Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F36704766
T328643-2.patch
Tgr (Gergő Tisza)
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Authored By
Tgr
Feb 3 2023, 7:09 PM
2023-02-03 19:09:15 (UTC+0)
Size
1 KB
Referenced Files
None
Subscribers
None
T328643-2.patch
View Options
From c200d4817242e7ec8c70a0593d32128721fb239f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20Tisza?= <tgr.huwiki@gmail.com>
Date: Fri, 3 Feb 2023 11:00:08 -0800
Subject: [PATCH] SECURITY: Do not expose user timezones
Bug: T328643
Change-Id: I72ab6d5bbbce5f1f44adc5ee855121b88a04694e
---
includes/UserImpact/ComputedUserImpactLookup.php | 2 +-
includes/UserImpact/UserImpact.php | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git includes/UserImpact/ComputedUserImpactLookup.php includes/UserImpact/ComputedUserImpactLookup.php
index 22d6cf4b..0c8014e1 100644
--- includes/UserImpact/ComputedUserImpactLookup.php
+++ includes/UserImpact/ComputedUserImpactLookup.php
@@ -229,7 +229,7 @@ class ComputedUserImpactLookup implements UserImpactLookup {
$queryBuilder->caller( __METHOD__ );
$userTimeCorrection = new UserTimeCorrection(
- $this->userOptionsLookup->getOption( $user, 'timecorrection' ),
+ UserTimeCorrection::SYSTEM,
// Make the time correction object testing friendly - otherwise it would contain a
// current-time DateTime object.
new DateTime( '@' . ConvertibleTimestamp::time() ),
diff --git includes/UserImpact/UserImpact.php includes/UserImpact/UserImpact.php
index a602d780..03d66aea 100644
--- includes/UserImpact/UserImpact.php
+++ includes/UserImpact/UserImpact.php
@@ -241,7 +241,7 @@ class UserImpact implements JsonSerializable {
// Make the time correction object testing friendly - otherwise it would contain a
// current-time DateTime object.
$date = new DateTime( '@' . ConvertibleTimestamp::time() );
- $this->timeZone = new UserTimeCorrection( $json['timeZone'][0], $date, $json['timeZone'][1] );
+ $this->timeZone = new UserTimeCorrection( UserTimeCorrection::SYSTEM, $date, $json['timeZone'][1] );
$this->newcomerTaskEditCount = $json['newcomerTaskEditCount'];
$this->lastEditTimestamp = $json['lastEditTimestamp'];
$this->generatedAt = $json['generatedAt'];
--
2.34.1
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
10615070
Default Alt Text
T328643-2.patch (1 KB)
Attached To
Mode
T328643: CVE-2023-29137: GrowthExperiments: UserImpactHandler returns timezone preference data for arbitrary users
Attached
Detach File
Event Timeline
Log In to Comment