Page MenuHomePhabricator
Create Task
Maniphest T120562

AbuseFilter reveals hit count even without appropriate rights
Closed, ResolvedPublic
Actions

Description

In Czech Wikipedia, anonymous users cannot see number of hits for each filter in the main interface. However, if you inspect any of public filters (like the first one), there is a (non-functional) link to the abuse log with number of hits.

See also

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Check whether user is allowed to see the hit countmediawiki/extensions/AbuseFiltermaster+1 -1
Customize query in gerrit

Related Objects

Event Timeline

matej_suchanek created this task.Dec 6 2015, 9:43 AM
matej_suchanek raised the priority of this task from to Needs Triage.
matej_suchanek updated the task description. (Show Details)
matej_suchanek added a project: AbuseFilter.
matej_suchanek subscribed.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptDec 6 2015, 9:43 AM
matej_suchanek mentioned this in T120563: Sorting by hit counts may partly reveal the numbers.Dec 6 2015, 9:48 AM
Billinghurst subscribed.Dec 6 2015, 10:21 AM

And?

matej_suchanek added a comment.EditedDec 6 2015, 10:35 AM

So why are they hidden at all, then?

Billinghurst unsubscribed.Dec 14 2015, 10:58 AM
He7d3r updated the task description. (Show Details)Oct 17 2016, 2:00 PM
gerritbot subscribed.Nov 14 2016, 2:13 PM

Change 321370 had a related patch set uploaded (by Matěj Suchánek):
Check whether user is allowed to see the hit count

https://gerrit.wikimedia.org/r/321370

gerritbot added a project: Patch-For-Review.Nov 14 2016, 2:13 PM
matej_suchanek claimed this task.Nov 14 2016, 2:14 PM
matmarex closed this task as Resolved.Dec 11 2016, 8:16 PM
matmarex edited projects, added acl*security, Vuln-Infoleak; removed Patch-For-Review.
matmarex subscribed.

This probably should've been a security bug (even if the issue is minor), but it's been public for a year, so…

gerritbot added a comment.Dec 11 2016, 8:25 PM

Change 321370 merged by jenkins-bot:
Check whether user is allowed to see the hit count

https://gerrit.wikimedia.org/r/321370

ReleaseTaggerBot added a project: MW-1.29-release (WMF-deploy-2016-12-13_(1.29.0-wmf.6)).Dec 11 2016, 9:00 PM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits