Page MenuHomePhabricator

T250594.patch (v.1)

Authored By
DannyS712
Apr 19 2020, 12:44 AM
Size
1 KB
Referenced Files
None
Subscribers
None

T250594.patch (v.1)

From ed2f2bf9f6cee9a7d800d94db551ad6fc67cc34c Mon Sep 17 00:00:00 2001
From: dannys712-main <dannys712.enwiki@gmail.com>
Date: Sat, 18 Apr 2020 17:27:13 -0700
Subject: [PATCH] [SECURITY] Do not leak user info via API
If a user is not allowed to see an account,
treat it the same as an account that doesn't
exist in terms of including any requested
information regarding edit count, user groups,
etc.
Bug: T250594
---
includes/api/ApiQueryGlobalUserInfo.php | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/includes/api/ApiQueryGlobalUserInfo.php b/includes/api/ApiQueryGlobalUserInfo.php
index 26f7966f..52316029 100644
--- a/includes/api/ApiQueryGlobalUserInfo.php
+++ b/includes/api/ApiQueryGlobalUserInfo.php
@@ -76,6 +76,10 @@ class ApiQueryGlobalUserInfo extends ApiQueryBase {
} else {
// The user doesn't exist or we pretend it doesn't if it's hidden
$data['missing'] = true;
+
+ // If we are pretending that the user doesn't exist because it is hidden,
+ // do not add any more information
+ $userExists = false;
}
$result->addValue( 'query', $this->getModuleName(), $data );
--
2.20.1.windows.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
8385740
Default Alt Text
T250594.patch (v.1) (1 KB)

Event Timeline

DannyS712 updated the name for this file from "T250594.patch" to "T250594.patch (v.1)".Apr 20 2020, 9:05 AM