
01-T309894.patch

Authored By
Urbanecm
Jul 19 2022, 9:04 AM

01-T309894.patch

From de3afee4c0def6715059680b48a381c44110b14e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartosz=20Dziewo=C5=84ski?= <matma.rex@gmail.com>
Date: Thu, 14 Jul 2022 03:13:04 +0200
Subject: [PATCH] SECURITY: HTMLUserTextField: Treat hidden users as
unregistered if current user can't view them
Bug: T309894
Change-Id: I0707153ccbdb062a6b7ce461cc535aa2af8e4576
---
includes/htmlform/fields/HTMLUserTextField.php | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/includes/htmlform/fields/HTMLUserTextField.php b/includes/htmlform/fields/HTMLUserTextField.php
index 378d05173a..407aa97eb0 100644
--- a/includes/htmlform/fields/HTMLUserTextField.php
+++ b/includes/htmlform/fields/HTMLUserTextField.php
@@ -56,7 +56,11 @@ class HTMLUserTextField extends HTMLTextField {
return $this->msg( 'htmlform-user-not-valid', $value );
} elseif (
// check, if the user exists, if requested
- ( $this->mParams['exists'] && !$user->isRegistered() ) &&
+ ( $this->mParams['exists'] && !(
+ $user->isRegistered() &&
+ // Treat hidden users as unregistered if current user can't view them (T309894)
+ !( $user->isHidden() && !( $this->mParent && $this->mParent->getUser()->isAllowed( 'hideuser' ) ) )
+ ) ) &&
// check, if the username is a valid IP address, otherwise save the error message
!( $this->mParams['ipallowed'] && IPUtils::isValid( $value ) ) &&
// check, if the username is a valid IP range, otherwise save the error message
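Review bot: The visibility decision in the added lines is buried in three levels of negation inside an already long `elseif` condition, which makes a security-relevant check easy to invert by accident in a later edit. Naming the two facts before the chain would make the intent reviewable, e.g. `$canViewHidden = $this->mParent && $this->mParent->getUser()->isAllowed( 'hideuser' );` and `$userExists = $user->isRegistered() && ( !$user->isHidden() || $canViewHidden );`, and then testing `$this->mParams['exists'] && !$userExists`. The inline comment should also say that a field with no parent form (`$this->mParent` unset) deliberately treats hidden users as nonexistent, since that fail-closed default is not obvious from the expression. A test covering a hidden target for a viewer with and without `hideuser` would pin both branches; the enclosing method starts and ends outside this hunk, so the error message returned for this branch is not visible here and should be confirmed to be the same one used for a genuinely unregistered name.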
--
2.30.2
