Rxy, Apr 28 2019, 2:14 PM
F28838873: T222036.patch, Apr 28 2019, 8:12 PM
Description
The EditTags/revision delete interface leaks the following data to users with the appropriate rights (in the EditTags case, that is all users):
- the target of log entries that are restricted via the log_deleted db field;
- the full log entry of logs that are restricted via $wgLogRestrictions.
Case 1
Special:EditTags exposes a suppressed (hideuser-ed) username in the (Logs) link because the username is hard coded.
Steps to reproduce:
- Log in as a user
- Go to Special:Log/block or a similar page
- Check a log entry whose username is revision-deleted or suppressed
- Click the [Edit tags of selected log entries] (MediaWiki:log-edit-tags) button
- Click the (Logs) link
Expected:
The username should not be hard coded in the link when the log entry is deleted or suppressed.
Original reporter: User:Ohgi
Case 2
Exposes the suppress log by setting the logid manually.
Steps to reproduce:
- Log in as a user
- Go to Special:Log
- Check any entry
- Click the [Edit tags of selected log entries] (MediaWiki:log-edit-tags) button
- Set the logid to that of a suppress log entry (e.g. increase or decrease the logid by any amount)
- View the page
Expected:
Access to the log MUST be prohibited.
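As an added illustration (not code from this task or from MediaWiki core), a simplified PHP model of the two checks the report asks for: a log-type restriction check against $wgLogRestrictions for Case 2, and a log_deleted bitfield check before a target name is placed in the (Logs) link for Case 1. The DELETED_* values mirror MediaWiki's LogPage constants; the right names, the sample entry and the functions themselves are this example's own assumptions.

```php
<?php
// Added example, not MediaWiki code: a simplified model of the checks the task asks for.
// The DELETED_* values mirror LogPage::DELETED_* in core; everything else is constructed.
const DELETED_ACTION     = 1; // log_deleted bit: action/target hidden
const DELETED_RESTRICTED = 8; // hidden at "suppressed" strength

// Case 2: $wgLogRestrictions maps a log type to the right required to see it at all.
$wgLogRestrictions = [ 'suppress' => 'suppress' ];

// May this user view entries of the given log type at all?
function userCanViewLogType( string $logType, array $userRights, array $logRestrictions ): bool {
    if ( !isset( $logRestrictions[$logType] ) ) {
        return true; // unrestricted log type
    }
    return in_array( $logRestrictions[$logType], $userRights, true );
}

// Case 1: is a log_deleted-protected field visible to this user? A field hidden with
// DELETED_RESTRICTED needs 'suppressrevision'; an ordinary deletion needs 'deletedhistory'.
function userCanSeeField( int $logDeleted, int $field, array $userRights ): bool {
    if ( ( $logDeleted & $field ) === 0 ) {
        return true; // field not hidden
    }
    $needed = ( $logDeleted & DELETED_RESTRICTED ) ? 'suppressrevision' : 'deletedhistory';
    return in_array( $needed, $userRights, true );
}

// Build the "(Logs)" link for an EditTags row. The leaky form interpolated the target
// name unconditionally; this form applies both checks first.
function buildLogsLink( array $entry, array $userRights, array $logRestrictions ): ?string {
    if ( !userCanViewLogType( $entry['log_type'], $userRights, $logRestrictions ) ) {
        return null; // Case 2: the entry must not be rendered at all
    }
    if ( !userCanSeeField( $entry['log_deleted'], DELETED_ACTION, $userRights ) ) {
        return '(Logs)'; // Case 1: keep the label, drop the hidden target
    }
    return '(Logs: Special:Log/' . $entry['log_type'] . '/' . $entry['log_target'] . ')';
}

// Constructed sample: a block log entry whose target was hidden via hideuser.
$entry = [ 'log_type' => 'block', 'log_target' => 'ExampleHiddenUser',
           'log_deleted' => DELETED_ACTION | DELETED_RESTRICTED ];
var_dump( buildLogsLink( $entry, [ 'edit' ], $wgLogRestrictions ) );
var_dump( buildLogsLink( $entry, [ 'suppressrevision' ], $wgLogRestrictions ) );
// A suppress-log entry requested by logid: hidden entirely from a user without 'suppress'.
$suppressEntry = [ 'log_type' => 'suppress', 'log_target' => 'Example', 'log_deleted' => 0 ];
var_dump( buildLogsLink( $suppressEntry, [ 'edit' ], $wgLogRestrictions ) );
```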
Related Objects
| Status | Assigned | Task |
|---|---|---|
| Resolved | dancy | T302086 Set scap minimum python version to 3.7 |
| Resolved | None | T247045 Migrate all of production metal and VMs to Buster or later |
| Resolved | akosiaris | T249724 Track and remove jessie based container images from production |
| Resolved | Jdforrester-WMF | T224908 Drop jessie testing support |
| Resolved | Jdforrester-WMF | T224907 Drop php55 testing support |
| Resolved | Reedy | T205039 Release MediaWiki 1.27.6/1.30.2/1.31.2/1.32.2 |
| Resolved | Reedy | T205041 Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release |
| Resolved | sbassett | T222036 Exposed suppressed username or log in Special:EditTags |
Mentioned In
- T239494: Requesting access to LogStash for rxy
- T224499: RELEASE-NOTES for 1.27.6/1.30.2/1.31.2/1.32.2
- T205048: Obtain CVEs for 1.27.6/1.30.2/1.31.2/1.32.2 security releases
- T205041: Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release
- T222324: Unable to perform revision deletion on Commons
- T222038: Exposed suppressed log in RevisionDelete page
Event Timeline
This is the security fix patch for Case 1.
Just FYI I tested this on history pages, and the bug is not present on history pages.
In T222036#5142596, @Rxy wrote:
> T222036.patch
> This is the security fix patch for Case 1.
So I think this is OK for right now, but long term we might want to make the logic that builds that link actually respect revdel status, like it does on history pages.
Possibly restricting editing tags on any deleted field is a bit too far, but we can sort that out later; I think this patch is good for right now.
So yeah, +1 on this patch.
was deployed to 1.34.0-wmf.1 and 1.34.0-wmf.3.
Change 514767 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_27] SECURITY: Add permission check for user is permitted to view the log type
Change 514767 merged by Reedy:
[mediawiki/core@REL1_27] SECURITY: Add permission check for user is permitted to view the log type
Change 514778 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_30] SECURITY: Add permission check for user is permitted to view the log type
Change 514778 merged by Reedy:
[mediawiki/core@REL1_30] SECURITY: Add permission check for user is permitted to view the log type
Change 514854 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_31] SECURITY: Add permission check for user is permitted to view the log type
Change 514758 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: Add permission check for user is permitted to view the log type
Change 514954 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_32] SECURITY: Add permission check for user is permitted to view the log type
Change 514978 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_33] SECURITY: Add permission check for user is permitted to view the log type
Change 514954 merged by jenkins-bot:
[mediawiki/core@REL1_32] SECURITY: Add permission check for user is permitted to view the log type
Change 514978 merged by jenkins-bot:
[mediawiki/core@REL1_33] SECURITY: Add permission check for user is permitted to view the log type
Change 514854 merged by jenkins-bot:
[mediawiki/core@REL1_31] SECURITY: Add permission check for user is permitted to view the log type
