
T104807.patch

Authored By
Urbanecm
Oct 19 2019, 5:23 PM
Size
3 KB
Referenced Files
None
Subscribers
None

T104807.patch

From 0a1fde173e4daa069250c4aa3a27f16b5b6d25bb Mon Sep 17 00:00:00 2001
From: Daimona Eaytoy <daimona.wiki@gmail.com>
Date: Fri, 18 Jan 2019 13:05:43 +0100
Subject: [PATCH] SECURITY: Check visibility for each version in ViewDiff
Instead of checking if the filter is currently hidden, check the
visibility for each version and, if the user cannot see private filters,
only show the diff if none of the revisions is hidden.
Also avoid showing a "diff" link if the user cannot see it.
Bug: T104807
Change-Id: Ie23e8234ae550273bf3f6f9c5ac45b7fc54eec2a
---
includes/Views/AbuseFilterViewDiff.php | 10 +++++++
includes/pagers/AbuseFilterHistoryPager.php | 32 +++++++++++++++++----
2 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/includes/Views/AbuseFilterViewDiff.php b/includes/Views/AbuseFilterViewDiff.php
index 9dc50b10..7e391318 100644
--- a/includes/Views/AbuseFilterViewDiff.php
+++ b/includes/Views/AbuseFilterViewDiff.php
@@ -117,6 +117,16 @@ class AbuseFilterViewDiff extends AbuseFilterView {
return false;
}
+ if ( !AbuseFilter::canViewPrivate( $this->getUser() ) &&
+ (
+ in_array( 'hidden', explode( ',', $this->mOldVersion['info']['flags'] ) ) ||
+ in_array( 'hidden', explode( ',', $this->mNewVersion['info']['flags'] ) )
+ )
+ ) {
+ $this->getOutput()->addWikiMsg( 'abusefilter-history-error-hidden' );
+ return false;
+ }
+
$this->mNextHistoryId = $this->getNextHistoryId(
$this->mNewVersion['meta']['history_id']
);
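Review bot: The new guard in AbuseFilterViewDiff has no comment saying why it inspects the flags of the two loaded versions rather than the filter's current state, which is the security-relevant reason for the change. A comment above the `if` such as `// A filter that is public now can still have hidden versions in its history, so check both sides of the diff.` would keep a later refactor from collapsing it back into a current-state check. The `in_array( 'hidden', explode( ',', … ) )` test appears four times across this hunk and the one in AbuseFilterHistoryPager.php, so it would read better as one small helper, with `true` passed as the third argument to `in_array`. The enclosing method starts and ends outside the hunk.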
diff --git a/includes/pagers/AbuseFilterHistoryPager.php b/includes/pagers/AbuseFilterHistoryPager.php
index 55dfb901..870cae6d 100644
--- a/includes/pagers/AbuseFilterHistoryPager.php
+++ b/includes/pagers/AbuseFilterHistoryPager.php
@@ -120,15 +120,35 @@ class AbuseFilterHistoryPager extends TablePager {
$formatted = $display_actions;
break;
case 'afh_id':
+ // Set a link to a diff with the previous version if this isn't the first edit to the filter.
+ // Like in AbuseFilterViewDiff, don't show it if the user cannot see private filters and any
+ // of the versions is hidden.
$formatted = '';
if ( AbuseFilter::getFirstFilterChange( $row->afh_filter ) != $value ) {
- // Set a link to a diff with the previous version if this isn't the first edit to the filter
- $title = $this->mPage->getTitle(
- 'history/' . $row->afh_filter . "/diff/prev/$value" );
- $formatted = $this->linkRenderer->makeLink(
- $title,
- new HtmlArmor( $this->msg( 'abusefilter-history-diff' )->parse() )
+ $dbr = wfGetDB( DB_REPLICA );
+ $oldFlags = $dbr->selectField(
+ 'abuse_filter_history',
+ 'afh_flags',
+ [
+ 'afh_filter' => $row->afh_filter,
+ 'afh_id <' . $dbr->addQuotes( $row->afh_id ),
+ ],
+ __METHOD__,
+ [ 'ORDER BY' => 'afh_timestamp DESC' ]
);
+ if ( $this->getUser()->isAllowedAny( 'abusefilter-modify', 'abusefilter-view-private' ) ||
+ (
+ !in_array( 'hidden', explode( ',', $row->afh_flags ) ) &&
+ !in_array( 'hidden', explode( ',', $oldFlags ) )
+ )
+ ) {
+ $title = $this->mPage->getTitle(
+ 'history/' . $row->afh_filter . "/diff/prev/$value" );
+ $formatted = $this->linkRenderer->makeLink(
+ $title,
+ new HtmlArmor( $this->msg( 'abusefilter-history-diff' )->parse() )
+ );
+ }
}
break;
default:
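Review bot: The link condition in the `afh_id` case spells out the rights as `isAllowedAny( 'abusefilter-modify', 'abusefilter-view-private' )`, while the enforcement added in AbuseFilterViewDiff.php calls `AbuseFilter::canViewPrivate( $this->getUser() )`; calling the helper here as well keeps the two checks from drifting apart. `selectField` returns `false` when no earlier row matches, and `explode( ',', false )` then yields no 'hidden' flag, so the link is shown in that case; adding `$oldFlags !== false &&` to the inner condition makes the link fail closed (the view still enforces access, so only the link is affected). The lookup also runs once per history row, even for users who pass the permission test, so it is worth issuing only when that test fails. The query filters on `afh_id` but orders by `afh_timestamp`, which presumably selects the same row the diff view resolves as "prev", though that is not visible here. The enclosing switch continues outside the hunk.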
--
2.17.1
