Page MenuHomePhabricator

Exposed suppressed username or log in Special:EditTags
Closed, ResolvedPublic

Description

EditTags/revision delete interface leaks the following data for users with appropriate rights (in edittags case that is all users): The target of log entries that are restricted via log_deleted db field. The full log entry of logs that are restricted via $wgLogRestrictions

Case 1

Special:EditTags exposes suppressed (hideuser-ed) username in (Logs) link due to username are hard coded.

Step to reproduce:

  1. Logged in as user
  2. Go to Special:Log/block or similar page
  3. Check revision deleted or suppressed username log entry
  4. Click [Edit tags of selected log entries] (MediaWiki:log-edit-tags) button
  5. Click (Logs) Link

Expected:
Should not hard code username in the link when log is deleted or suppressed.

Original reporter : User:Ohgi

Case 2

Expose suppress log by set logid by manually

Step to reproduce:

  1. Logged in as user
  2. Go to Special:Log
  3. Check any entry
  4. Click [Edit tags of selected log entries] (MediaWiki:log-edit-tags) button
  5. Set logid as suppress log (e.g. increase or decrease logid by any logid)
  6. View the page

e.g. https://test.wikipedia.org/w/index.php?action=historysubmit&type=logging&editchangetags=1&ids%5B224251%5D=1

Expected:
MUST prohibit access to the log

Event Timeline

Rxy renamed this task from Expose suppressed username in Special:EditTags to Expose suppressed username or log in Special:EditTags.Apr 28 2019, 2:49 PM
Rxy raised the priority of this task from High to Unbreak Now!.
Rxy updated the task description. (Show Details)
Rxy updated the task description. (Show Details)

This is security fix patch for Case 1

Rxy moved this task from Backlog to Security on the User-Rxy board.
Reedy renamed this task from Expose suppressed username or log in Special:EditTags to Exposed suppressed username or log in Special:EditTags.Apr 29 2019, 3:01 PM

Just FYI I tested this on history pages, and the bug is not present on history pages.

This is security fix patch for Case 1

So i think this is ok for right now, but long term we might want to make the logic that makes that (logs) link actually respect revdel status, like it does on history pages.

Possibly restricted editing tags on any deleted field is a bit too far, but we can sort that out later, I think this patch is good for right now.

So yeah, +1 on this patch

T222036.patch was deployed to 1.34.0-wmf.1 and 1.34.0-wmf.3.

sbassett claimed this task.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 6 2019, 4:03 PM

Change 514767 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_27] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514767

Change 514767 merged by Reedy:
[mediawiki/core@REL1_27] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514767

Change 514778 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_30] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514778

Change 514778 merged by Reedy:
[mediawiki/core@REL1_30] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514778

Change 514854 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_31] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514854

Change 514758 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514758

Change 514954 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_32] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514954

Change 514978 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_33] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514978

Change 514954 merged by jenkins-bot:
[mediawiki/core@REL1_32] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514954

Change 514978 merged by jenkins-bot:
[mediawiki/core@REL1_33] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514978

Change 514854 merged by jenkins-bot:
[mediawiki/core@REL1_31] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514854