T328643.patch

Authored By
kostajh
Feb 2 2023, 12:12 PM
Size
1 KB
Referenced Files
None
Subscribers

From 78c1d55c59fa90b117ca0213f40ae3a10223c825 Mon Sep 17 00:00:00 2001
From: Kosta Harlan <kharlan@wikimedia.org>
Date: Thu, 2 Feb 2023 12:42:47 +0100
Subject: [PATCH] SECURITY: Exclude the timeZone property from user impact data
export
Bug: T328643
Change-Id: I9e4c26bedb2433c19cf33e40523dbc69a933dc82
---
includes/UserImpact/UserImpactFormatter.php | 3 +++
1 file changed, 3 insertions(+)
diff --git a/includes/UserImpact/UserImpactFormatter.php b/includes/UserImpact/UserImpactFormatter.php
index f554931c..57af6289 100644
--- a/includes/UserImpact/UserImpactFormatter.php
+++ b/includes/UserImpact/UserImpactFormatter.php
@@ -43,6 +43,9 @@ class UserImpactFormatter {
$jsonData += $this->sortAndFilter( $jsonData );
unset( $jsonData['dailyArticleViews'] );
$this->fillDailyArticleViewsWithPageViewToolsUrl( $jsonData );
+ // Don't leak timezone preference data for arbitrary users (T328643)
+ // In a follow-up, we can remove the storage of the "timeZone" property entirely
+ unset( $jsonData['timeZone'] );
return $jsonData;
}
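Review bot: The `unset( $jsonData['timeZone'] );` added just before `return $jsonData;` strips the field only from this formatter's output, and the added comment confirms the property is still stored, so any other path that serializes the same user impact data without going through this method would still expose it. Confirm that this method is the only export path, or drop the key at the point where the data is serialized until the follow-up removes storage. The unset is also unconditional, so it removes the value from a user's own data as well as from data about arbitrary users; check that no consumer of this output relies on `timeZone`. The diffstat shows one file and three insertions, so no test accompanies the change: an assertion that the formatted output has no `timeZone` key would keep the field from reappearing in a later refactor.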
--
2.39.1

File Metadata

Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
10532674
Default Alt Text
T328643.patch (1 KB)

Event Timeline

kostajh added subscribers: Tgr, Sgs.