Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F33955446
0001-SECURITY-Act-like-users-don-t-exist_wmf22.patch
matmarex (Bartosz Dziewoński)
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Authored By
matmarex
Dec 18 2020, 3:56 PM
2020-12-18 15:56:29 (UTC+0)
Size
1 KB
Referenced Files
None
Subscribers
None
0001-SECURITY-Act-like-users-don-t-exist_wmf22.patch
View Options
From 45ad60f943c47579390207b50dbc8984073bd5c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartosz=20Dziewo=C5=84ski?= <matma.rex@gmail.com>
Date: Fri, 18 Dec 2020 16:47:05 +0100
Subject: [PATCH] SECURITY: Act like users don't exist if hidden from viewer
(VE edit notices)
Applying the changes from the MediaWiki core patch for T120883
(Ife272a0eb1f3322bc8eb30ca803bd21801acba3e) to our duplicated
code implementing the same functionality.
Bug: T270453
Change-Id: I1b2de322aa0c69eb6d3b3ffadaed3fbaa3a58bca
---
includes/ApiVisualEditor.php | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/includes/ApiVisualEditor.php b/includes/ApiVisualEditor.php
index ff98b2aaf..b4594e89e 100644
--- a/includes/ApiVisualEditor.php
+++ b/includes/ApiVisualEditor.php
@@ -393,11 +393,15 @@ class ApiVisualEditor extends ApiBase {
/* allow IP users*/ false
);
$block = $targetUser->getBlock();
-
- if (
- !( $targetUser && $targetUser->isLoggedIn() ) &&
- !User::isIP( $targetUsername )
+ $targetUserExists = ( $targetUser && $targetUser->isLoggedIn() );
+ if ( $targetUserExists && $targetUser->isHidden() &&
+ !$permissionManager->userHasRight( $user, 'hideuser' )
) {
+ // If the user exists, but is hidden, and the viewer cannot see hidden
+ // users, pretend like they don't exist at all. See T120883/T270453
+ $targetUserExists = false;
+ }
+ if ( !$targetUserExists && !User::isIP( $targetUsername ) ) {
// User does not exist
$notices[] = "<div class=\"mw-userpage-userdoesnotexist error\">\n" .
$this->msg( 'userpage-userdoesnotexist', wfEscapeWikiText( $targetUsername ) )
--
2.28.0.windows.1
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
8807624
Default Alt Text
0001-SECURITY-Act-like-users-don-t-exist_wmf22.patch (1 KB)
Attached To
Mode
T270453: CVE-2021-30153: ApiVisualEditor leaks info about hidden users
Attached
Detach File
Event Timeline
Log In to Comment