Page MenuHomePhabricator
Create Task
Maniphest T162621

Flow Nuke integration is broken for non-existent users
Closed, ResolvedPublic
Actions

Description

For non-existent users ("This username was never registered"), it will instead show all anonymous Flow creations, risking that someone will accidentally delete constructive posts by anonymous users.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Don't treat non-existent user as "any anon"mediawiki/extensions/FlowREL1_28+1 -1
SECURITY: Don't treat non-existent user as "any anon"mediawiki/extensions/FlowREL1_27+1 -1
SECURITY: Don't treat non-existent user as "any anon"mediawiki/extensions/Flowmaster+1 -1
Customize query in gerrit

Event Timeline

Mattflaschen-WMF created this task.Apr 10 2017, 5:44 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 10 2017, 5:44 PM
Mattflaschen-WMF claimed this task.Apr 10 2017, 5:46 PM
Mattflaschen-WMF triaged this task as Unbreak Now! priority.
Mattflaschen-WMF updated the task description. (Show Details)
Mattflaschen-WMF added subscribers: SBisson, Trizek-WMF, Pginer-WMF and 4 others.
Mattflaschen-WMF added a comment.Apr 10 2017, 6:53 PM

T162621.patch943 BDownload

SBisson added a comment.Apr 10 2017, 7:00 PM
In T162621#3169312, @Mattflaschen-WMF wrote:

T162621.patch943 BDownload

+2

dpatrick subscribed.EditedApr 10 2017, 10:45 PM

This has been deployed:

22:45 dapatrick: Deployed patch for T162621 to wmf18 and wmf19

Catrope added projects: StructuredDiscussions, MediaWiki-extensions-Nuke.Apr 13 2017, 5:40 PM
Restricted Application added a project: Collaboration-Team-Triage. · View Herald TranscriptApr 13 2017, 5:40 PM
Catrope added a comment.Apr 13 2017, 5:41 PM

Now that the patch is deployed in production, should it be merged into master as well? It's not clear to me what the policy is for security fixes in extensions that are not part of the release bundle.

Catrope added a project: User-notice-collaboration.Apr 13 2017, 5:41 PM
Catrope removed a project: User-notice-collaboration.
Mattflaschen-WMF added a comment.Apr 17 2017, 4:05 AM
In T162621#3179557, @Catrope wrote:

Now that the patch is deployed in production, should it be merged into master as well? It's not clear to me what the policy is for security fixes in extensions that are not part of the release bundle.

Once it's deployed, it can go to Gerrit, per https://phabricator.wikimedia.org/T146425#2742263 .

Mattflaschen-WMF added a comment.Apr 17 2017, 4:52 AM

This is now merged to master and I've put up release branch backports:

master - https://gerrit.wikimedia.org/r/#/c/348407/ (merged)
1.27 - https://gerrit.wikimedia.org/r/#/c/348408/1
1.28 - https://gerrit.wikimedia.org/r/#/c/348409/1

Unfortunately, I ran into https://github.com/composer/composer/pull/5660, so the release branch commits are V-1. Nevertheless, it's public now, so I had to announce it to let people know to update. So I've sent it out to wikitech-l@lists.wikimedia.org and mediawiki-l@lists.wikimedia.org, but we now need to get those merged.

Legoktm said I should just cherry-pick a patch that excludes vendor, so I've done so:
1.27 - https://gerrit.wikimedia.org/r/348410
1.28 - https://gerrit.wikimedia.org/r/348411

Once the last two are merged, we should able to merge the security patch backports cleanly.

Mattflaschen-WMF added a comment.Apr 17 2017, 6:40 PM

This is now merged to all supported branches, and announced. Please make this task public.

Catrope changed the visibility from "Custom Policy" to "Public (No Login Required)".Apr 17 2017, 6:42 PM
Restricted Application added subscribers: Jay8g, TerraCodes. · View Herald TranscriptApr 17 2017, 6:42 PM
Mattflaschen-WMF edited projects, added Collaboration-Team-Triage (Collab-Team-Q4-Apr-Jun-2017); removed Collaboration-Team-Triage.Apr 17 2017, 8:41 PM
Restricted Application removed a subscriber: TerraCodes. · View Herald TranscriptApr 17 2017, 8:41 PM
Mattflaschen-WMF moved this task from Untriaged to QA Review on the Collaboration-Team-Triage (Collab-Team-Q4-Apr-Jun-2017) board.Apr 17 2017, 8:41 PM
Etonkovidova added a comment.Apr 20 2017, 7:00 PM

Checked in enwiki betalabs - when non-existing username is entered on Special:Nuke, the warning is displayed: "No new pages by [non-existing username] in recent changes." And no list of new pages is displayed.

Screen Shot 2017-04-20 at 11.42.13 AM.png (621×651 px, 60 KB)

QA Recommendation: Resolve

Etonkovidova moved this task from QA Review to Product Review on the Collaboration-Team-Triage (Collab-Team-Q4-Apr-Jun-2017) board.Apr 20 2017, 7:36 PM
dpatrick closed this task as Resolved.Apr 25 2017, 4:10 PM
chasemp added a project: Security.Feb 10 2020, 10:50 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits