T328643-2.patch
From d2f0c2601a9b65ed6e3984224e728a71361637e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20Tisza?= <tgr.huwiki@gmail.com>
Date: Fri, 3 Feb 2023 11:00:08 -0800
Subject: [PATCH] SECURITY: Do not expose user timezones
Drop UserTimeCorrection from wherever it is easy to drop
without making this patch large. Make sure it does not contain
any user data elsewhere. Bump the cache version just in case this
patch needs to be removed.
Bug: T328643
Change-Id: I72ab6d5bbbce5f1f44adc5ee855121b88a04694e
---
.../UserImpact/ComputedUserImpactLookup.php | 2 +-
includes/UserImpact/UserImpact.php | 19 +------------------
2 files changed, 2 insertions(+), 19 deletions(-)
diff --git includes/UserImpact/ComputedUserImpactLookup.php includes/UserImpact/ComputedUserImpactLookup.php
index f4735c8d..f054e401 100644
--- includes/UserImpact/ComputedUserImpactLookup.php
+++ includes/UserImpact/ComputedUserImpactLookup.php
@@ -229,7 +229,7 @@ class ComputedUserImpactLookup implements UserImpactLookup {
$queryBuilder->caller( __METHOD__ );
$userTimeCorrection = new UserTimeCorrection(
- $this->userOptionsLookup->getOption( $user, 'timecorrection' ),
+ UserTimeCorrection::SYSTEM,
// Make the time correction object testing friendly - otherwise it would contain a
// current-time DateTime object.
new DateTime( '@' . ConvertibleTimestamp::time() ),
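Review bot: The switch to `UserTimeCorrection::SYSTEM` has no comment saying why the user's `timecorrection` preference is no longer read here, so a later change could reintroduce the lookup and re-expose the preference through the serialized UserImpact; suggest `// Deliberately not the user's 'timecorrection' preference: the impact data is cached and served to other users, so it must not carry per-user settings (T328643).` The object is still constructed and, as far as this hunk shows, still handed downstream, so anything that derives day boundaries from it (presumably the editCountByDay buckets) now uses the system timezone rather than the user's; if that shift in counts is intended, the comment should say so. The `new UserTimeCorrection(` statement ends outside the hunk.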
diff --git includes/UserImpact/UserImpact.php includes/UserImpact/UserImpact.php
index a602d780..81da69cd 100644
--- includes/UserImpact/UserImpact.php
+++ includes/UserImpact/UserImpact.php
@@ -22,7 +22,7 @@ use Wikimedia\Timestamp\ConvertibleTimestamp;
class UserImpact implements JsonSerializable {
/** Cache version, to be increased when breaking backwards compatibility. */
- public const VERSION = 5;
+ public const VERSION = 6;
/** @var UserIdentity */
private $user;
@@ -36,9 +36,6 @@ class UserImpact implements JsonSerializable {
/** @var int[] */
private $editCountByDay;
- /** @var UserTimeCorrection */
- private $timeZone;
-
/** @var int */
private $newcomerTaskEditCount;
@@ -80,7 +77,6 @@ class UserImpact implements JsonSerializable {
$this->receivedThanksCount = $receivedThanksCount;
$this->editCountByNamespace = $editCountByNamespace;
$this->editCountByDay = $editCountByDay;
- $this->timeZone = $timeZone;
$this->newcomerTaskEditCount = $newcomerTaskEditCount;
$this->lastEditTimestamp = $lastEditTimestamp;
$this->generatedAt = ConvertibleTimestamp::time();
@@ -133,14 +129,6 @@ class UserImpact implements JsonSerializable {
return $this->editCountByDay;
}
- /**
- * The timezone used to define what a day means, typically the timezone of the user.
- * @return UserTimeCorrection
- */
- public function getTimeZone(): UserTimeCorrection {
- return $this->timeZone;
- }
-
/**
* Number of edits the user made which have the newcomer task tag.
* Might exclude edits made a long time ago or many edits ago.
@@ -238,10 +226,6 @@ class UserImpact implements JsonSerializable {
$this->receivedThanksCount = $json['receivedThanksCount'];
$this->editCountByNamespace = $json['editCountByNamespace'];
$this->editCountByDay = $json['editCountByDay'];
- // Make the time correction object testing friendly - otherwise it would contain a
- // current-time DateTime object.
- $date = new DateTime( '@' . ConvertibleTimestamp::time() );
- $this->timeZone = new UserTimeCorrection( $json['timeZone'][0], $date, $json['timeZone'][1] );
$this->newcomerTaskEditCount = $json['newcomerTaskEditCount'];
$this->lastEditTimestamp = $json['lastEditTimestamp'];
$this->generatedAt = $json['generatedAt'];
@@ -271,7 +255,6 @@ class UserImpact implements JsonSerializable {
'receivedThanksCount' => $this->receivedThanksCount,
'editCountByNamespace' => $this->editCountByNamespace,
'editCountByDay' => $this->editCountByDay,
- 'timeZone' => [ $this->timeZone->toString(), $this->timeZone->getTimeOffset() ],
'newcomerTaskEditCount' => $this->newcomerTaskEditCount,
'lastEditTimestamp' => $this->lastEditTimestamp,
'generatedAt' => $this->generatedAt,
--
2.34.1
T328643: CVE-2023-29137: GrowthExperiments: UserImpactHandler returns timezone preference data for arbitrary users