Page MenuHomePhabricator

Templates are parsed in AbuseLog
Closed, ResolvedPublic

Description

In the abuse filter log (Special:AbuseLog), the description of the filter (see line 769 and 826 of "includes/special/SpecialAbuseLog.php" in AbuseFilter extension), should not be parsed.

For example, see https://en.wikipedia.org/w/index.php?title=Special:AbuseLog&wpSearchUser=MaxSem

Event Timeline

This is probably not a security issue, unless you see the same thing somewhere else too. From what I see, at worst it makes viewing some logs annoying. The filter descriptions can only be edited by trusted users.

I just quickly logged this bug, needs checking what else is parsed. If it's only things editable by privileged groups, then it can be made public.

RobLa-WMF lowered the priority of this task from Medium to Low.Aug 2 2016, 8:32 PM

@Bawolff, @dpatrick and I triaged this. Max, is the danger that someone can inject hyperlinks/etc in the AbuseLog?

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".

Making public, I don't see any way to exploit this

Change 418584 had a related patch set uploaded (by Melos; owner: Melos):
[mediawiki/extensions/AbuseFilter@master] Always show abuse filter public comments as plain text

https://gerrit.wikimedia.org/r/418584

Change 418584 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Always show abuse filter public comments as plain text

https://gerrit.wikimedia.org/r/418584

matej_suchanek assigned this task to Melos.
matej_suchanek edited projects, added User-notice; removed Patch-For-Review.
matej_suchanek moved this task from To Triage to Announce in next Tech/News on the User-notice board.
matej_suchanek unsubscribed.