F35277545
0001-SECURITY-do-not-render-suppressed-usernames-at-Speci.patch
Zabe
Authored By
Zabe
Jun 26 2022, 4:06 PM
2022-06-26 16:06:23 (UTC+0)
Size
3 KB
Referenced Files
None
Subscribers
None
0001-SECURITY-do-not-render-suppressed-usernames-at-Speci.patch
From 9bf90df423bcdfc03a6be1edbe3041e8258bfda5 Mon Sep 17 00:00:00 2001
From: Alexander Vorwerk <zabe@avorwerk.net>
Date: Sat, 25 Jun 2022 18:02:00 +0200
Subject: [PATCH] SECURITY: do not render suppressed usernames at
Special:CheckUser
Bug: T311337
Change-Id: I86f6b0f940d9946878fb118a2f577b08bfad7e20
---
src/Specials/SpecialCheckUser.php | 78 ++++++++++++++++++++-----------
1 file changed, 51 insertions(+), 27 deletions(-)
diff --git a/src/Specials/SpecialCheckUser.php b/src/Specials/SpecialCheckUser.php
index 5c82287..23d5048 100644
--- a/src/Specials/SpecialCheckUser.php
+++ b/src/Specials/SpecialCheckUser.php
@@ -1948,33 +1948,7 @@ class SpecialCheckUser extends SpecialPage {
} else {
$line .= '<span>';
}
- $line .= Linker::userLink(
- $idforlinknfn, $row->cuc_user_text, $row->cuc_user_text ) . '</span>';
- $line .= Linker::userToolLinksRedContribs(
- $idforlink,
- $row->cuc_user_text,
- $user->getEditCount(),
- // don't render parentheses in HTML markup (CSS will provide)
- false
- );
- // Get block info
- if ( isset( $flagCache[$row->cuc_user_text] ) ) {
- $flags = $flagCache[$row->cuc_user_text];
- } else {
- $user = User::newFromName( $row->cuc_user_text, false );
- $ip = IPUtils::isIPAddress( $row->cuc_user_text ) ? $row->cuc_user_text : '';
- $flags = $this->userBlockFlags( $ip, $row->cuc_user, $user );
- $flagCache[$row->cuc_user_text] = $flags;
- }
- // Add any block information
- if ( count( $flags ) ) {
- $line .= ' ' . implode( ' ', $flags );
- }
- // Action text, hackish ...
- if ( $row->cuc_actiontext ) {
- $line .= ' ' . Linker::formatComment( $row->cuc_actiontext ) . ' ';
- }
- // Comment
+
if ( $row->cuc_type == RC_EDIT || $row->cuc_type == RC_NEW ) {
$revRecord = MediaWikiServices::getInstance()
->getRevisionLookup()
@@ -2007,6 +1981,56 @@ class SpecialCheckUser extends SpecialPage {
);
}
}
+
+ $hidden = !RevisionRecord::userCanBitfield(
+ $revRecord->getVisibility(),
+ RevisionRecord::DELETED_USER,
+ $this->getUser()
+ );
+ } else {
+ // To make phan happy
+ $revRecord = null;
+
+ $hidden = $user->isHidden() && !$this->getAuthority()->isAllowed( 'hideuser' );
+ }
+
+ if ( $hidden ) {
+ $line .= Html::element(
+ 'span',
+ [ 'class' => 'history-deleted' ],
+ $this->msg( 'rev-deleted-user' )->text()
+ );
+ } else {
+ $line .= Linker::userLink(
+ $idforlinknfn, $row->cuc_user_text, $row->cuc_user_text ) . '</span>';
+ $line .= Linker::userToolLinksRedContribs(
+ $idforlink,
+ $row->cuc_user_text,
+ $user->getEditCount(),
+ // don't render parentheses in HTML markup (CSS will provide)
+ false
+ );
+ }
+
+ // Get block info
+ if ( isset( $flagCache[$row->cuc_user_text] ) ) {
+ $flags = $flagCache[$row->cuc_user_text];
+ } else {
+ $user = User::newFromName( $row->cuc_user_text, false );
+ $ip = IPUtils::isIPAddress( $row->cuc_user_text ) ? $row->cuc_user_text : '';
+ $flags = $this->userBlockFlags( $ip, $row->cuc_user, $user );
+ $flagCache[$row->cuc_user_text] = $flags;
+ }
+ // Add any block information
+ if ( count( $flags ) ) {
+ $line .= ' ' . implode( ' ', $flags );
+ }
+ // Action text, hackish ...
+ if ( $row->cuc_actiontext ) {
+ $line .= ' ' . Linker::formatComment( $row->cuc_actiontext ) . ' ';
+ }
+ // Comment
+ if ( $row->cuc_type == RC_EDIT || $row->cuc_type == RC_NEW ) {
if ( RevisionRecord::userCanBitfield(
$revRecord->getVisibility(),
RevisionRecord::DELETED_COMMENT,
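Review bot: In the `if ( $hidden )` arm the `<span>` opened just before this block (`$line .= '<span>';` in the first hunk's context) is never closed, because `'</span>'` is appended only in the `else` arm together with `Linker::userLink(...)`. The placeholder path should close it as well, for example by appending `. '</span>'` after the `Html::element( 'span', [ 'class' => 'history-deleted' ], ... )` call, so a suppressed row does not leave unbalanced markup in the results list. Separately, `$row->cuc_actiontext` is still passed to `Linker::formatComment()` when `$hidden` is true; whether that text can contain the performer's name for log rows is not visible here, but if it can, it should be gated on `$hidden` too, e.g. `if ( !$hidden && $row->cuc_actiontext ) {`. The enclosing method starts and ends outside this hunk, so the origin of `$user` used in `$user->isHidden()` could not be checked.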
--
2.17.1
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
9552471
Default Alt Text
0001-SECURITY-do-not-render-suppressed-usernames-at-Speci.patch (3 KB)
Attached To
Mode
T311337: CVE-2022-39193: Edits with the performer suppressed still show the performer in results from the CheckUser extension
Attached