Repro steps:
- Make an edit
- Suppress the username (and only that)
- Go to Special:AbuseFilter/examine
- Put the suppressed username in the user field, submit the form
-> The suppressed edit will show up, even if you don't have oversight rights
Author: Daimona (Feb 8 2021, 3:41 PM)
Attached files:
- F34148461: T274152-rev2.patch (Mar 9 2021, 10:17 PM)
- F34095359: T274152.patch (Feb 8 2021, 4:36 PM)
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Daimona | T273970 Adjust visibility of AbuseLog entries and related items
Resolved | Security | Daimona | T274158 Improve revision visibility after recent security patches
Resolved | Security | Daimona | T274152 Special:AbuseFilter/examine reveals suppressed usernames (CVE-2021-31549)
And also on /test. This would require the same logic as T233222, but for now I'm just hiding the rows.
Deployed!
14:52 <Urbanecm> !log Deploy security patch (T274152)
14:52 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log
Thanks. I'm tracking this in T270466. I'll try to get to the backports (at least for master) and CVE this week.
Like T71367, this patch no longer applies cleanly with --3way:
# --no-3way:
brennen@deploy1002:/srv/mediawiki-staging/php-1.36.0-wmf.34/extensions/AbuseFilter$ git apply --no-3way --check /srv/patches/1.36.0-wmf.34/extensions/AbuseFilter/05-T274152.patch
error: patch failed: includes/View/AbuseFilterViewTestBatch.php:254
error: includes/View/AbuseFilterViewTestBatch.php: patch does not apply

# --3way:
brennen@deploy1002:/srv/mediawiki-staging/php-1.36.0-wmf.34/extensions/AbuseFilter$ git apply --3way --check /srv/patches/1.36.0-wmf.34/extensions/AbuseFilter/05-T274152.patch
error: patch failed: includes/View/AbuseFilterViewTestBatch.php:254
Falling back to three-way merge...
Applied patch to 'includes/View/AbuseFilterViewTestBatch.php' cleanly.
Change 670310 had a related patch set uploaded (by SBassett; owner: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@master] SECURITY: Remove deleted rows from /examine and /test
This will be backported to master once the change set above ^ is merged.
And here's an updated patch which should apply (without a 3-way fallback) to wmf.34 - I'll upload it to /srv/patches on deployment as well:
Change 670310 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] SECURITY: Remove deleted rows from /examine and /test
Change 670785 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@master] Apply proper visibility checks for recentchanges queries
Change 670785 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Apply proper visibility checks for recentchanges queries
Change 678661 had a related patch set uploaded (by Reedy; author: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@REL1_35] SECURITY: Remove deleted rows from /examine and /test
Change 678662 had a related patch set uploaded (by Reedy; author: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@REL1_35] Apply proper visibility checks for recentchanges queries
Change 678663 had a related patch set uploaded (by Reedy; author: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@REL1_31] SECURITY: Remove deleted rows from /examine and /test
Change 678661 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@REL1_35] SECURITY: Remove deleted rows from /examine and /test
Change 678663 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@REL1_31] SECURITY: Remove deleted rows from /examine and /test
Change 678664 had a related patch set uploaded (by Reedy; author: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@REL1_31] Apply proper visibility checks for recentchanges queries
Change 678664 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@REL1_31] Apply proper visibility checks for recentchanges queries
Change 678662 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@REL1_35] Apply proper visibility checks for recentchanges queries