
api.log still contains passwords in plaintext due to a rebase error in 4d38a489
Closed, Resolved · Public

Description

This was supposed to be fixed in T125177: api.log contains passwords in plaintext. But when F4932228 was rebased to be applied as rMW4d38a489b075: SECURITY: API: Don't log "sensitive" parameters, part of the code was incorrectly rebased after changes in rMW47e2bec3611d: API: Allow finding log events and links to special pages, causing it to not actually function properly.

When reviewing an unrelated patch I noticed a bit of code that made no sense, and tracked it down to the above situation.

This was CVE-2017-0361 on the last release (will reuse for reference)
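The underlying safeguard this task is about is a log-sanitisation step: the API must replace the values of parameters declared sensitive (passwords, tokens) before the request is written to api.log, and a rebase that silently breaks that step is invisible unless something checks the log output itself. The block below is an added illustrative example, not MediaWiki code and not the patched function; the module names, parameter names and the `SENSITIVE_PARAMS` table are assumptions chosen for illustration, and the query strings are constructed. It shows the redaction pattern together with the regression check a reviewer would want: assert on the formatted log line that the secret value is absent, rather than trusting that the redaction code is wired in.

```python
"""Illustrative example (added, not MediaWiki's own code): redact sensitive
API parameters before building a request-log line, and check the result.
Module and parameter names below are assumptions for illustration."""

import json
from urllib.parse import parse_qs

# Assumed per-module declaration of parameters that must never be logged.
# A real API would have each module declare its own sensitive parameters.
SENSITIVE_PARAMS = {
    "login": {"lgpassword", "lgtoken"},
    "clientlogin": {"password", "retype", "logintoken"},
    "createaccount": {"password", "retype", "createtoken"},
}

REDACTED = "[redacted]"


def parse_query(query_string):
    """Parse a raw query string into a flat {name: value} dict (first value wins)."""
    return {k: v[0] for k, v in
            parse_qs(query_string, keep_blank_values=True).items()}


def redact_params(action, params):
    """Return a copy of params with this action's sensitive values replaced.

    Unknown actions have no sensitive list, so nothing is redacted for them;
    that is deliberate here, since the point is per-module declaration."""
    sensitive = SENSITIVE_PARAMS.get(action, set())
    return {k: (REDACTED if k in sensitive else v) for k, v in params.items()}


def format_log_line(query_string):
    """Build the api.log line for a request, redacting BEFORE formatting."""
    raw = parse_query(query_string)
    safe = redact_params(raw.get("action", ""), raw)
    return "API " + json.dumps(safe, sort_keys=True)


def format_log_line_unredacted(query_string):
    """Constructed 'broken' path that logs the raw parameters. This is only a
    stand-in for a redaction step that does not take effect; it is not a
    reconstruction of the actual rebase error in 4d38a489."""
    return "API " + json.dumps(parse_query(query_string), sort_keys=True)


def log_leaks_secret(log_line, secret):
    """Regression check: true if the secret value survives into the log line.

    Checking the final output, not the redaction helper, is what catches a
    helper that exists but is no longer called on the logging path."""
    return secret in log_line


if __name__ == "__main__":
    # Constructed sample request; the password value is the thing to look for.
    req = "action=login&lgname=Alice&lgpassword=hunter2&format=json"
    good = format_log_line(req)
    bad = format_log_line_unredacted(req)
    print(good)  # lgpassword shows as [redacted]
    print("good leaks:", log_leaks_secret(good, "hunter2"))
    print("bad leaks: ", log_leaks_secret(bad, "hunter2"))
```

The check in `log_leaks_secret` is intentionally dumb: it searches the finished log line for the plaintext secret. A unit test written that way fails whenever the redaction is bypassed, whatever the cause, which is exactly the class of regression the description reports.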

Event Timeline

Anomie created this task. Nov 14 2017, 4:22 PM
Restricted Application added a subscriber: Aklapper. Nov 14 2017, 4:22 PM


Reedy updated the task description. (Show Details) Nov 14 2017, 7:29 PM
Reedy closed this task as Resolved. Nov 14 2017, 7:40 PM
Reedy assigned this task to Anomie.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Nov 15 2017, 12:06 AM

Change 391456 had a related patch set uploaded (by Reedy; owner: Anomie):
[mediawiki/core@master] SECURITY: Fix rebase error in 4d38a489

https://gerrit.wikimedia.org/r/391456

Change 391456 merged by Reedy:
[mediawiki/core@master] SECURITY: Fix rebase error in 4d38a489

https://gerrit.wikimedia.org/r/391456