Phabricator Paste access permission weirdness after T120013 upgrade
Closed, Resolved · Public

Description

So far I think this is not a security issue (see below), but it definitely welcomes more investigation, hence playing safe here and filing as a Sec task.

CC'ing @hoo who pinged me in a private message on IRC.
@hoo: If you could provide a specific example, that would be gorgeous!

  1. Go to https://phabricator.wikimedia.org/P2621 or https://phabricator.wikimedia.org/P2624 (if you're not their author)
  2. Get "Access Denied: Restricted File. You do not have permission to view this object."
  3. Go to https://phabricator.wikimedia.org/paste/
  4. See "P2621 SPARQL: Films that won most Academy Awards" listed and the content of its first five lines.
  5. Mention "P2621" on #wikimedia-tech
  6. Get: <stashbot> P2621 SPARQL: Films that won most Academy Awards - https://phabricator.wikimedia.org/P2621

Testing with P2629 which only @Aklapper and two other users can access, https://phabricator.wikimedia.org/paste/ lists P2629 when being logged in as @Aklapper, but it does not list P2629 when being logged in with my private account @Malyacko. Hence I hope there is just some misconfiguration.

Event Timeline

Looks like the issue is actually that viewing all others' pastes directly is broken?

Restricted Application changed the visibility from "Custom Policy" to "Custom Policy". Feb 18 2016, 4:14 PM
Restricted Application changed the edit policy from "All Users" to "Custom Policy".

I can view some logged in, also for example P2631 can be viewed logged out.

Okay, all others' pastes created before the upgrade?

It looks like pastes with restricted viewing policies (from both before and after the migration) are correctly not showing up in /paste, and are correctly not allowing users to view them directly. So yeah, it looks like the issue is viewing being restricted for public pastes prior to migration.

Should we make this public? Or does anyone think there is still a security issue here to address?

Seems like it should be public...

mmodell changed the visibility from "Custom Policy" to "Public (No Login Required)".
mmodell changed the edit policy from "Custom Policy" to "All Users".
mmodell changed Security from Software security bug to None.
mmodell claimed this task.

I talked to Evan and he wrote a migration to fix things.

Resolved by applying https://secure.phabricator.com/rP03d6e7f1b699d89c829e92ba0da2178b41ad1d6a