Page MenuHomePhabricator
Create Task
Maniphest T187638

When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information (CVE-2018-0504)
Closed, ResolvedPublic
Actions

Description

On the English Wikipedia [[Special:Redirect/logid/89126214]] links to https://en.wikipedia.org/w/index.php?title=Special%3ALog&limit=1&offset=20180216090941&type=rights&user=Oshwah, which shows

08:34, 16 February 2018 Oshwah (talk | contribs) changed group membership for Cyrus noto3at bulaga from extended confirmed user to extended confirmed user, pending changes reviewer and rollbacker (Granting pending changes reviewer and rollbacker. User is active in RC patrolling, reverting vandalism, and reviewing - would make good use of the tools.)

&user=Oshwah reveals the hidden user. The information may also be suppressed.

Linking to https://en.wikipedia.org/w/index.php?title=Special%3ALog&limit=1&offset=20180216090941&type=rights shows the correct log event.

09:09, 16 February 2018 (Username or IP removed) (log details removed) (Confirmed as recently active IP. Granting 'confirmed' flag manually.)
Log event from the API
{
    "batchcomplete": "",
    "query": {
        "logevents": [
            {
                "logid": 89126214,
                "actionhidden": "",
                "type": "rights",
                "action": "rights",
                "userhidden": "",
                "timestamp": "2018-02-16T09:09:40Z",
                "comment": "Confirmed as recently active IP. Granting 'confirmed' flag manually."
            }
        ]
    }
}
Log event hiding the above log event
{
    "batchcomplete": "",
    "continue": {
        "lecontinue": "20180214180709|89093360",
        "continue": "-||"
    },
    "query": {
        "logevents": [
            {
                "logid": 89126301,
                "ns": -1,
                "title": "Special:Log/rights",
                "pageid": 0,
                "logpage": 0,
                "params": {
                    "type": "logging",
                    "ids": [
                        "89126214"
                    ],
                    "old": {
                        "bitmask": 0
                    },
                    "new": {
                        "bitmask": 5,
                        "content": "",
                        "user": ""
                    }
                },
                "type": "delete",
                "action": "event",
                "user": "Oshwah",
                "timestamp": "2018-02-16T09:18:12Z",
                "comment": "[[WP:RD5|RD5]]: Other valid deletion under [[WP:DEL#REASON|deletion policy]]"
            }
        ]
    }
}

Special:Redirect/logid was implemented in rMW1b294bd3c538: Make Special:Redirect page redirect to log events by ID for T71107: Allow browsing log events by log ID.

Details

SubjectRepoBranchLines +/-
Add 'logid' parameter to Special:Logmediawiki/coreREL1_27+31 -71
Add 'logid' parameter to Special:Logmediawiki/coreREL1_29+31 -71
Add 'logid' parameter to Special:Logmediawiki/coreREL1_31+31 -77
Add 'logid' parameter to Special:Logmediawiki/coreREL1_30+31 -71
Add 'logid' parameter to Special:Logmediawiki/coremaster+30 -77
Customize query in gerrit

Related Objects
Search...

Event Timeline

JJMC89 created this task.Feb 18 2018, 4:51 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 18 2018, 4:51 AM
JJMC89 added a project: MediaWiki-Special-pages.Feb 18 2018, 4:52 AM

Apologies if this shouldn't be a Security task.

Bawolff added projects: MediaWiki-Revision-deletion, Vuln-Infoleak.Feb 18 2018, 12:37 PM
Bawolff subscribed.
In T187638#3981346, @JJMC89 wrote:

Apologies if this shouldn't be a Security task.

This definitely is a security task (leaking secret info)

Thank you for reporting this.

)

JJMC89 updated the task description. (Show Details)Feb 18 2018, 9:44 PM
Bawolff mentioned this in T188145: Special:Log implements revdel restrictions incorrectly when filtering on log type or log author.Feb 23 2018, 9:42 PM
Bawolff moved this task from Backlog / Other to Patch pending review on the acl*security board.Feb 23 2018, 9:56 PM
Bawolff added a project: Patch-For-Review.

There's also an issue with Special:redirect/user if the user has been revdel'd

T187638.patch3 KBDownload

Anomie subscribed.Feb 24 2018, 12:38 AM

Code-Review-1

+			'log_type' => LogPage::DELETED_ACTION,

We were discussing this on T188145, I don't think this is correct.

+		// get rid of log_id and log_deleted.
+		array_shift( $logparams );
 		array_shift( $logparams );

This should probably just use unset().

+				if ( !LogEventsList::userCan(
+					$rowMain, $fieldToBitsMapping[$cond], $user
+				) ) {
+					// This field is redacted for main log entry,
+					// so treat as always matching.
+					$matchedRows[] = $row;
+					continue;
+				}

This could go outside the inner loop, just assign $matchedRows = $logsSameTimestamps and continue. If you change the code below to use $mainRow instead of $matchedRows[0], you could even skip the assignment.

Also, won't this and the bits below generate undefined index warnings when trying to access $fieldToBitsMapping[$cond] for $cond === 'log_timestamp'?

Bawolff added a comment.Mar 5 2018, 3:11 AM

Thanks for the review. PS2:

T187638-v2.patch3 KBDownload

Anomie added a comment.Mar 5 2018, 6:12 PM
-               array_shift( $logparams );
+               // get rid of log_id and log_deleted.
+               unset( $logparams[0] );
+               unset( $logparams[1] );

Huh? $logparams doesn't have a [0] or [1] ... Oh, I see, this needs a rebase on top of rMW27c61fb1e94d: Add `actor` table and code to start using it.

+                       if (
+                               $logKey === 'log_user_text' &&
+                               !LogEventsList::userCan(
+                                       $rowMain, LogPage::DELETED_USER, $user
+                               )
+                       ) {
+                               continue;
+                       }
                        $query[$keys[$logKey]] = $matchedRows[0]->$logKey;

I'd prefer it if you used either $rowMain or $matchedRows[0] consistently here.

Bawolff added a parent task: T181665: Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release.Mar 28 2018, 6:59 AM
Samwilson subscribed.Apr 23 2018, 10:29 PM

Could this be fixed by removing the log look-up entirely from Special:Redirect and having a log-ID parameter to Special:Log? (Have done so in https://gerrit.wikimedia.org/r/#/c/428265/ for T191608).

Bawolff added a comment.May 2 2018, 10:46 PM

that would certainly simplify the code

Anomie merged a task: Restricted Task.May 3 2018, 2:30 PM
Anomie added a subscriber: Umherirrender.
Reedy subscribed.Jul 7 2018, 10:46 AM
In T187638#4151786, @Samwilson wrote:

Could this be fixed by removing the log look-up entirely from Special:Redirect and having a log-ID parameter to Special:Log? (Have done so in https://gerrit.wikimedia.org/r/#/c/428265/ for T191608).

Do we want to backport this patch then?

Reedy added a comment.Jul 7 2018, 11:13 AM

Done in https://gerrit.wikimedia.org/r/#/q/I5f2e52531cd2ba617a25570e40aa8c5168e284d9

Does this patch fix the bug fully on it's own then?

Reedy mentioned this in T181665: Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release.Jul 7 2018, 5:24 PM
Reedy closed this task as Resolved.Jul 7 2018, 5:29 PM
Reedy assigned this task to Samwilson.

Closing as patches merged.

To be opened up to public with security release

Legoktm mentioned this in T199021: Release MediaWiki 1.27.5/1.29.3/1.30.1/1.31.1.Aug 29 2018, 12:55 AM
Legoktm mentioned this in T199027: Obtain CVEs for 1.27.5/1.29.3/1.30.1/1.31.1 security releases.Aug 29 2018, 1:14 AM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 20 2018, 9:34 PM
MoritzMuehlenhoff renamed this task from When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information to When a log event is (partially) hidden Special:Redirect/logid can link to the incorrect log and reveal hidden information (CVE-2018-0504).Sep 21 2018, 7:25 AM
Bawolff mentioned this in T230402: Exposed suppressed username via Special:Redirect.Aug 19 2019, 10:14 PM
sbassett moved this task from Patch pending review to Done on the acl*security board.Sep 26 2019, 2:39 PM
chasemp added a project: Security.Feb 10 2020, 10:52 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:13 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:39 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits