Page MenuHomePhabricator
Create Task
Maniphest T180488

api.log still contains passwords in plaintext due to a rebase error in 4d38a489
Closed, ResolvedPublic
Actions

Assigned To
Anomie
Authored By
Anomie
Nov 14 2017, 4:22 PM
Tags
Referenced Files
F10794117: T180488-REL1_29.patch
Nov 14 2017, 7:07 PM
F10794169: T180488-REL1_30.patch
Nov 14 2017, 7:07 PM
F10792561: 0001-SECURITY-Fix-rebase-error-in-4d38a489.patch
Nov 14 2017, 4:23 PM
F4932228: 0001-SECURITY-API-Don-t-log-sensitive-parameters.patch
Nov 14 2017, 4:22 PM
Subscribers
Aklapper
Bawolff
gerritbot

Description

This was supposed to be fixed in T125177: api.log contains passwords in plaintext. But when F4932228 was rebased to be applied as rMW4d38a489b075: SECURITY: API: Don't log "sensitive" parameters, part of the code was incorrectly rebased after changes in rMW47e2bec3611d: API: Allow finding log events and links to special pages, causing it to not actually function properly.

When reviewing an unrelated patch I noticed a bit of code that made no sense, and tracked it down to the above situation.

This was CVE-2017-0361 on the last release (will reuse for reference)

Details

SubjectRepoBranchLines +/-
SECURITY: Fix rebase error in 4d38a489mediawiki/coremaster+3 -3
SECURITY: Fix rebase error in 4d38a489mediawiki/coreREL1_30+3 -3
SECURITY: Fix rebase error in 4d38a489mediawiki/coreREL1_29+5 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

Anomie created this task.Nov 14 2017, 4:22 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 14 2017, 4:22 PM
Anomie added projects: MediaWiki-Action-API, Patch-For-Review.Nov 14 2017, 4:23 PM

0001-SECURITY-Fix-rebase-error-in-4d38a489.patch1 KBDownload

Reedy added a parent task: T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases.Nov 14 2017, 4:31 PM
Bawolff subscribed.Nov 14 2017, 7:07 PM

T180488-REL1_30.patch1 KBDownload

T180488-REL1_29.patch1 KBDownload

Reedy updated the task description. (Show Details)Nov 14 2017, 7:29 PM
Reedy mentioned this in T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases.Nov 14 2017, 7:33 PM
Reedy closed this task as Resolved.Nov 14 2017, 7:40 PM
Reedy assigned this task to Anomie.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 15 2017, 12:06 AM
gerritbot subscribed.Nov 15 2017, 12:59 AM

Change 391456 had a related patch set uploaded (by Reedy; owner: Anomie):
[mediawiki/core@master] SECURITY: Fix rebase error in 4d38a489

https://gerrit.wikimedia.org/r/391456

ReleaseTaggerBot added projects: MW-1.30-release-notes, MW-1.29-release-notes.Nov 15 2017, 1:01 AM
gerritbot added a comment.Nov 15 2017, 3:22 AM

Change 391456 merged by Reedy:
[mediawiki/core@master] SECURITY: Fix rebase error in 4d38a489

https://gerrit.wikimedia.org/r/391456

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2017-11-28 (1.31.0-wmf.10)).Nov 15 2017, 4:00 AM
chasemp added a project: Security.Feb 10 2020, 10:52 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:13 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:39 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits