From 33d02796092c0ac86def0f0a6132776324ff512d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartosz=20Dziewo=C5=84ski?= <matma.rex@gmail.com>
Date: Thu, 14 Jul 2022 03:13:04 +0200
Subject: [PATCH] [SECURITY] HTMLUserTextField: Treat hidden users as
unregistered if current user can't view them
Bug: T309894
Change-Id: I0707153ccbdb062a6b7ce461cc535aa2af8e4576
---
includes/htmlform/fields/HTMLUserTextField.php | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/includes/htmlform/fields/HTMLUserTextField.php b/includes/htmlform/fields/HTMLUserTextField.php
index 7520c0ef1c3..f8e1b0d393c 100644
--- a/includes/htmlform/fields/HTMLUserTextField.php
+++ b/includes/htmlform/fields/HTMLUserTextField.php
@@ -51,7 +51,11 @@ class HTMLUserTextField extends HTMLTextField {
$user = User::newFromName( $value );
if ( $user ) {
// check if the user exists, if requested
- if ( $this->mParams['exists'] && !$user->isRegistered() ) {
+ if ( $this->mParams['exists'] && !(
+ $user->isRegistered() &&
+ // Treat hidden users as unregistered if current user can't view them (T309894)
+ !( $user->isHidden() && !( $this->mParent && $this->mParent->getUser()->isAllowed( 'hideuser' ) ) )
+ ) ) {
return $this->msg( 'htmlform-user-not-exists', $user->getName() );
}
} else {
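Review bot: The new condition on the `if` line is a triple-nested negation, which makes the one property this security fix depends on — that a hidden user looks exactly like a non-existent one to a viewer without the right — hard to audit at a glance; naming the intermediate results keeps the behaviour and reads as the invariant it enforces: `$canViewHidden = $this->mParent && $this->mParent->getUser()->isAllowed( 'hideuser' );` / `$exists = $user->isRegistered() && ( !$user->isHidden() || $canViewHidden );` / `if ( $this->mParams['exists'] && !$exists ) {`. This preserves the fail-closed default when `$this->mParent` is unset (a hidden user is then always reported as not existing), which is the right side to err on. Both the "really unregistered" and "hidden, not viewable" cases return the same `htmlform-user-not-exists` message, which is what prevents the field from acting as an existence oracle; a test asserting the two responses are identical for a user without the right would pin that and guard against a later branch adding a distinguishing message. That `hideuser` is the right gating visibility of hidden users elsewhere is assumed here rather than shown by the hunk, so it is worth confirming against the other call sites. The enclosing validate method continues outside the hunk.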
--
2.28.0.windows.1
T309894: CVE-2022-41765: HTMLUserTextField exposes existence of hidden users