Page MenuHomePhabricator

Force user ID to 0 when reading revisions from another wiki's database
Closed, ResolvedPublic

Description

For a UserIdentity constructed from a revision row loaded from the database of another wiki, the user ID (and actor ID) must be ignored and forced to be 0. To find the relevant code, search for calls to $user = User::newFromAnyId() in RevisionStore. These calls must have the user ID and actor ID suppressed if $this->wikiId is not false.

This is a stop-gap solution for the problem described in T222212: RevisionStore must not expose user IDs from a foreign wiki.

A more thorough solution will need T222380: Decide how to represent the identity of users from another wiki..

Details

Related Gerrit Patches:

Event Timeline

daniel created this task.May 2 2019, 4:39 PM
daniel updated the task description. (Show Details)
daniel updated the task description. (Show Details)

@BPirkle do you think you could take this on?

daniel triaged this task as High priority.May 2 2019, 4:42 PM

Bumping to high, since this has the potential to cause subtle data corruption and confusing failure modes. Cross-wiki revision access is still uncommon, so this isn't a very high risk, but still bad enough that we should look into it soon, I think.

BPirkle claimed this task.May 2 2019, 4:48 PM

Sure. As this is prioritized as high, I'll transition to it shortly.

Change 507908 had a related patch set uploaded (by BPirkle; owner: BPirkle):
[mediawiki/core@master] Force user id and actor id to 0 when loading from remote wikis

https://gerrit.wikimedia.org/r/507908

Change 507908 merged by jenkins-bot:
[mediawiki/core@master] Force user id and actor id to 0 when loading from remote wikis

https://gerrit.wikimedia.org/r/507908

daniel closed this task as Resolved.May 6 2019, 3:29 PM