AbuseFilter reveals hit count even without appropriate rights
Closed, Resolved (Public)

Description

On Czech Wikipedia, anonymous users cannot see the number of hits for each filter in the main interface. However, if you inspect any of the public filters (like the first one), there is a (non-functional) link to the abuse log with the number of hits.

Event Timeline

matej_suchanek raised the priority of this task from to Needs Triage.
matej_suchanek updated the task description.
matej_suchanek added a project: AbuseFilter.
matej_suchanek added a subscriber: matej_suchanek.

So why are they hidden at all, then?

Change 321370 had a related patch set uploaded (by Matěj Suchánek):
Check whether user is allowed to see the hit count

https://gerrit.wikimedia.org/r/321370

matmarex edited projects, added acl*security, Vuln-Infoleak; removed Patch-For-Review.
matmarex added a subscriber: matmarex.

This probably should've been a security bug (even if the issue is minor), but it's been public for a year, so…

Change 321370 merged by jenkins-bot:
Check whether user is allowed to see the hit count

https://gerrit.wikimedia.org/r/321370