Page MenuHomePhabricator
Files F34095060

T223654-api.patch
Daimona
Actions

Authored By
Daimona
Feb 8 2021, 12:37 PM
Size
3 KB
Referenced Files
None
Subscribers
None

T223654-api.patch
View Options

From 7ac84fd56d1249e494df010462ac66432120bf4f Mon Sep 17 00:00:00 2001
From: Daimona Eaytoy <daimona.wiki@gmail.com>
Date: Mon, 8 Feb 2021 13:36:18 +0100
Subject: [PATCH] SECURITY: Avoid info leaks in ApiAbuseFilterCheckMatch
There are various info leaks for both deleted rc rows, and suppressed
AbuseLog entries.
Bug: T223654
Change-Id: I4900b1be73323599d74e3164447f81eded094d75
---
includes/AbuseFilterChangesList.php | 1 +
includes/Api/CheckMatch.php | 35 +++++++++++++++++++++++++++--
2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/includes/AbuseFilterChangesList.php b/includes/AbuseFilterChangesList.php
index bcaee22a..bb979f5d 100644
--- a/includes/AbuseFilterChangesList.php
+++ b/includes/AbuseFilterChangesList.php
@@ -37,6 +37,7 @@ class AbuseFilterChangesList extends OldChangesList {
if ( (int)$rc->getAttribute( 'rc_deleted' ) !== 0 ) {
$s .= ' ' . $this->msg( 'abusefilter-log-hidden-implicit' )->parse();
if ( !$this->userCan( $rc, RevisionRecord::SUPPRESSED_ALL ) ) {
+ // Remember to keep this in sync with the CheckMatch API
return;
}
}
diff --git a/includes/Api/CheckMatch.php b/includes/Api/CheckMatch.php
index ed128363..2fd7e3a7 100644
--- a/includes/Api/CheckMatch.php
+++ b/includes/Api/CheckMatch.php
@@ -5,9 +5,13 @@ namespace MediaWiki\Extension\AbuseFilter\Api;
use ApiBase;
use ApiResult;
use FormatJson;
+use LogEventsList;
use LogicException;
+use LogPage;
use MediaWiki\Extension\AbuseFilter\AbuseFilterServices;
+use MediaWiki\Extension\AbuseFilter\Special\SpecialAbuseLog;
use MediaWiki\Extension\AbuseFilter\Variables\VariableHolder;
+use MediaWiki\Revision\RevisionRecord;
use RecentChange;
class CheckMatch extends ApiBase {
@@ -16,11 +20,12 @@ class CheckMatch extends ApiBase {
*/
public function execute() {
$afPermManager = AbuseFilterServices::getPermissionManager();
+ $user = $this->getUser();
$params = $this->extractRequestParams();
$this->requireOnlyOneParameter( $params, 'vars', 'rcid', 'logid' );
// "Anti-DoS"
- if ( !$afPermManager->canViewPrivateFilters( $this->getUser() ) ) {
+ if ( !$afPermManager->canViewPrivateFilters( $user ) ) {
$this->dieWithError( 'apierror-abusefilter-canttest', 'permissiondenied' );
}
@@ -35,8 +40,28 @@ class CheckMatch extends ApiBase {
$this->dieWithError( [ 'apierror-nosuchrcid', $params['rcid'] ] );
}
+ $type = (int)$rc->getAttribute( 'rc_type' );
+ $deletedValue = $rc->getAttribute( 'rc_deleted' );
+ if (
+ (
+ $type === RC_LOG &&
+ !LogEventsList::userCanBitfield(
+ $deletedValue,
+ LogPage::SUPPRESSED_ACTION | LogPage::SUPPRESSED_USER,
+ $user
+ )
+ ) || (
+ $type !== RC_LOG &&
+ !RevisionRecord::userCanBitfield( $deletedValue, RevisionRecord::SUPPRESSED_ALL, $user )
+ )
+ ) {
+ // T223654 - Same check as in AbuseFilterChangesList
+ $this->dieWithError( 'apierror-permissiondenied-generic', 'deletedrc' );
+ }
+
+ $vars = new VariableHolder();
// @phan-suppress-next-line PhanTypeMismatchArgumentNullable T240141
- $varGenerator = AbuseFilterServices::getVariableGeneratorFactory()->newRCGenerator( $rc, $this->getUser() );
+ $varGenerator = AbuseFilterServices::getVariableGeneratorFactory()->newRCGenerator( $rc, $user );
$vars = $varGenerator->getVars();
} elseif ( $params['logid'] ) {
$dbr = wfGetDB( DB_REPLICA );
@@ -51,6 +76,12 @@ class CheckMatch extends ApiBase {
$this->dieWithError( [ 'apierror-abusefilter-nosuchlogid', $params['logid'] ], 'nosuchlogid' );
}
+ if ( !$afPermManager->canSeeHiddenLogEntries( $user ) && SpecialAbuseLog::isHidden( $row ) ) {
+ // T223654 - Same check as in SpecialAbuseLog. Both the visibility of the AbuseLog entry
+ // and the corresponding revision are checked.
+ $this->dieWithError( 'apierror-permissiondenied-generic', 'deletedabuselog' );
+ }
+
$vars = AbuseFilterServices::getVariablesBlobStore()->loadVarDump( $row->afl_var_dump );
}
if ( $vars === null ) {

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
8885714
Default Alt Text
T223654-api.patch (3 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits