Authored By
kostajh
Feb 2 2023, 11:44 AM

T328643.patch

From 7550e240e97e42cd6f926088af55a1adaac6ad0e Mon Sep 17 00:00:00 2001
From: Kosta Harlan <kharlan@wikimedia.org>
Date: Thu, 2 Feb 2023 12:42:47 +0100
Subject: [PATCH] SECURITY: Exclude the timeZone property from user impact data
export
Bug: T328643
Change-Id: I9e4c26bedb2433c19cf33e40523dbc69a933dc82
---
includes/UserImpact/UserImpactFormatter.php | 3 +++
1 file changed, 3 insertions(+)
diff --git a/includes/UserImpact/UserImpactFormatter.php b/includes/UserImpact/UserImpactFormatter.php
index 4c819f60..aae095e2 100644
--- a/includes/UserImpact/UserImpactFormatter.php
+++ b/includes/UserImpact/UserImpactFormatter.php
@@ -45,6 +45,9 @@ class UserImpactFormatter {
}
$jsonData += $this->sortAndFilter( $jsonData );
unset( $jsonData['dailyArticleViews'] );
+ // Don't leak timezone preference data for arbitrary users (T328643)
+ // In a follow-up, we can remove the storage of the "timeZone" property entirely
+ unset( $jsonData['timeZone'] );
$this->fillDailyArticleViewsWithPageViewToolsUrl( $jsonData, $userImpact->getTimeZone() );
return $jsonData;
}
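Review bot: The new `unset( $jsonData['timeZone'] )` drops the key from the export, but the next line still passes `$userImpact->getTimeZone()` into `fillDailyArticleViewsWithPageViewToolsUrl()`, which writes into `$jsonData`. That helper is not visible in this hunk; if it derives date boundaries or URL parameters from the zone, the preference could still be inferred from the output, so its result is worth checking for a user other than the requester. Removing private keys one at a time (`dailyArticleViews`, now `timeZone`) also fails open whenever a new property is added to the serialized impact; filtering through an allowlist, e.g. `$jsonData = array_intersect_key( $jsonData, array_flip( self::EXPORTED_KEYS ) );` with a hypothetical `EXPORTED_KEYS` constant, would fail closed. A regression test asserting that `timeZone` is absent from the formatted result would keep this fix from being undone by later refactoring. The enclosing method starts outside the hunk, so the earlier handling of `$jsonData` could not be reviewed.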
--
2.39.1
