There is a problem with hidden abuse filters. For example, this filter is actually not hidden: https://de.wikipedia.org/wiki/Spezial:Missbrauchsfilter/3, but older versions are hidden, for example the last hidden version: https://de.wikipedia.org/wiki/Spezial:Missbrauchsfilter/history/3/item/40, which is not visible without sysop rights. The version after this is not hidden, so it is visible to all users: https://de.wikipedia.org/wiki/Spezial:Missbrauchsfilter/history/3/item/42. The problem now is that the difference is visible to all users: https://de.wikipedia.org/wiki/Spezial:Missbrauchsfilter/history/3/diff/prev/42, and also the difference between hidden versions: https://de.wikipedia.org/wiki/Spezial:Missbrauchsfilter/history/3/diff/prev/40, so non-sysops can reconstruct the hidden version. That's the problem.
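The following is an added example that models the access-control defect described in the report; it is not code from the AbuseFilter extension or from the task's patches. It models a filter history with one hidden and one public version (constructed sample data, version ids chosen to mirror the report's items 40 and 42), a `view_diff_vulnerable` function that only consults the filter's current hidden state (an assumption about the pre-fix behaviour, used here to show why the diff leaks), and a `view_diff_fixed` function that applies the fix named in the merged change, checking visibility for each version on either side of the diff. The right names `abusefilter-modify` and `abusefilter-view-private` are the extension's rights as the author understands them and should be treated as assumptions.

```python
"""Model of the AbuseFilter ViewDiff visibility check (added example, not extension code)."""
import difflib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Rights that AbuseFilter::canViewPrivate is assumed to accept (assumption, not verified here).
VIEW_PRIVATE_RIGHTS = frozenset({"abusefilter-modify", "abusefilter-view-private"})


@dataclass(frozen=True)
class FilterVersion:
    """One row of a filter's history; afh_id is the history row id named on the task."""
    afh_id: int
    filter_id: int
    hidden: bool
    pattern: str


@dataclass(frozen=True)
class User:
    name: str
    rights: FrozenSet[str]


# Constructed history for filter 3: version 40 is hidden, version 42 is public.
HISTORY: Dict[int, FilterVersion] = {
    40: FilterVersion(40, 3, True, 'user_name == "sockpuppet"\n& action == "edit"'),
    42: FilterVersion(42, 3, False, 'action == "edit"'),
}


def can_view_private(user: User) -> bool:
    """Stand-in for AbuseFilter::canViewPrivate: may the user see hidden filter text?"""
    return bool(user.rights & VIEW_PRIVATE_RIGHTS)


def can_view_version(user: User, version: FilterVersion) -> bool:
    """A single version is viewable if it is not hidden or the user may view private filters."""
    return (not version.hidden) or can_view_private(user)


def render_diff(old: FilterVersion, new: FilterVersion) -> List[str]:
    """Unified diff of the two patterns; this is the text the diff page would show."""
    return list(difflib.unified_diff(
        old.pattern.splitlines(), new.pattern.splitlines(),
        fromfile=f"afh_id={old.afh_id}", tofile=f"afh_id={new.afh_id}", lineterm=""))


def view_diff_vulnerable(user: User, old_id: int, new_id: int) -> Optional[List[str]]:
    """Modelled pre-fix behaviour: only the filter's newest version decides visibility,
    so a diff against an older hidden version leaks its pattern."""
    old, new = HISTORY[old_id], HISTORY[new_id]
    # "Current" state = highest afh_id, mirroring the ORDER BY afh_id mentioned on the task.
    current = max((v for v in HISTORY.values() if v.filter_id == old.filter_id),
                  key=lambda v: v.afh_id)
    if not can_view_version(user, current):
        return None
    return render_diff(old, new)


def view_diff_fixed(user: User, old_id: int, new_id: int) -> Optional[List[str]]:
    """Fixed behaviour: both sides of the diff must be viewable by the requesting user."""
    old, new = HISTORY[old_id], HISTORY[new_id]
    if not (can_view_version(user, old) and can_view_version(user, new)):
        return None
    return render_diff(old, new)


if __name__ == "__main__":
    reader = User("reader", frozenset())
    sysop = User("sysop", frozenset({"abusefilter-modify"}))
    print("vulnerable, reader:", view_diff_vulnerable(reader, 40, 42))
    print("fixed, reader:", view_diff_fixed(reader, 40, 42))
    print("fixed, sysop:", view_diff_fixed(sysop, 40, 42))
```

Run as a script, the vulnerable function hands the anonymous reader a diff whose `-` lines are the hidden version's pattern, while the fixed function returns `None` for the reader and the full diff only for the user who holds a private-view right. The check is deliberately per version rather than per filter: a filter's current hidden flag says nothing about what earlier revisions contained.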
Related Objects
- Mentioned In:
  - T234983: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.6/1.32.6/1.33.2)
- Mentioned Here:
  - T226945: Decide on future of running Phan tests on release branches
  - T231966: Phan job should use composer instead of vendor for release branches (undeclared class \Wikimedia\Equivset\Equivset)
  - T233759: Update mediawiki/mediawiki-codesniffer for php7.3 support in release branches
  - T234983: Write and send supplementary release announcement for extensions and skins with security patches (MediaWiki 1.31.6/1.32.6/1.33.2)
Event Timeline
A piece was missed there, which I restored in the patch below. Plus: use canViewPrivate everywhere, order by afh_id in a query, and add a @todo about caching for when the code will be public.
Thank you Daimona. Actions are always public, so it is not necessary to hide them, I think.
I wouldn't be too sure about that (e.g. throttle params are a bit sensitive), but I agree that it's probably fine not to hide them. Anyway, we can think about it once the code is public.
Note: when viewing the diff right before the hidden version, you'll still see a "newer change" button at the bottom; clicking it will just tell you that you cannot see the revision. I guess we can make it disappear in a follow-up.
I'm not seeing anything on the task that would prevent it from being made public. And given that it's for a non-bundled extension, we don't have to hold the task for a mediawiki security release or anything like that. The new announcements I've been trying to do (e.g. T234983) are designed to occur after backports and any other public disclosure (CVE, etc.)
Change 546723 had a related patch set uploaded (by SBassett; owner: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@master] SECURITY: Check visibility for each version in ViewDiff
Change 546726 had a related patch set uploaded (by SBassett; owner: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@REL1_34] SECURITY: Check visibility for each version in ViewDiff
Change 546723 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] SECURITY: Check visibility for each version in ViewDiff
Change 546726 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@REL1_34] SECURITY: Check visibility for each version in ViewDiff
Backports for master and REL1_34 were merged, CVE requested. It appears that for the other supported release branches (1.31, 1.32, 1.33) it's just an issue of line differences for the patch. I'll try to get some additional patches uploaded to gerrit for these branches. @Daimona - would you be able to review those just in case the patch isn't relevant? (I think it still is - whoops, it's not.)
Change 546752 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/AbuseFilter@REL1_31] SECURITY: Check visibility for each version in ViewDiff
Change 546753 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/AbuseFilter@REL1_32] SECURITY: Check visibility for each version in ViewDiff
Change 546754 had a related patch set uploaded (by SBassett; owner: SBassett):
[mediawiki/extensions/AbuseFilter@REL1_33] SECURITY: Check visibility for each version in ViewDiff
Change 546754 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@REL1_33] SECURITY: Check visibility for each version in ViewDiff
FTR: I've updated the backports for 1.31, 1.32, and 1.33 to avoid using AbuseFilter::canViewPrivate (introduced in 1.34). For the 1.31 one, I also had to upgrade PHPCS to 19.1.0 (and disable a new sniff) because older versions fail on PHP 7.3 (T233759).
As I've already pointed out, things would've been easier with phan running on REL branches (T226945 / T231966).
@Daimona - great, thanks for the help! Once the remaining backports are merged, I'll resolve this task.
Change 546752 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@REL1_31] SECURITY: Check visibility for each version in ViewDiff
Change 546753 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@REL1_32] SECURITY: Check visibility for each version in ViewDiff