Page MenuHomePhabricator
Create Task
Maniphest T222036

Exposed suppressed username or log in Special:EditTags
Closed, ResolvedPublic
Actions

Description

EditTags/revision delete interface leaks the following data for users with appropriate rights (in edittags case that is all users): The target of log entries that are restricted via log_deleted db field. The full log entry of logs that are restricted via $wgLogRestrictions

Case 1

Special:EditTags exposes suppressed (hideuser-ed) username in (Logs) link due to username are hard coded.

Step to reproduce:

  1. Logged in as user
  2. Go to Special:Log/block or similar page
  3. Check revision deleted or suppressed username log entry
  4. Click [Edit tags of selected log entries] (MediaWiki:log-edit-tags) button
  5. Click (Logs) Link

Expected:
Should not hard code username in the link when log is deleted or suppressed.

Original reporter : User:Ohgi

Case 2

Expose suppress log by set logid by manually

Step to reproduce:

  1. Logged in as user
  2. Go to Special:Log
  3. Check any entry
  4. Click [Edit tags of selected log entries] (MediaWiki:log-edit-tags) button
  5. Set logid as suppress log (e.g. increase or decrease logid by any logid)
  6. View the page

e.g. https://test.wikipedia.org/w/index.php?action=historysubmit&type=logging&editchangetags=1&ids%5B224251%5D=1

Expected:
MUST prohibit access to the log

Details

SubjectRepoBranchLines +/-
SECURITY: Add permission check for user is permitted to view the log typemediawiki/coreREL1_31+4 -1
SECURITY: Add permission check for user is permitted to view the log typemediawiki/coreREL1_33+4 -1
SECURITY: Add permission check for user is permitted to view the log typemediawiki/coreREL1_32+4 -1
SECURITY: Add permission check for user is permitted to view the log typemediawiki/coremaster+4 -1
SECURITY: Add permission check for user is permitted to view the log typemediawiki/coreREL1_30+4 -1
SECURITY: Add permission check for user is permitted to view the log typemediawiki/coreREL1_27+4 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

Rxy created this task.Apr 28 2019, 2:14 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 28 2019, 2:14 PM
Rxy triaged this task as High priority.Apr 28 2019, 2:15 PM
Rxy added projects: MediaWiki-General, MediaWiki-Revision-deletion.
Rxy updated the task description. (Show Details)Apr 28 2019, 2:18 PM
Rxy added a subscriber: Ohgi.Apr 28 2019, 2:24 PM
Rxy renamed this task from Expose suppressed username in Special:EditTags to Expose suppressed username or log in Special:EditTags.Apr 28 2019, 2:49 PM
Rxy raised the priority of this task from High to Unbreak Now!.
Rxy updated the task description. (Show Details)
Rxy updated the task description. (Show Details)
Rxy mentioned this in T222038: Exposed suppressed log in RevisionDelete page.Apr 28 2019, 2:56 PM
Rxy updated the task description. (Show Details)Apr 28 2019, 3:10 PM
Rxy added a project: MediaWiki-Logevents.Apr 28 2019, 6:54 PM
Rxy added a project: Patch-For-Review.Apr 28 2019, 8:12 PM

T222036.patch1 KBDownload

This is security fix patch for Case 1

Rxy added a project: User-Rxy.Apr 28 2019, 8:36 PM
Rxy moved this task from Backlog to Security on the User-Rxy board.
Reedy renamed this task from Expose suppressed username or log in Special:EditTags to Exposed suppressed username or log in Special:EditTags.Apr 29 2019, 3:01 PM
Reedy added a parent task: T205041: Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release.Apr 30 2019, 3:51 PM
Bawolff subscribed.Apr 30 2019, 4:17 PM

Just FYI I tested this on history pages, and the bug is not present on history pages.

Bawolff updated the task description. (Show Details)Apr 30 2019, 5:38 PM
Bawolff added a comment.EditedApr 30 2019, 7:01 PM
In T222036#5142596, @Rxy wrote:

T222036.patch1 KBDownload

This is security fix patch for Case 1

So i think this is ok for right now, but long term we might want to make the logic that makes that (logs) link actually respect revdel status, like it does on history pages.

Possibly restricted editing tags on any deleted field is a bit too far, but we can sort that out later, I think this patch is good for right now.

So yeah, +1 on this patch

sbassett subscribed.Apr 30 2019, 9:53 PM

T222036.patch was deployed to 1.34.0-wmf.1 and 1.34.0-wmf.3.

sbassett closed this task as Resolved.Apr 30 2019, 9:54 PM
sbassett claimed this task.
sbassett mentioned this in T222324: Unable to perform revision deletion on Commons.May 2 2019, 3:59 PM
Reedy mentioned this in T205041: Tracking bug for 1.27.6/1.30.2/1.31.2/1.32.2 security release.May 28 2019, 2:50 PM
Reedy mentioned this in T205048: Obtain CVEs for 1.27.6/1.30.2/1.31.2/1.32.2 security releases.May 29 2019, 12:13 AM
Reedy mentioned this in T224499: RELEASE-NOTES for 1.27.6/1.30.2/1.31.2/1.32.2.May 29 2019, 12:32 AM
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 6 2019, 4:03 PM
gerritbot added a comment.Jun 6 2019, 4:06 PM

Change 514767 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_27] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514767

gerritbot added a comment.Jun 6 2019, 4:07 PM

Change 514767 merged by Reedy:
[mediawiki/core@REL1_27] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514767

gerritbot added a comment.Jun 6 2019, 4:08 PM

Change 514778 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_30] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514778

gerritbot added a comment.Jun 6 2019, 4:08 PM

Change 514778 merged by Reedy:
[mediawiki/core@REL1_30] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514778

ReleaseTaggerBot added projects: MW-1.27-release-notes, MW-1.30-release-notes.Jun 6 2019, 5:00 PM
gerritbot added a comment.Jun 6 2019, 7:02 PM

Change 514854 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_31] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514854

gerritbot added a comment.Jun 6 2019, 8:36 PM

Change 514758 merged by jenkins-bot:
[mediawiki/core@master] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514758

gerritbot added a comment.Jun 6 2019, 8:51 PM

Change 514954 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_32] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514954

ReleaseTaggerBot added a project: MW-1.34-notes (1.34.0-wmf.10; 2019-06-18).Jun 6 2019, 9:00 PM
gerritbot added a comment.Jun 6 2019, 11:02 PM

Change 514978 had a related patch set uploaded (by Reedy; owner: Rxy):
[mediawiki/core@REL1_33] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514978

gerritbot added a comment.Jun 6 2019, 11:14 PM

Change 514954 merged by jenkins-bot:
[mediawiki/core@REL1_32] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514954

gerritbot added a comment.Jun 6 2019, 11:39 PM

Change 514978 merged by jenkins-bot:
[mediawiki/core@REL1_33] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514978

ReleaseTaggerBot added projects: MW-1.33-notes, MW-1.32-notes.Jun 7 2019, 12:01 AM
gerritbot added a comment.Jun 7 2019, 12:03 AM

Change 514854 merged by jenkins-bot:
[mediawiki/core@REL1_31] SECURITY: Add permission check for user is permitted to view the log type

https://gerrit.wikimedia.org/r/514854

ReleaseTaggerBot added a project: MW-1.31-release-notes.Jun 7 2019, 1:00 AM
Rxy mentioned this in T239494: Requesting access to LogStash for rxy.Nov 30 2019, 12:26 AM
chasemp added a project: Security.Feb 10 2020, 10:50 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL