/.htaccess

https://gerrit.wikimedia.org/r/891937

Legoktm added a comment.Feb 25 2023, 5:16 AM

Few doc improvements: https://www.mediawiki.org/w/index.php?diff=5794808&oldid=5576457&title=Manual:Security and https://www.mediawiki.org/w/index.php?diff=5794835&oldid=5766210&title=Manual:Configuring_file_uploads - latter page needs more work.

gerritbot added a comment.Feb 25 2023, 9:40 AM

Change 891937 merged by jenkins-bot:

[mediawiki/core@master] Set "X-Content-Type-Options: nosniff" header in images/.htaccess

https://gerrit.wikimedia.org/r/891937

ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.25; 2023-02-27).Feb 25 2023, 10:00 AM
gerritbot added a comment.Feb 27 2023, 11:46 AM

Change 890512 merged by Vgutierrez:

[operations/puppet@production] varnish: Set `X-Content-Type-Options: nosniff` on upload requests

https://gerrit.wikimedia.org/r/890512

Stashbot added a comment.Feb 27 2023, 11:49 AM

Mentioned in SAL (#wikimedia-operations) [2023-02-27T11:49:36Z] <vgutierrez> set "X-Content-Type-Options: nosniff" on upload.wm.o requests - T309787

Vgutierrez added a comment.Feb 27 2023, 11:58 AM
vgutierrez@cp6001:~$ curl -H 'Host: upload.wikimedia.org' -k https://127.0.0.1/favicon.ico -s -v -o /dev/null 2>&1 |grep x-content-type
< x-content-type-options: nosniff

varnish is now setting the header as expected (give puppet 30 minutes to roll out this across the fleet)

tstarling added a comment.Feb 28 2023, 12:18 AM

<legoktm> TimStarling: curious if you have thoughts on https://www.mediawiki.org/wiki/Manual:Security#Upload_security recommending "AllowOverride None" to disable .htaccess files, which would prevent core's images/.htaccess from applying extra hardening in the future

I think "AllowOverride None" is prudent for web-writable directories. The risk is escalation from an arbitrary file write vulnerability to arbitrary execution by writing a malicious .htaccess file. The risk created by not having .htaccess is only XSS, which is not so bad. If we do a curl request on install/upgrade, as I suggested on Gerrit, we could prompt the user to modify their Apache config.

gerritbot added a comment.Mar 7 2023, 2:44 AM

Change 802592 merged by jenkins-bot:

[mediawiki/core@master] Remove IEContentAnalyzer

https://gerrit.wikimedia.org/r/802592

ReleaseTaggerBot edited projects, added MW-1.40-notes (1.40.0-wmf.27; 2023-03-13); removed MW-1.40-notes (1.40.0-wmf.25; 2023-02-27).Mar 7 2023, 3:00 AM
Jdforrester-WMF closed this task as Resolved.Mar 7 2023, 1:52 PM
gerritbot added a comment.Mar 21 2023, 10:11 AM

Change 891678 merged by jenkins-bot:

[mediawiki/core@master] Check images server responses for nosniff

https://gerrit.wikimedia.org/r/891678

Maintenance_bot removed a project: Patch-For-Review.Mar 21 2023, 10:33 AM
ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.2; 2023-03-27).Mar 21 2023, 11:00 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits