Admins can get around oversight (suppression) of file revisions
Closed, ResolvedPublic

Description

Admins (More generally, users with undelete rights) can remove the revision deletion status of a file revision (Including if the file is suppressed), even if they don't have suppressrevision or deleterevision rights. Admins are not supposed to be able to do this.

Basically, when doing Special:Undelete, if the file version you're undeleting would be the newest version of the image (So it would be the main image associated with the file page), then the fa_deleted field is totally ignored during the undeletion process.

Steps to reproduce:

  • Find some file version that's suppressed. (this works both for "deleted" suppressed files, and files that are not "deleted" but just "suppressed")
  • If there is currently an image for the associated page, "delete" (that is, normal ?action=delete, not revdel) the image, so that there is no image when browsing to File:<filename>
  • Special:Undelete the specific revision you want to remove suppresion from (and only that revision)
  • Image should now be publicly viewable, despite the fact that admins aren't supposed to be able to view it.
Bawolff created this task.Apr 18 2016, 4:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 18 2016, 4:09 PM
Restricted Application added projects: Multimedia, Commons. · View Herald TranscriptApr 18 2016, 4:10 PM

csteipp added a subscriber: aaron.Apr 19 2016, 9:38 PM
csteipp triaged this task as "High" priority.Apr 19 2016, 9:40 PM

@aaron, would you review Brian's patch here?

aaron added a comment.Jul 7 2016, 9:18 PM

Yeah, that check was backwards. The cleanupBatch field is already updated at the end of each loop iteration.

The patch looks all good to me.

dpatrick closed this task as "Resolved".Jul 18 2016, 10:37 PM

22:34 dapatrick: Deployed patch for T132926 to wmf.10

demon changed the visibility from "Custom Policy" to "Public (No Login Required)".Aug 23 2016, 1:24 AM
demon changed Security from Software security bug to None.
Restricted Application added subscribers: JEumerus, Matanya. · View Herald TranscriptAug 23 2016, 1:24 AM

Change 306117 merged by jenkins-bot:
SECURITY: Do not allow undeleting a revdel'd file if its top file

https://gerrit.wikimedia.org/r/306117

Change 306131 had a related patch set uploaded (by Ejegg):
Do not allow undeleting a revdel'd file if its top file

https://gerrit.wikimedia.org/r/306131

Change 306108 merged by jenkins-bot:
SECURITY: Do not allow undeleting a revdel'd file if its top file

https://gerrit.wikimedia.org/r/306108

Change 306131 merged by jenkins-bot:
Do not allow undeleting a revdel'd file if its top file

https://gerrit.wikimedia.org/r/306131

Change 306089 merged by jenkins-bot:
SECURITY: Do not allow undeleting a revdel'd file if its top file

https://gerrit.wikimedia.org/r/306089

Change 306098 merged by jenkins-bot:
SECURITY: Do not allow undeleting a revdel'd file if its top file

https://gerrit.wikimedia.org/r/306098