Page MenuHomePhabricator
Create Task
Maniphest T108138

Sysops can undelete pages, although the page is protected against it
Closed, ResolvedPublic
Actions

Assigned To
Bawolff
Authored By
Luke081515
Aug 6 2015, 12:00 AM
Tags
Referenced Files
F6828065: T108138-master.patch
Mar 21 2017, 9:49 PM
F6828384: T108138-REL1_27.patch
Mar 21 2017, 9:49 PM
F6828383: T108138-REL1_23.patch
Mar 21 2017, 9:49 PM
F6828385: T108138-REL1_28.patch
Mar 21 2017, 9:49 PM
F4160033: Do not allow undelete a page they either cannot create or edit
Jun 13 2016, 7:22 AM
Subscribers
Aklapper
Bawolff
gerritbot
Legoktm
Luke081515
Reedy

Description

when a page is proteced at a level that a normal sysop can't override, he can recreate this page by undelete former revisions, see also the last to log entrys here: http://meta.wikimedia.beta.wmflabs.org/w/index.php?title=Special:Log&page=Superprotecttest, my normal account Luke081515 got rights to edit pages with superprotect, Luke081515.2 was a normal sysop, and can't edit pages with superprotect.

Details

SubjectRepoBranchLines +/-
SECURITY: Do not allow users to undelete a page they can't edit or createmediawiki/coreREL1_27+23 -5
SECURITY: Do not allow users to undelete a page they can't edit or createmediawiki/coremaster+23 -3
SECURITY: Do not allow users to undelete a page they can't edit or createmediawiki/coreREL1_28+23 -5
Customize query in gerrit

Related Objects
Search...

Event Timeline

Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy".Aug 6 2015, 12:00 AM
Maniphest changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 6 2015, 12:00 AM
Luke081515 created this task.Aug 6 2015, 12:00 AM
Luke081515 updated the task description. (Show Details)
Luke081515 added projects: MediaWiki-Page-protection, MediaWiki-Page-deletion, acl*security.
Luke081515 changed Security from None to Software security bug.
Luke081515 edited subscribers, added: Luke081515; removed: Aklapper.
Luke081515 added a subscriber: Aklapper.Aug 6 2015, 12:13 AM

this removal happens automatically then you create a bug with "software security bug"

csteipp claimed this task.Aug 12 2015, 8:39 PM
csteipp added a project: Security-Team.
csteipp triaged this task as Medium priority.Sep 8 2015, 7:55 PM
csteipp added a subscriber: Anomie.

reproduction

  • delete existing page
  • add protection to title to allow only superprotect users to create the title
  • As a user who can undelete, but not superprotect, undelete the title
  • After restoration, the page is not limited to superprotect users, so anyone can edit

While testing this, I noticed that a non-superprotect user can update the protection for a deleted (or never created) + superprotected page also, so restoring a deleted revision isn't actually needed.

@Anomie, did superprotect intentionally not cover this case, or do protect and undelete need to check creation rights for that title?

csteipp added a comment.Sep 8 2015, 7:56 PM

While testing this, I noticed that a non-superprotect user can update the protection for a deleted (or never created) + superprotected page also, so restoring a deleted revision isn't actually needed.

Which is T108141

csteipp removed csteipp as the assignee of this task.Sep 8 2015, 7:57 PM
Bawolff added a project: Patch-For-Review.Jun 13 2016, 7:22 AM
Bawolff subscribed.

Do not allow undelete a page they either cannot create or edit4 KBDownload

Anomie added a comment.Jun 13 2016, 3:10 PM
In T108138#2375328, @Bawolff wrote:

Do not allow undelete a page they either cannot create or edit4 KBDownload

Code-Review: +1 Looks sane, haven't tested.

Bawolff moved this task from Backlog / Other to Patch pending review on the acl*security board.Jul 10 2016, 5:57 PM
Bawolff moved this task from Patch pending review to Patch pending deployment on the acl*security board.Jul 14 2016, 7:09 AM
Aklapper added a comment.Aug 17 2016, 11:01 AM
In T108138#2375328, @Bawolff wrote:

Do not allow undelete a page they either cannot create or edit4 KBDownload

Who could give these 25 lines (in includes/Title.php and includes/api/ApiUndelete.php) a final review / decision?

Bawolff added a parent task: T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.Feb 3 2017, 9:01 AM
Reedy subscribed.Mar 20 2017, 12:02 AM

Can we get this tested?

Reedy mentioned this in T140591: MediaWiki 1.28.1/1.27.2/1.23.16 security release.Mar 20 2017, 12:04 AM
Reedy added a comment.Mar 21 2017, 9:49 PM

T108138-master.patch4 KBDownload

Seems there were a few changes that needed rebasing for...

T108138-REL1_23.patch5 KBDownload

T108138-REL1_27.patch4 KBDownload

T108138-REL1_28.patch4 KBDownload

Reedy assigned this task to Bawolff.Mar 31 2017, 12:17 AM
Reedy closed this task as Resolved.Apr 1 2017, 4:35 PM

Closing for ease of tracking progress. Patches attached to parent bug, due for next release

Luke081515 added a comment.Apr 1 2017, 4:44 PM

Can you take a look at T108141 as well, since it is related, and there is already a patch awaiting review?

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 6 2017, 8:57 PM
Reedy changed the edit policy from "Custom Policy" to "All Users".
gerritbot subscribed.Apr 6 2017, 9:46 PM

Change 346847 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: Do not allow users to undelete a page they can't edit or create

https://gerrit.wikimedia.org/r/346847

ReleaseTaggerBot added projects: MW-1.29-release-notes, MW-1.29-release (WMF-deploy-2017-04-11_(1.29.0-wmf.20)).Apr 6 2017, 10:00 PM
gerritbot added a comment.Apr 6 2017, 10:51 PM

Change 346866 merged by jenkins-bot:
[mediawiki/core@REL1_28] SECURITY: Do not allow users to undelete a page they can't edit or create

https://gerrit.wikimedia.org/r/346866

ReleaseTaggerBot added a project: MW-1.28-release-notes.Apr 6 2017, 11:00 PM
gerritbot added a comment.Apr 7 2017, 1:42 AM

Change 346856 merged by jenkins-bot:
[mediawiki/core@REL1_27] SECURITY: Do not allow users to undelete a page they can't edit or create

https://gerrit.wikimedia.org/r/346856

ReleaseTaggerBot added a project: MW-1.27-release-notes.Apr 7 2017, 2:00 AM
Jasper mentioned this in T163144: Restoration of deleted items broken on Wikidata.Apr 17 2017, 8:05 PM
Legoktm subscribed.Apr 17 2017, 8:07 PM

This caused T163144: Restoration of deleted items broken on Wikidata.

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.Jun 11 2019, 7:17 PM
sbassett moved this task from Patch pending deployment to Done on the acl*security board.Sep 26 2019, 2:38 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL