Page MenuHomePhabricator
Create Task
Maniphest T224240

Deleting a log entry actor doesn't always hide the actor entirely
Closed, ResolvedPublic
Actions

Description

The "thanks" button can still be used to discover who committed the logged action.

See https://test.wikipedia.org/wiki/Special:Log?logid=220884 and then https://test.wikipedia.org/wiki/Special:Log?logid=220884&uselang=qqx

Details

SubjectRepoBranchLines +/-
SECURITY: Do not let users thank for a log entry if actor was deletedmediawiki/extensions/Thankswmf/1.34.0-wmf.11+2 -1
SECURITY: Do not let users thank for a log entry if actor was deletedmediawiki/extensions/Thankswmf/1.34.0-wmf.13+2 -1
SECURITY: Do not let users thank for a log entry if actor was deletedmediawiki/extensions/Thanksmaster+2 -1
Customize query in gerrit

Event Timeline

DannyS712 created this task.May 23 2019, 6:02 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 23 2019, 6:02 PM
DannyS712 added projects: Thanks, MediaWiki-Revision-deletion, User-DannyS712.May 23 2019, 6:03 PM
Restricted Application added a project: Growth-Team. · View Herald TranscriptMay 23 2019, 6:03 PM
DannyS712 moved this task from Unsorted to Others on the User-DannyS712 board.Jun 3 2019, 10:01 AM
Urbanecm claimed this task.Jul 11 2019, 9:27 AM
Urbanecm added a project: Vuln-Infoleak.
Urbanecm subscribed.

This should fix this.

T224240.patch1 KBDownload

Restricted Application added a project: User-Urbanecm. · View Herald TranscriptJul 11 2019, 9:29 AM
Urbanecm moved this task from Backlog to Waiting on review on the User-Urbanecm board.Jul 11 2019, 9:36 AM
Urbanecm moved this task from Backlog / Other to Patch pending review on the acl*security board.Jul 11 2019, 9:43 AM
Catrope subscribed.Jul 11 2019, 9:58 PM

Patch looks good to me, I will deploy it in an hour.

Catrope moved this task from Patch pending review to Patch pending deployment on the acl*security board.Jul 11 2019, 9:58 PM
Urbanecm added a comment.Jul 11 2019, 10:02 PM

Thank you, @Catrope. Could you please have a look at T207094 as well, if it's within your area of expertise? :-)

Catrope changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 11 2019, 10:51 PM
gerritbot added a comment.Jul 11 2019, 11:11 PM

Change 522202 merged by jenkins-bot:
[mediawiki/extensions/Thanks@master] SECURITY: Do not let users thank for a log entry if actor was deleted

https://gerrit.wikimedia.org/r/522202

gerritbot added a comment.Jul 11 2019, 11:31 PM

Change 522213 had a related patch set uploaded (by Catrope; owner: Urbanecm):
[mediawiki/extensions/Thanks@wmf/1.34.0-wmf.13] SECURITY: Do not let users thank for a log entry if actor was deleted

https://gerrit.wikimedia.org/r/522213

gerritbot added a project: Patch-For-Review.Jul 11 2019, 11:31 PM

Change 522214 had a related patch set uploaded (by Catrope; owner: Urbanecm):
[mediawiki/extensions/Thanks@wmf/1.34.0-wmf.11] SECURITY: Do not let users thank for a log entry if actor was deleted

https://gerrit.wikimedia.org/r/522214

gerritbot added a comment.Jul 11 2019, 11:47 PM

Change 522213 merged by jenkins-bot:
[mediawiki/extensions/Thanks@wmf/1.34.0-wmf.13] SECURITY: Do not let users thank for a log entry if actor was deleted

https://gerrit.wikimedia.org/r/522213

gerritbot added a comment.Jul 11 2019, 11:48 PM

Change 522214 merged by jenkins-bot:
[mediawiki/extensions/Thanks@wmf/1.34.0-wmf.11] SECURITY: Do not let users thank for a log entry if actor was deleted

https://gerrit.wikimedia.org/r/522214

ReleaseTaggerBot added a project: MW-1.34-notes (1.34.0-wmf.13; 2019-07-09).Jul 12 2019, 12:00 AM
Urbanecm added a comment.Jul 12 2019, 8:32 AM

Thanks @Catrope for deployment. Can this be closed as "resolved" then?

Catrope closed this task as Resolved.Jul 12 2019, 10:17 PM

Yes, sorry for forgetting. I was waiting for the patches to merge.

DannyS712 moved this task from Others to Resolved tasks (others) on the User-DannyS712 board.Jul 16 2019, 10:32 PM
sbassett moved this task from Patch pending deployment to Done on the acl*security board.Sep 26 2019, 2:36 PM
chasemp added a project: Security.Feb 10 2020, 10:51 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL