From 8a8059555f7f2ec33d98a5cff798a6ca4782575a Mon Sep 17 00:00:00 2001
From: Manfredi Martorana <mmartorana@wikimedia.org>
Date: Tue, 23 Aug 2022 11:58:09 -0500
Subject: [PATCH] SECURITY: Hide suppressed users from rollback page error
messages
Bug: T307278
Change-Id: I6cd890d10cdbd2ea244b32ad4538728d64963210
---
includes/actions/RollbackAction.php | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/includes/actions/RollbackAction.php b/includes/actions/RollbackAction.php
index 935e9cfabd..be35fb1100 100644
--- a/includes/actions/RollbackAction.php
+++ b/includes/actions/RollbackAction.php
@@ -172,8 +172,14 @@ class RollbackAction extends FormAction {
// The revision has the user suppressed, so the rollback has empty 'from',
// so the check above would succeed in that case.
+ // T307278 - Also check if the user has rights to view suppressed usernames
if ( !$revUser ) {
- $revUser = $rev->getUser( RevisionRecord::RAW );
+ if ( $this->getAuthority()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
+ $revUser = $rev->getUser( RevisionRecord::RAW );
+ } else {
+ $userFactory = MediaWikiServices::getInstance()->getUserFactory();
+ $revUser = $userFactory->newFromName( $this->context->msg( 'rev-deleted-user' )->plain() );
+ }
}
$rollbackResult = $this->rollbackPageFactory
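Review bot: The fallback `newFromName()` on the added line can return null when the localised `rev-deleted-user` text is not a valid username (the factory validates the name by default, and a translation may contain a character the username rules reject), which would leave `$revUser` unset when it reaches the `rollbackPageFactory` call that follows; the placeholder should be guaranteed to exist, e.g. `$revUser = $userFactory->newFromName( $this->context->msg( 'rev-deleted-user' )->plain(), UserRigorOptions::RIGOR_NONE );`, or the null case handled explicitly. Separately, the new `isAllowedAny( 'suppressrevision', 'viewsuppressed' )` guard treats every empty `$revUser` as a suppression case; if the username was removed by ordinary revision deletion rather than suppression, `$rev->userCan( RevisionRecord::DELETED_USER, $this->getAuthority() )` would be the more precise check since it accounts for both the DELETED_USER and DELETED_RESTRICTED bits — worth confirming that denying users with only `deletedhistory` is intended. The enclosing method starts and ends outside the hunk.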
--
2.37.3