
T250594.patch

Authored By
DannyS712
Apr 20 2020, 9:04 AM
Size
1 KB

T250594.patch

From ed2f2bf9f6cee9a7d800d94db551ad6fc67cc34c Mon Sep 17 00:00:00 2001
From: dannys712-main <dannys712.enwiki@gmail.com>
Date: Sat, 18 Apr 2020 17:27:13 -0700
Subject: [PATCH] SECURITY: Do not leak user info via API
If a user is not allowed to see an account,
treat it the same as an account that doesn't
exist in terms of including any requested
information regarding edit count, user groups,
etc.
Bug: T250594
---
includes/api/ApiQueryGlobalUserInfo.php | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/includes/api/ApiQueryGlobalUserInfo.php b/includes/api/ApiQueryGlobalUserInfo.php
index 26f7966f..52316029 100644
--- a/includes/api/ApiQueryGlobalUserInfo.php
+++ b/includes/api/ApiQueryGlobalUserInfo.php
@@ -76,6 +76,10 @@ class ApiQueryGlobalUserInfo extends ApiQueryBase {
} else {
// The user doesn't exist or we pretend it doesn't if it's hidden
$data['missing'] = true;
+
+ // If we are pretending that the user doesn't exist because it is hidden,
+ // do not add any more information
+ $userExists = false;
}
$result->addValue( 'query', $this->getModuleName(), $data );
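Review bot: the fix only works if every later block that adds edit count, groups and similar fields is guarded by `$userExists`, and that guard is outside this hunk; please confirm no downstream branch re-derives existence from the user object itself, otherwise a hidden account would still leak those fields after the `$data['missing'] = true;` line. The `+ $userExists = false;` assignment also deserves a regression test that requests the extra properties for a hidden user and asserts the response contains only `missing`. Minor: the lone `+` blank line before the new comment can be dropped.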
--
2.20.1.windows.1

File Metadata

Mime Type
text/x-diff