Page MenuHomePhabricator

Templates are parsed in AbuseLog
Closed, ResolvedPublic


In the abuse filter log (Special:AbuseLog), the description of the filter (see line 769 and 826 of "includes/special/SpecialAbuseLog.php" in AbuseFilter extension), should not be parsed.

For example, see

Event Timeline

MaxSem created this task.Jul 29 2016, 11:23 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 29 2016, 11:23 PM

This is probably not a security issue, unless you see the same thing somewhere else too. From what I see, at worst it makes viewing some logs annoying. The filter descriptions can only be edited by trusted users.

I just quickly logged this bug, needs checking what else is parsed. If it's only things editable by privileged groups, then it can be made public.

dpatrick triaged this task as Medium priority.Aug 2 2016, 8:29 PM
RobLa-WMF lowered the priority of this task from Medium to Low.Aug 2 2016, 8:32 PM

@Bawolff, @dpatrick and I triaged this. Max, is the danger that someone can inject hyperlinks/etc in the AbuseLog?

Bawolff updated the task description. (Show Details)Dec 10 2017, 3:32 PM
Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".

Making public, I don't see any way to exploit this

Looks like a duplicate of T26309 to me.

matmarex removed a subscriber: matmarex.Dec 11 2017, 5:16 PM

Change 418584 had a related patch set uploaded (by Melos; owner: Melos):
[mediawiki/extensions/AbuseFilter@master] Always show abuse filter public comments as plain text

Change 418584 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] Always show abuse filter public comments as plain text

matej_suchanek closed this task as Resolved.Mar 29 2018, 5:03 PM
matej_suchanek assigned this task to Melos.
matej_suchanek edited projects, added User-notice; removed Patch-For-Review.
matej_suchanek moved this task from To Triage to Announce in next Tech/News on the User-notice board.
matej_suchanek removed a subscriber: matej_suchanek.