Authored By
Daimona
Feb 8 2021, 4:35 PM
2021-02-08 16:35:56 (UTC+0)
Size
2 KB
T274152.patch
From 9523569a4e2fef6ea0452ba33b4ed8b3b27ea0c0 Mon Sep 17 00:00:00 2001
From: Daimona Eaytoy <daimona.wiki@gmail.com>
Date: Mon, 8 Feb 2021 17:34:19 +0100
Subject: [PATCH] SECURITY: Remove deleted rows from /examine and /test
This is kind of a nuclear option: if anything in a row is hidden, we
hide the whole row. This is just to keep this patch slim; a public
follow-up will adjust the visibility.
Bug: T274152
Change-Id: I07f04c2d3225cf653d67a6badda270074d432ed2
---
includes/Pager/AbuseFilterExaminePager.php | 3 ++-
includes/View/AbuseFilterView.php | 8 ++++++++
includes/View/AbuseFilterViewTestBatch.php | 1 +
3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/includes/Pager/AbuseFilterExaminePager.php b/includes/Pager/AbuseFilterExaminePager.php
index 1d32a8b1..e1e0788a 100644
--- a/includes/Pager/AbuseFilterExaminePager.php
+++ b/includes/Pager/AbuseFilterExaminePager.php
@@ -59,12 +59,13 @@ class AbuseFilterExaminePager extends ReverseChronologicalPager {
}
$conds[] = $this->mPage->buildTestConditions( $dbr );
+ $conds = array_merge( $conds, $this->mPage->buildVisibilityConditions() );
$rcQuery = RecentChange::getQueryInfo();
$info = [
'tables' => $rcQuery['tables'],
'fields' => $rcQuery['fields'],
- 'conds' => array_filter( $conds ),
+ 'conds' => $conds,
'join_conds' => $rcQuery['joins'],
];
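Review bot: Dropping `array_filter( $conds )` was necessary — with no callback it removes every falsy entry, and the new `'rc_deleted' => 0` is falsy, so the old filter would have silently discarded the very condition this security fix adds — but it also means any empty-string or null entry that the earlier, unseen part of this function may have pushed into `$conds` now reaches `select()` unfiltered, and MediaWiki's `makeList()` turns an empty numeric-keyed entry into a broken `()` clause. The function body starts before the hunk, so I can't confirm whether that can happen; if it can, keep a filter that only strips empties and leaves `0` alone, `'conds' => array_filter( $conds, static function ( $c ) { return $c !== '' && $c !== null; } ),`. Either way a one-line comment would stop the next maintainer from re-adding the plain call: `// No bare array_filter() here: it would drop the falsy 'rc_deleted' => 0 condition (T274152).`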
diff --git a/includes/View/AbuseFilterView.php b/includes/View/AbuseFilterView.php
index 72e93178..b5adc553 100644
--- a/includes/View/AbuseFilterView.php
+++ b/includes/View/AbuseFilterView.php
@@ -183,6 +183,14 @@ abstract class AbuseFilterView extends ContextSource {
], LIST_OR );
}
+ /**
+ * @todo Check what the user can actually see and use a proper bitmask. Core should provide such a method though.
+ * @return array
+ */
+ public function buildVisibilityConditions() : array {
+ return [ 'rc_deleted' => 0 ];
+ }
+
/**
* @param string|int $id
* @param string|null $text
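Review bot: The docblock on `buildVisibilityConditions()` should say what the method actually does and why, because its name suggests "what the current user may see" while the body ignores the user entirely and returns a fixed `[ 'rc_deleted' => 0 ]`, hiding every row with any deletion bit set from everyone, including users with `deletedhistory`/`suppressrevision` rights. A later reader could easily "fix" the apparent over-restriction without realising it is the whole point of the security patch. I would replace the bare `@return array` with a two-sentence description stating that the conditions deliberately exclude any recentchanges row with a non-zero `rc_deleted`, regardless of the viewer's rights, so that suppressed user names are never exposed on /examine and /test (T274152), keep the existing `@todo`, and tighten the return type to `@return array<string,int>`. For the follow-up, core's `ChangesListSpecialPage` builds a per-user bitmask check of the form `$dbr->bitAnd( 'rc_deleted', $bitmask ) . " != $bitmask"`, if I recall correctly, which is the proper replacement for the constant.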
diff --git a/includes/View/AbuseFilterViewTestBatch.php b/includes/View/AbuseFilterViewTestBatch.php
index 487a8ec0..e4236285 100644
--- a/includes/View/AbuseFilterViewTestBatch.php
+++ b/includes/View/AbuseFilterViewTestBatch.php
@@ -254,6 +254,7 @@ class AbuseFilterViewTestBatch extends AbuseFilterView {
$action = $this->mTestAction !== '0' ? $this->mTestAction : false;
$conds[] = $this->buildTestConditions( $dbr, $action );
+ $conds = array_merge( $conds, $this->buildVisibilityConditions() );
// Get our ChangesList
$changesList = new AbuseFilterChangesList( $this->getSkin(), $this->testPattern );
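Review bot: The code that consumes `$conds` in this method lies outside the hunk, so I can't see whether it is passed through an unguarded `array_filter()` the way the examine pager's query was before this patch; if it is, the falsy `0` in `'rc_deleted' => 0` would be silently dropped and the suppression fix would not apply to /test at all. Please confirm the query path, and mark the new line so the requirement survives refactoring: `// Must not be array_filter()ed: 'rc_deleted' => 0 is falsy and would be dropped (T274152).` The enclosing method continues past the end of the hunk.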
Attached To
T274152: Special:AbuseFilter/examine reveals suppressed usernames (CVE-2021-31549)