v1-SECURITY-HTMLUserTextField-Treat-hidden-users-as-unr.patch

Authored By
matmarex
Jul 14 2022, 1:17 AM
Size
1 KB

From bb5df15c2654e04db6c453f066d73cde76919da6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartosz=20Dziewo=C5=84ski?= <matma.rex@gmail.com>
Date: Thu, 14 Jul 2022 03:13:04 +0200
Subject: [PATCH] [SECURITY] HTMLUserTextField: Treat hidden users as
unregistered if current user can't view them
Bug: T309894
Change-Id: I0707153ccbdb062a6b7ce461cc535aa2af8e4576
---
includes/htmlform/fields/HTMLUserTextField.php | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/includes/htmlform/fields/HTMLUserTextField.php b/includes/htmlform/fields/HTMLUserTextField.php
index 378d05173ab..407aa97eb03 100644
--- a/includes/htmlform/fields/HTMLUserTextField.php
+++ b/includes/htmlform/fields/HTMLUserTextField.php
@@ -56,7 +56,11 @@ class HTMLUserTextField extends HTMLTextField {
return $this->msg( 'htmlform-user-not-valid', $value );
} elseif (
// check, if the user exists, if requested
- ( $this->mParams['exists'] && !$user->isRegistered() ) &&
+ ( $this->mParams['exists'] && !(
+ $user->isRegistered() &&
+ // Treat hidden users as unregistered if current user can't view them (T309894)
+ !( $user->isHidden() && !( $this->mParent && $this->mParent->getUser()->isAllowed( 'hideuser' ) ) )
+ ) ) &&
// check, if the username is a valid IP address, otherwise save the error message
!( $this->mParams['ipallowed'] && IPUtils::isValid( $value ) ) &&
// check, if the username is a valid IP range, otherwise save the error message
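Review bot: The added condition on the `+` lines stacks three negations (`!( isRegistered() && !( isHidden() && !( mParent && isAllowed ) ) )`), which makes it hard to confirm at a glance that a hidden user takes the same branch as a nonexistent one. Consider hoisting the permission check into a named local, e.g. `$canSeeHidden = $this->mParent && $this->mParent->getUser()->isAllowed( 'hideuser' );`, and writing the test as `!( $user->isRegistered() && ( !$user->isHidden() || $canSeeHidden ) )`, which is logically equivalent. Note also that when `$this->mParent` is unset the check treats every hidden user as unregistered, even for a viewer who holds `hideuser`; that is the fail-closed choice, but the inline comment should say so explicitly. The diffstat shows only HTMLUserTextField.php changed, so a regression test covering a hidden user looked up with and without the `hideuser` right, and with no parent form, would be worth adding alongside this.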
--
2.28.0.windows.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
9584866
Default Alt Text
v1-SECURITY-HTMLUserTextField-Treat-hidden-users-as-unr.patch (1 KB)
