Page MenuHomePhabricator
Create Task
Maniphest T222038

Exposed suppressed log in RevisionDelete page
Closed, ResolvedPublic
Actions

Assigned To
sbassett
Authored By
Rxy
Apr 28 2019, 2:56 PM
Tags
Referenced Files
F28838873: T222036.patch
Apr 28 2019, 8:30 PM
F28839068: T222038-formatter.patch
Apr 28 2019, 8:27 PM
F28839051: T222038.patch
Apr 28 2019, 8:27 PM
Subscribers
aaron
Aklapper
Bawolff
csteipp
Jalexander
Krenair
Ohgi
View All 11 Subscribers

Description

Expose suppress log (Special:Log/suppress) by set logid by manually

Pre-requirements:

  • The wiki haves one or more tags for add or remove tags.

Step to reproduce:

  1. Logged in as user
  2. Go to Special:Log
  3. Check any entry
  4. Click [Edit tags of selected log entries] (MediaWiki:log-edit-tags) button
  5. Set logid as suppress log (e.g. increase or decrease logid by any logid)
  6. View the page

e.g. https://test.wikipedia.org/w/index.php?action=historysubmit&type=logging&revisiondelete=1&ids%5B224251%5D=1

Expected:
MUST prohibit access to the log

Original reporter : User:Ohgi

Related with T222036 - Case 2

Details

SubjectRepoBranchLines +/-
Add permission check for user is permitted to view the log typemediawiki/coremaster+434 -3
SECURITY: Add permission check for user is permitted to view the log typemediawiki/coreREL1_31+23 -2
SECURITY: Add permission check for user is permitted to view the log typemediawiki/coreREL1_33+23 -2
SECURITY: Add permission check for user is permitted to view the log typemediawiki/coreREL1_32+23 -2
SECURITY: Add permission check for user is permitted to view the log typemediawiki/coremaster+23 -2
SECURITY: Add permission check for user is permitted to view the log typemediawiki/coreREL1_30+24 -2
SECURITY: Add permission check for user is permitted to view the log typemediawiki/coreREL1_27+24 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Rxy created this task.Apr 28 2019, 2:56 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 28 2019, 2:56 PM
Rxy triaged this task as Unbreak Now! priority.Apr 28 2019, 2:57 PM
Rxy added a project: MediaWiki-Revision-deletion.
Rxy updated the task description. (Show Details)
Rxy added a subscriber: Ohgi.
Rxy updated the task description. (Show Details)Apr 28 2019, 3:11 PM
Rxy added a project: MediaWiki-Logevents.Apr 28 2019, 6:54 PM
Rxy added a project: Patch-For-Review.EditedApr 28 2019, 8:27 PM

T222038.patch2 KBDownload

This patch is security fix patch also covers T222036 Case 2 (must applied F28838873 T222036.patch too)

T222038-formatter.patch3 KBDownload

This patch is similar with F28839051 (T222038.patch), but additionally contains fixing to LogFormatter too (may overkill too).

Rxy added a project: User-Rxy.Apr 28 2019, 8:36 PM
Rxy moved this task from Backlog to Security on the User-Rxy board.
Reedy renamed this task from Expose suppressed log in RevisionDelete page to Exposed suppressed log in RevisionDelete page.Apr 29 2019, 3:00 PM
Reedy subscribed.Apr 29 2019, 3:13 PM

What is the difference between this and case 2 in T222036?

Rxy added a comment.Apr 29 2019, 3:58 PM
In T222038#5143924, @Reedy wrote:

What is the difference between this and case 2 in T222036?

I guess based trouble is same with T222036 Case2.

the task is wrote before I read or investigate codes. And I assumed to Case2 is specific to EditTags, but that assume is wrong and actually problem is LogEventsList::userCan() related.

Reedy added a parent task: T205041: Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release.Apr 30 2019, 3:52 PM
Rxy updated the task description. (Show Details)Apr 30 2019, 4:07 PM
Bawolff subscribed.Apr 30 2019, 7:10 PM
In T222038#5142604, @Rxy wrote:

T222038.patch2 KBDownload

+1 on this patch

I do note some of the error messages are not great, but that was a pre-existing problem.

This patch is security fix patch also covers T222036 Case 2 (must applied F28838873 T222036.patch too)

T222038-formatter.patch3 KBDownload

This patch is similar with F28839051 (T222038.patch), but additionally contains fixing to LogFormatter too (may overkill too).

I think that's a reasonable hardening measure, but we should do that after the initial issue is fixed, and probably publicly.

sbassett subscribed.Apr 30 2019, 9:52 PM

T222038.patch was deployed to 1.34.0-wmf.1 and 1.34.0-wmf.3.

Chatting w/ @Bawolff and @Reedy, T222038-formatter.patch should just be pushed up publicly to gerrit.

sbassett closed this task as Resolved.Apr 30 2019, 9:53 PM
sbassett claimed this task.
sbassett mentioned this in T222324: Unable to perform revision deletion on Commons.May 2 2019, 3:59 PM
sbassett added a comment.May 2 2019, 8:03 PM

Note: T222038-formatter.patch is now up on gerrit: https://gerrit.wikimedia.org/r/507870

sbassett added a comment.EditedMay 2 2019, 8:10 PM

Well, duh, r/507870 is failing CI builds because LogFormatter::canViewLogType() doesn't exist on master. Set WIP for now. Given that the sec patches are already deployed, I think this can probably just wait in gerrit until it can be merged.

Rxy added a comment.May 3 2019, 1:13 AM
In T222038#5154164, @sbassett wrote:

Well, duh, r/507870 is failing CI builds because LogFormatter::canViewLogType() doesn't exist on master. Set WIP for now. Given that the sec patches are already deployed, I think this can probably just wait in gerrit until it can be merged.

It seems the gerrit patch is not same with F28839068 ...

Also I can't modify the gerrit patch due to recent permission changes

sbassett added a comment.May 3 2019, 2:53 PM

@Rxy - Apologies, the patch set should be fixed in gerrit now. I had manually modified F28839068 so as not to include the duplicate changes in F28839051 for includes/logging/LogEventsList.php, since that was already deployed as a security patch on Tuesday. Unfortunately, in doing so, I conflated userCanViewLogType and canViewLogType which, again, should now be resolved in the patch set.

Reedy mentioned this in T205041: Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release.May 28 2019, 2:50 PM
Reedy mentioned this in T205048: Obtain CVEs for 1.27.6/1.30.2/1.31.2/1.32.2 security releases.May 29 2019, 12:13 AM
Reedy mentioned this in T224499: RELEASE-NOTES for 1.27.6/1.30.2/1.31.2/1.32.2.May 29 2019, 12:32 AM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 6 2019, 4:01 PM
gerritbot added a comment.Jun 6 2019, 4:06 PM

Change 514768 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_27] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514768

gerritbot added a comment.Jun 6 2019, 4:07 PM

Change 514768 merged by Reedy:
[mediawiki/core@REL1_27] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514768

gerritbot added a comment.Jun 6 2019, 4:08 PM

Change 514779 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_30] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514779

gerritbot added a comment.Jun 6 2019, 4:08 PM

Change 514779 merged by Reedy:
[mediawiki/core@REL1_30] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514779

ReleaseTaggerBot added projects: MW-1.27-release-notes, MW-1.30-release-notes.Jun 6 2019, 5:00 PM
Umherirrender merged a task: T96079: Can view and hide log entry for suppress actions.Jun 6 2019, 6:09 PM
Umherirrender added subscribers: Umherirrender, Krenair, csteipp and 2 others.
gerritbot added a comment.Jun 6 2019, 7:02 PM

Change 514855 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_31] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514855

gerritbot added a comment.Jun 6 2019, 8:37 PM

Change 514759 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514759

gerritbot added a comment.Jun 6 2019, 8:52 PM

Change 514955 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_32] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514955

ReleaseTaggerBot added a project: MW-1.34-notes (1.34.0-wmf.10; 2019-06-18).Jun 6 2019, 9:00 PM
gerritbot added a comment.Jun 6 2019, 11:02 PM

Change 514979 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_33] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514979

gerritbot added a comment.Jun 6 2019, 11:19 PM

Change 514955 merged by jenkins-bot:
[mediawiki/core@REL1_32] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514955

gerritbot added a comment.Jun 6 2019, 11:41 PM

Change 514979 merged by jenkins-bot:
[mediawiki/core@REL1_33] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514979

ReleaseTaggerBot added projects: MW-1.33-notes, MW-1.32-notes.Jun 7 2019, 12:01 AM
gerritbot added a comment.Jun 7 2019, 12:03 AM

Change 514855 merged by jenkins-bot:
[mediawiki/core@REL1_31] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514855

ReleaseTaggerBot added a project: MW-1.31-release-notes.Jun 7 2019, 1:00 AM
gerritbot added a comment.Jul 25 2019, 9:26 PM

Change 507870 merged by jenkins-bot:
[mediawiki/core@master] Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/507870

ReleaseTaggerBot edited projects, added MW-1.34-notes (1.34.0-wmf.16; 2019-07-30); removed MW-1.34-notes (1.34.0-wmf.10; 2019-06-18).Jul 25 2019, 10:00 PM
Rxy mentioned this in T239494: Requesting access to LogStash for rxy.Nov 30 2019, 12:26 AM
chasemp added a project: Security.Feb 10 2020, 10:50 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL