Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F13975535
T187638.patch
No One
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Authored By
Bawolff
Feb 23 2018, 9:55 PM
2018-02-23 21:55:29 (UTC+0)
Size
3 KB
Referenced Files
None
Subscribers
None
T187638.patch
View Options
From c81092e76e9f72238f9d4ec7381e1b5a33abc57a Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Fri, 23 Feb 2018 21:31:28 +0000
Subject: [PATCH] SECURITY: Respect revision delete in Special:Redirect
Special:Redirect could potentially leak information about
revdel'd log entries and users (hideuser) to users who are not
supposed to see this information.
Bug: T187638
Change-Id: I16d4ec0801e8dda158ee12b8e3ebeae1878e051a
---
includes/specials/SpecialRedirect.php | 40 ++++++++++++++++++++++++++++++++---
1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/includes/specials/SpecialRedirect.php b/includes/specials/SpecialRedirect.php
index 3273046..4df031f 100644
--- a/includes/specials/SpecialRedirect.php
+++ b/includes/specials/SpecialRedirect.php
@@ -79,6 +79,9 @@ class SpecialRedirect extends FormSpecialPage {
if ( $user->isAnon() ) {
return null;
}
+ if ( $user->isHidden() && !$this->getUser()->isAllowed( 'hideuser' ) ) {
+ return null;
+ }
$userpage = Title::makeTitle( NS_USER, $username );
return $userpage->getFullURL( '', false, PROTO_CURRENT );
@@ -179,19 +182,24 @@ class SpecialRedirect extends FormSpecialPage {
$logparams = [
'log_id',
+ 'log_deleted',
'log_timestamp',
'log_type',
'log_user_text',
];
+ $user = $this->getUser();
+
$dbr = wfGetDB( DB_REPLICA );
+ // Exclude logs user does not have right to view
+ $restrictClause = LogEventsList::getExcludeClause( $dbr, 'user', $user ) ?: '1=1';
// Gets the nested SQL statement which
// returns timestamp of the log with the given log ID
$inner = $dbr->selectSQLText(
'logging',
[ 'log_timestamp' ],
- [ 'log_id' => $logid ]
+ [ 'log_id' => $logid, $restrictClause ]
);
// Returns all fields mentioned in $logparams of the logs
@@ -199,7 +207,7 @@ class SpecialRedirect extends FormSpecialPage {
$logsSameTimestamps = $dbr->select(
'logging',
$logparams,
- [ "log_timestamp = ($inner)" ]
+ [ "log_timestamp = ($inner)", $restrictClause ]
);
if ( $logsSameTimestamps->numRows() === 0 ) {
return null;
@@ -213,6 +221,13 @@ class SpecialRedirect extends FormSpecialPage {
}
}
+ $fieldToBitsMapping = [
+ 'log_type' => LogPage::DELETED_ACTION,
+ 'log_user_text' => LogPage::DELETED_USER
+ ];
+
+ // get rid of log_id and log_deleted.
+ array_shift( $logparams );
array_shift( $logparams );
// Stores all the rows with the same values in each column
@@ -220,6 +235,21 @@ class SpecialRedirect extends FormSpecialPage {
foreach ( $logparams as $cond ) {
$matchedRows = [];
foreach ( $logsSameTimestamps as $row ) {
+ if ( !LogEventsList::userCan(
+ $rowMain, $fieldToBitsMapping[$cond], $user
+ ) ) {
+ // This field is redacted for main log entry,
+ // so treat as always matching.
+ $matchedRows[] = $row;
+ continue;
+ }
+ if ( !LogEventsList::userCan(
+ $row, $fieldToBitsMapping[$cond], $user
+ ) ) {
+ // The comparision row is redacted, but the main
+ // row is not. Treat this as a non-match.
+ continue;
+ }
if ( $row->$cond === $rowMain->$cond ) {
$matchedRows[] = $row;
}
@@ -239,7 +269,11 @@ class SpecialRedirect extends FormSpecialPage {
];
foreach ( $logparams as $logKey ) {
- $query[$keys[$logKey]] = $matchedRows[0]->$logKey;
+ if ( LogEventsList::userCan(
+ $rowMain, $fieldToBitsMapping[$logKey], $user
+ ) ) {
+ $query[$keys[$logKey]] = $matchedRows[0]->$logKey;
+ }
}
$query['offset'] = $query['offset'] + 1;
$url = $query;
--
2.8.1
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
5562298
Default Alt Text
T187638.patch (3 KB)
Attached To
Mode
T187638: When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information (CVE-2018-0504)
Attached
Detach File
Event Timeline
Log In to Comment