Page MenuHomePhabricator
Files F34120094

02-T223654-api.patch
sbassett (Scott Bassett)
Actions

Authored By
sbassett
Feb 23 2021, 7:53 PM
Size
3 KB
Referenced Files
None
Subscribers
None

02-T223654-api.patch
View Options

From b99b3ac5fea1b88511d7ef0a2e0d7af3b06f8193 Mon Sep 17 00:00:00 2001
From: sbassett <sbassett@wikimedia.org>
Date: Tue, 23 Feb 2021 13:49:37 -0600
Subject: [PATCH] SECURITY: Avoid info leaks in ApiAbuseFilterCheckMatch
There are various info leaks for both deleted rc rows, and suppressed
AbuseLog entries.
Bug: T223654
Change-Id: I4900b1be73323599d74e3164447f81eded094d75
---
includes/AbuseFilterChangesList.php | 1 +
includes/Api/CheckMatch.php | 34 +++++++++++++++++++++++++++--
2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/includes/AbuseFilterChangesList.php b/includes/AbuseFilterChangesList.php
index 80e85908..85cb18ff 100644
--- a/includes/AbuseFilterChangesList.php
+++ b/includes/AbuseFilterChangesList.php
@@ -37,6 +37,7 @@ class AbuseFilterChangesList extends OldChangesList {
if ( (int)$rc->getAttribute( 'rc_deleted' ) !== 0 ) {
$s .= ' ' . $this->msg( 'abusefilter-log-hidden-implicit' )->parse();
if ( !$this->userCan( $rc, RevisionRecord::SUPPRESSED_ALL ) ) {
+ // Remember to keep this in sync with the CheckMatch API
return;
}
}
diff --git a/includes/Api/CheckMatch.php b/includes/Api/CheckMatch.php
index 9cc6770b..ee4fe0d3 100644
--- a/includes/Api/CheckMatch.php
+++ b/includes/Api/CheckMatch.php
@@ -5,9 +5,13 @@ namespace MediaWiki\Extension\AbuseFilter\Api;
use ApiBase;
use ApiResult;
use FormatJson;
+use LogEventsList;
use LogicException;
+use LogPage;
use MediaWiki\Extension\AbuseFilter\AbuseFilterServices;
+use MediaWiki\Extension\AbuseFilter\Special\SpecialAbuseLog;
use MediaWiki\Extension\AbuseFilter\Variables\VariableHolder;
+use MediaWiki\Revision\RevisionRecord;
use RecentChange;
class CheckMatch extends ApiBase {
@@ -16,6 +20,7 @@ class CheckMatch extends ApiBase {
*/
public function execute() {
$afPermManager = AbuseFilterServices::getPermissionManager();
+ $user = $this->getUser();
$params = $this->extractRequestParams();
$this->requireOnlyOneParameter( $params, 'vars', 'rcid', 'logid' );
@@ -35,14 +40,33 @@ class CheckMatch extends ApiBase {
$this->dieWithError( [ 'apierror-nosuchrcid', $params['rcid'] ] );
}
+ $type = (int)$rc->getAttribute( 'rc_type' );
+ $deletedValue = $rc->getAttribute( 'rc_deleted' );
+ if (
+ (
+ $type === RC_LOG &&
+ !LogEventsList::userCanBitfield(
+ $deletedValue,
+ LogPage::SUPPRESSED_ACTION | LogPage::SUPPRESSED_USER,
+ $user
+ )
+ ) || (
+ $type !== RC_LOG &&
+ !RevisionRecord::userCanBitfield( $deletedValue, RevisionRecord::SUPPRESSED_ALL, $user )
+ )
+ ) {
+ // T223654 - Same check as in AbuseFilterChangesList
+ $this->dieWithError( 'apierror-permissiondenied-generic', 'deletedrc' );
+ }
+
// @phan-suppress-next-line PhanTypeMismatchArgumentNullable T240141
- $varGenerator = AbuseFilterServices::getVariableGeneratorFactory()->newRCGenerator( $rc, $this->getUser() );
+ $varGenerator = AbuseFilterServices::getVariableGeneratorFactory()->newRCGenerator( $rc, $user );
$vars = $varGenerator->getVars();
} elseif ( $params['logid'] ) {
$dbr = wfGetDB( DB_REPLICA );
$row = $dbr->selectRow(
'abuse_filter_log',
- 'afl_var_dump',
+ '*',
[ 'afl_id' => $params['logid'] ],
__METHOD__
);
@@ -51,6 +75,12 @@ class CheckMatch extends ApiBase {
$this->dieWithError( [ 'apierror-abusefilter-nosuchlogid', $params['logid'] ], 'nosuchlogid' );
}
+ if ( !$afPermManager->canSeeHiddenLogEntries( $user ) && SpecialAbuseLog::isHidden( $row ) ) {
+ // T223654 - Same check as in SpecialAbuseLog. Both the visibility of the AbuseLog entry
+ // and the corresponding revision are checked.
+ $this->dieWithError( 'apierror-permissiondenied-generic', 'deletedabuselog' );
+ }
+
$vars = AbuseFilterServices::getVariablesBlobStore()->loadVarDump( $row->afl_var_dump );
}
if ( $vars === null ) {
--
2.28.0

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
8899733
Default Alt Text
02-T223654-api.patch (3 KB)

Event Timeline

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits