
api.log still contains passwords in plaintext due to a rebase error in 4d38a489
Closed, Resolved. Public

Description

This was supposed to be fixed in T125177: api.log contains passwords in plaintext. But when F4932228 was rebased to be applied as rMW4d38a489b075: SECURITY: API: Don't log "sensitive" parameters, part of the code was incorrectly rebased on top of the changes in rMW47e2bec3611d: API: Allow finding log events and links to special pages, with the result that the fix did not actually work.

When reviewing an unrelated patch I noticed a bit of code that made no sense, and tracked it down to the above situation.

This was CVE-2017-0361 on the last release (will reuse for reference)
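A check an operator might run over an existing api.log to find entries written while the fix was broken, i.e. sensitive parameters whose values were logged in the clear. This is an added example, not MediaWiki code; the line format, the set of sensitive parameter names and the `[redacted]` marker are assumptions for the constructed sample, not taken from this task.

```python
import re
from dataclasses import dataclass

# Assumed set of sensitive API parameter names; MediaWiki's own list may differ.
SENSITIVE_PARAMS = {"lgpassword", "password", "retype", "wpPassword", "wpRetype"}
# Assumed marker written in place of a sensitive value once redaction works.
REDACTED = "[redacted]"

# Constructed api.log lines: a fixed prefix followed by space-separated key=value pairs.
# Line 1 shows working redaction, lines 2 and 4 show the regression described above.
SAMPLE_LOG = """\
API POST 203.0.113.5 Anonymous 12ms action=login format=json lgname=Alice lgpassword=[redacted]
API POST 203.0.113.5 Anonymous 9ms action=login format=json lgname=Bob lgpassword=hunter2
API GET 198.51.100.7 Carol 3ms action=query format=json list=logevents letitle=Special%3AUserLogin
API POST 198.51.100.7 Carol 11ms action=createaccount format=json username=Dave password=s3cret retype=s3cret
"""

# A key=value token: the key starts the line or follows whitespace, the value runs to the next space.
PARAM_RE = re.compile(r"(?<!\S)([A-Za-z0-9_]+)=(\S*)")


@dataclass(frozen=True)
class Leak:
    line_no: int
    param: str


def find_leaks(log_text: str, sensitive=SENSITIVE_PARAMS) -> list:
    """Return one Leak per sensitive parameter whose logged value is not the redaction marker."""
    leaks = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for name, value in PARAM_RE.findall(line):
            if name in sensitive and value != REDACTED:
                leaks.append(Leak(line_no, name))
    return leaks


def redact_line(line: str, sensitive=SENSITIVE_PARAMS) -> str:
    """Rewrite a single log line so every sensitive parameter carries the redaction marker."""
    def replace(match):
        name = match.group(1)
        return f"{name}={REDACTED}" if name in sensitive else match.group(0)
    return PARAM_RE.sub(replace, line)


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(f"line {leak.line_no}: {leak.param} logged in plaintext")
```

Lines reported by `find_leaks` are the ones whose credentials should be treated as exposed; `redact_line` shows the output the fixed code is expected to produce for the same input.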

Event Timeline
Reedy assigned this task to Anomie.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Nov 15 2017, 12:06 AM

Change 391456 had a related patch set uploaded (by Reedy; owner: Anomie):
[mediawiki/core@master] SECURITY: Fix rebase error in 4d38a489

https://gerrit.wikimedia.org/r/391456

Change 391456 merged by Reedy:
[mediawiki/core@master] SECURITY: Fix rebase error in 4d38a489

https://gerrit.wikimedia.org/r/391456