F34454933
T281972.patch
Urbanecm
Authored By
Urbanecm
May 15 2021, 1:17 PM
2021-05-15 13:17:25 (UTC+0)
Size
1 KB
From a2b133da344229bd1c535f26d3b181d2c59d5ece Mon Sep 17 00:00:00 2001
From: Martin Urbanec <martin.urbanec@wikimedia.cz>
Date: Sat, 15 May 2021 08:42:46 +0200
Subject: [PATCH] SECURITY: Disable autoblocks for CentralAuth-issued
suppression blocks
They currently do not work (stacks are at T281972#7078879, T281972#7090229),
and according to T281972#7078969, properly fixing this is not easy.
Bug: T281972
Change-Id: I15d14c88a1e30df92c470bc191c4ee573172d4d1
---
includes/CentralAuthUser.php | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/includes/CentralAuthUser.php b/includes/CentralAuthUser.php
index f3714c55..50da78ef 100644
--- a/includes/CentralAuthUser.php
+++ b/includes/CentralAuthUser.php
@@ -1938,7 +1938,10 @@ class CentralAuthUser implements IDBAccessObject {
'timestamp' => wfTimestampNow(),
'expiry' => $dbw->getInfinity(),
'createAccount' => true,
- 'enableAutoblock' => true,
+ // T281972: This is currently disabled because it doesn't work with xwiki blocks
+ // It is fine to disable temporarily, because locks do not have any autoblock mechanism anyway,
+ // and stewards are used to it.
+ 'enableAutoblock' => false,
'hideName' => true,
'blockEmail' => true,
'by' => UserIdentityValue::newExternal(
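Review bot: The new comment above 'enableAutoblock' => false calls the change temporary, but nothing in the hunk states what has to be fixed before the value can return to true. Add a TODO that names T281972 as the condition, for example "TODO: re-enable once autoblocks work for cross-wiki blocks (T281972)", so the hardcoded false is not forgotten. The comment should also say plainly that with autoblock off, the suppression block covers only the named account and any IP-level follow-up has to be done by hand. "xwiki" would read better spelled out as "cross-wiki", and the second comment line is long enough to be worth wrapping. The diffstat lists only includes/CentralAuthUser.php, so no test pins the new value; a small assertion on the block options would catch an accidental revert.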
--
2.20.1
File Metadata
Mime Type
text/x-diff
Attached To
T281972: ActorStore::checkDatabaseDomain: InvalidArgumentException: DB connection domain does not match when suppressing via Special:CentralAuth (CVE-2021-36128)