Page MenuHomePhabricator
Create Task
Maniphest T274152

Special:AbuseFilter/examine reveals suppressed usernames (CVE-2021-31549)
Closed, ResolvedPublicSecurity
Actions

Description

Repro steps:

  • Make an edit
  • Suppress the username (and only that)
  • Go to Special:AbuseFilter/examine
  • Put the suppressed username in the user field, submit the form

-> The suppressed edit will show up, even if you don't have oversight rights

Details

SubjectRepoBranchLines +/-
Apply proper visibility checks for recentchanges queriesmediawiki/extensions/AbuseFilterREL1_35+22 -5
Apply proper visibility checks for recentchanges queriesmediawiki/extensions/AbuseFilterREL1_31+17 -6
SECURITY: Remove deleted rows from /examine and /testmediawiki/extensions/AbuseFilterREL1_31+12 -1
SECURITY: Remove deleted rows from /examine and /testmediawiki/extensions/AbuseFilterREL1_35+11 -1
Apply proper visibility checks for recentchanges queriesmediawiki/extensions/AbuseFiltermaster+18 -5
SECURITY: Remove deleted rows from /examine and /testmediawiki/extensions/AbuseFiltermaster+11 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Daimona created this task.Feb 8 2021, 3:41 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 8 2021, 3:41 PM
Daimona added projects: AbuseFilter, Vuln-Infoleak.Feb 8 2021, 3:41 PM
Daimona updated the task description. (Show Details)
Daimona claimed this task.Feb 8 2021, 4:26 PM

And also on /test. This would require the same logic as T233222, but for now I'm just hiding the rows.

sbassett moved this task from Incoming to Watching on the Security-Team board.Feb 8 2021, 4:27 PM
Daimona added a comment.Feb 8 2021, 4:36 PM

T274152.patch2 KBDownload

Daimona mentioned this in T274158: Improve revision visibility after recent security patches.Feb 8 2021, 4:39 PM
Daimona added a parent task: T274158: Improve revision visibility after recent security patches.
sbassett moved this task from Watching to Security Patch To Deploy on the Security-Team board.Feb 8 2021, 10:29 PM
Urbanecm moved this task from Security Patch To Deploy to Incoming on the Security-Team board.Feb 9 2021, 1:53 PM
Urbanecm subscribed.

Deployed!

14:52 <Urbanecm> !log Deploy security patch (T274152)
14:52 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log
sbassett moved this task from Incoming to In Progress on the Security-Team board.Feb 9 2021, 7:29 PM
sbassett mentioned this in T270466: Write and send supplementary release announcement for extensions and skins with security patches (1.31.13/1.35.2).
sbassett subscribed.Feb 9 2021, 7:34 PM
In T274152#6814992, @Urbanecm wrote:
14:52 <Urbanecm> !log Deploy security patch (T274152)

Thanks. I'm tracking this in T270466. I'll try to get to the backports (at least for master) and CVE this week.

brennen subscribed.Mar 9 2021, 5:53 PM

Like T71367, this patch no longer applies cleanly with --3way:

# --no-3way:
brennen@deploy1002:/srv/mediawiki-staging/php-1.36.0-wmf.34/extensions/AbuseFilter$ git apply --no-3way --check /srv/patches/1.36.0-wmf.34/extensions/AbuseFilter/05-T274152.patch
error: patch failed: includes/View/AbuseFilterViewTestBatch.php:254
error: includes/View/AbuseFilterViewTestBatch.php: patch does not apply

# --3way:
brennen@deploy1002:/srv/mediawiki-staging/php-1.36.0-wmf.34/extensions/AbuseFilter$ git apply --3way --check /srv/patches/1.36.0-wmf.34/extensions/AbuseFilter/05-T274152.patch
error: patch failed: includes/View/AbuseFilterViewTestBatch.php:254
Falling back to three-way merge...
Applied patch to 'includes/View/AbuseFilterViewTestBatch.php' cleanly.
sbassett triaged this task as Low priority.Mar 9 2021, 10:09 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
gerritbot added a comment.Mar 9 2021, 10:10 PM

Change 670310 had a related patch set uploaded (by SBassett; owner: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@master] SECURITY: Remove deleted rows from /examine and /test

https://gerrit.wikimedia.org/r/670310

gerritbot added a project: Patch-For-Review.Mar 9 2021, 10:10 PM
sbassett added a comment.Mar 9 2021, 10:17 PM

This will be backported to master once the change set above ^ is merged.

And here's an updated patch which should apply (without a 3-way fallback) to wmf.34 - I'll upload it to /srv/patches on deployment as well:

T274152-rev2.patch2 KBDownload

gerritbot added a comment.Mar 9 2021, 11:03 PM

Change 670310 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] SECURITY: Remove deleted rows from /examine and /test

https://gerrit.wikimedia.org/r/670310

Maintenance_bot removed a project: Patch-For-Review.Mar 9 2021, 11:10 PM
ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.35; 2021-03-16).Mar 10 2021, 12:00 AM
RhinosF1 subscribed.Mar 10 2021, 7:11 AM
gerritbot added a comment.Mar 11 2021, 10:52 AM

Change 670785 had a related patch set uploaded (by Daimona Eaytoy; owner: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@master] Apply proper visibility checks for recentchanges queries

https://gerrit.wikimedia.org/r/670785

gerritbot added a project: Patch-For-Review.Mar 11 2021, 10:52 AM
gerritbot added a comment.Mar 18 2021, 10:03 AM

Change 670785 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Apply proper visibility checks for recentchanges queries

https://gerrit.wikimedia.org/r/670785

Maintenance_bot removed a project: Patch-For-Review.Mar 18 2021, 10:10 AM
gerritbot added a comment.Apr 13 2021, 12:53 AM

Change 678661 had a related patch set uploaded (by Reedy; author: Daimona Eaytoy):

[mediawiki/extensions/AbuseFilter@REL1_35] SECURITY: Remove deleted rows from /examine and /test

https://gerrit.wikimedia.org/r/678661

gerritbot added a project: Patch-For-Review.Apr 13 2021, 12:53 AM
gerritbot added a comment.Apr 13 2021, 1:00 AM

Change 678662 had a related patch set uploaded (by Reedy; author: Daimona Eaytoy):

[mediawiki/extensions/AbuseFilter@REL1_35] Apply proper visibility checks for recentchanges queries

https://gerrit.wikimedia.org/r/678662

gerritbot added a comment.Apr 13 2021, 1:04 AM

Change 678663 had a related patch set uploaded (by Reedy; author: Daimona Eaytoy):

[mediawiki/extensions/AbuseFilter@REL1_31] SECURITY: Remove deleted rows from /examine and /test

https://gerrit.wikimedia.org/r/678663

gerritbot added a comment.Apr 13 2021, 1:08 AM

Change 678661 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@REL1_35] SECURITY: Remove deleted rows from /examine and /test

https://gerrit.wikimedia.org/r/678661

gerritbot added a comment.Apr 13 2021, 1:15 AM

Change 678663 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@REL1_31] SECURITY: Remove deleted rows from /examine and /test

https://gerrit.wikimedia.org/r/678663

Reedy closed this task as Resolved.Apr 13 2021, 1:17 AM
gerritbot added a comment.Apr 13 2021, 1:19 AM

Change 678664 had a related patch set uploaded (by Reedy; author: Daimona Eaytoy):

[mediawiki/extensions/AbuseFilter@REL1_31] Apply proper visibility checks for recentchanges queries

https://gerrit.wikimedia.org/r/678664

gerritbot added a comment.Apr 13 2021, 1:31 AM

Change 678664 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@REL1_31] Apply proper visibility checks for recentchanges queries

https://gerrit.wikimedia.org/r/678664

gerritbot added a comment.Apr 13 2021, 1:32 AM

Change 678662 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@REL1_35] Apply proper visibility checks for recentchanges queries

https://gerrit.wikimedia.org/r/678662

Maintenance_bot removed a project: Patch-For-Review.Apr 13 2021, 2:11 AM
sbassett renamed this task from Special:AbuseFilter/examine reveals suppressed usernames to Special:AbuseFilter/examine reveals suppressed usernames (CVE-2021-31549).Apr 23 2021, 6:52 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL