F26617569
T207085.patch
Daimona
Authored By
Daimona
Oct 17 2018, 5:43 AM
2018-10-17 05:43:07 (UTC+0)
Size
4 KB
Referenced Files
None
Subscribers
None
T207085.patch
From 0465da40626b7af878d8987d00e820ab609b45dd Mon Sep 17 00:00:00 2001
From: Daimona Eaytoy <daimona.wiki@gmail.com>
Date: Tue, 16 Oct 2018 23:04:20 +0200
Subject: [PATCH] Remove info leak
Oversighted edits were entirely accessible to non-oversighters via
AbuseFilter/examine for RC, and via AbuseFilter/test.
Bug: T207085
Change-Id: Icfa48e366a7e5e3abd5d2155ecfddfc09b378088
---
includes/AbuseFilterChangesList.php | 5 +++++
includes/Views/AbuseFilterViewExamine.php | 18 ++++++++++++++----
includes/special/SpecialAbuseLog.php | 21 +++++++++++----------
3 files changed, 30 insertions(+), 14 deletions(-)
diff --git a/includes/AbuseFilterChangesList.php b/includes/AbuseFilterChangesList.php
index 139e01ba..22cbf156 100644
--- a/includes/AbuseFilterChangesList.php
+++ b/includes/AbuseFilterChangesList.php
@@ -23,6 +23,11 @@ class AbuseFilterChangesList extends OldChangesList {
* @suppress PhanUndeclaredProperty for $rc->filterResult, which isn't a big deal
*/
public function insertExtra( &$s, &$rc, &$classes ) {
+ if ( (int)$rc->getAttribute( 'rc_deleted' ) !== 0 ) {
+ $s .= ' ' . $this->msg( 'abusefilter-log-hidden-implicit' )->parse();
+ return;
+ }
+
$examineParams = [];
if ( $this->testFilter ) {
$examineParams['testfilter'] = $this->testFilter;
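Review bot: The new guard at the top of insertExtra() tests the raw `rc_deleted` bitfield and returns for every viewer, while the examine view in this same patch decides per user with `Revision::userCan()`, so users who are allowed to see the revision lose the examine link here even though the target page would admit them. If hiding the link for everyone is intended, a comment such as `// Presentation only: access is enforced in AbuseFilterViewExamine` would make clear that this is not the access check. The rest of insertExtra() lies outside the hunk, so it is worth confirming that nothing else rendered for this row (for example a match indicator when `testFilter` is set) still reveals whether the hidden content matched a filter.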
diff --git a/includes/Views/AbuseFilterViewExamine.php b/includes/Views/AbuseFilterViewExamine.php
index aec63b2c..79947233 100644
--- a/includes/Views/AbuseFilterViewExamine.php
+++ b/includes/Views/AbuseFilterViewExamine.php
@@ -112,6 +112,14 @@ class AbuseFilterViewExamine extends AbuseFilterView {
return;
}
+ if ( $row->rc_this_oldid ) {
+ $revision = Revision::newFromId( $row->rc_this_oldid );
+ if ( $revision && !$revision->userCan( Revision::SUPPRESSED_ALL, $this->getUser() ) ) {
+ $out->addWikiMsg( 'abusefilter-log-details-hidden-implicit' );
+ return;
+ }
+ }
+
self::$examineType = 'rc';
self::$examineId = $rcid;
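Review bot: The visibility check only runs when `$row->rc_this_oldid` is non-zero and `Revision::newFromId()` returns an object, so an RC row without a revision, or one whose revision cannot be loaded, skips the check and continues to the examine output. The list hunk in AbuseFilterChangesList.php keys on `rc_deleted` instead, so the two places can disagree about what counts as hidden. Testing the row's own `rc_deleted` bits here as well (assuming the query selects that column) and denying access when the revision cannot be resolved would make this path fail closed. The enclosing method starts and ends outside the hunk.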
@@ -157,10 +165,12 @@ class AbuseFilterViewExamine extends AbuseFilterView {
return;
}
- if ( SpecialAbuseLog::isHidden( $row ) === 'implicit' &&
- !$this->getUser()->isAllowed( 'deletedtext' ) ) {
- $out->addWikiMsg( 'abusefilter-log-details-hidden-implicit' );
- return;
+ if ( is_int( SpecialAbuseLog::isHidden( $row ) ) {
+ $rev = Revision::newFromId( $row->afl_rev_id );
+ if ( !$rev->userCan( SpecialAbuseLog::isHidden( $row ), $this->getUser() ) ) {
+ $out->addWikiMsg( 'abusefilter-log-details-hidden-implicit' );
+ return;
+ }
}
$vars = AbuseFilter::loadVarDump( $row->afl_var_dump );
$out->addJsConfigVars( 'wgAbuseFilterVariables', $vars->dumpAllVars( true ) );
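Review bot: The added condition `if ( is_int( SpecialAbuseLog::isHidden( $row ) ) {` is missing a closing parenthesis, so AbuseFilterViewExamine.php would fail to parse; it should read `if ( is_int( SpecialAbuseLog::isHidden( $row ) ) ) {`. `Revision::newFromId()` can return null (the RC hunk above guards with `$revision &&`), but `$rev->userCan()` is called here without a guard, and the same pattern appears in the @@ -541 hunk of SpecialAbuseLog.php. Storing the result once as `$hidden = SpecialAbuseLog::isHidden( $row );` and testing `if ( !$rev || !$rev->userCan( $hidden, $this->getUser() ) )` would avoid the repeated revision lookup and keep the details hidden when the revision cannot be loaded. The enclosing method starts and ends outside the hunk.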
diff --git a/includes/special/SpecialAbuseLog.php b/includes/special/SpecialAbuseLog.php
index 4344d77d..e8d5a5e4 100644
--- a/includes/special/SpecialAbuseLog.php
+++ b/includes/special/SpecialAbuseLog.php
@@ -541,11 +541,13 @@ class SpecialAbuseLog extends SpecialPage {
$out->addWikiMsg( 'abusefilter-log-details-hidden' );
return;
- } elseif ( self::isHidden( $row ) === 'implicit' &&
- !$this->getUser()->isAllowed( 'deletedtext' ) ) {
+ } elseif ( is_int( SpecialAbuseLog::isHidden( $row ) ) ) {
+ $rev = Revision::newFromId( $row->afl_rev_id );
// The log is visible, but refers to a deleted revision
- $out->addWikiMsg( 'abusefilter-log-details-hidden-implicit' );
- return;
+ if ( !$rev->userCan( SpecialAbuseLog::isHidden( $row ), $this->getUser() ) ) {
+ $out->addWikiMsg( 'abusefilter-log-details-hidden-implicit' );
+ return;
+ }
}
$output = Xml::element(
@@ -1052,7 +1054,7 @@ class SpecialAbuseLog extends SpecialPage {
$description .= ' ' .
$this->msg( 'abusefilter-log-hidden' )->parse();
$class = 'afl-hidden';
- } elseif ( $isHidden === 'implicit' ) {
+ } elseif ( is_int( $isHidden ) ) {
$description .= ' ' .
$this->msg( 'abusefilter-log-hidden-implicit' )->parse();
}
@@ -1100,8 +1102,9 @@ class SpecialAbuseLog extends SpecialPage {
*
* @param stdClass $row The abuse_filter_log row object.
*
- * @return Mixed true if the item is explicitly hidden, false if it is not.
- * The string 'implicit' if it is hidden because the corresponding revision is hidden.
+ * @return bool|int true if the item is explicitly hidden, false if it is not.
+ * Returns an integer if the associated revision is hidden, and such integer
+ * is one of the DELETED_ constants.
*/
public static function isHidden( $row ) {
// First, check if the entry is hidden. Since this is an oversight-level deletion,
@@ -1111,9 +1114,7 @@ class SpecialAbuseLog extends SpecialPage {
}
if ( $row->afl_rev_id ) {
$revision = Revision::newFromId( $row->afl_rev_id );
- if ( $revision && $revision->getVisibility() != 0 ) {
- return 'implicit';
- }
+ return $revision->getVisibility();
}
return false;
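Review bot: isHidden() now dereferences `$revision` without the null check the removed lines had, so a log row whose `afl_rev_id` does not resolve through `Revision::newFromId()` would raise a fatal error instead of falling through to `return false`. It also returns `0` for a fully visible revision, which `is_int()` accepts: assuming `$isHidden` in the @@ -1052 hunk holds this function's result, ordinary entries would be labelled with `abusefilter-log-hidden-implicit`, and both detail views would take the hidden-revision branch for every entry with a revision id. Returning the bitfield only when it is non-zero matches the updated docblock: `$vis = $revision ? $revision->getVisibility() : 0;` followed by `if ( $vis !== 0 ) { return $vis; }`. The function body starts and ends outside the hunk.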
--
2.18.0.windows.1
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
6549676
Default Alt Text
T207085.patch (4 KB)
Attached To
Mode
T207085: Suppressed edits remain examinable in AbuseFilter
Attached