Rolling back a revision with (username removed) exposes removed IP
Closed, Duplicate; Public

Description

https://en.wikipedia.beta.wmflabs.org/w/index.php?title=Book&action=history

I clicked "rollback" to roll back the vandalism, but this exposed the redacted IP in the edit summary.

Event Timeline

Unsure how the IP got hidden in the first place. I've saved a few edits to https://en.wikipedia.beta.wmflabs.org/w/index.php?title=Draft:A&action=history and anonymously, and it says "username removed" automatically, with no action from my side. On the other hand, the IP is visible in Special:RecentChanges with no problems. If this is a data leak (and not an issue like "IP is redacted while it shouldn't be"), then it's an important leak given the visibility of RC.

Tried to revdel the IP in https://en.wikipedia.beta.wmflabs.org/w/index.php?title=Test&action=history and then rolled it back. The summary says "Reverted edits by a hidden user to last revision by 81.158.28.42", which is what I expect it to :).

Would appreciate a more specific "Steps to reproduce", including "how to cause the edit to be hidden".

T227656 might actually be a dupe of this (and this is not actually a security bug)

Looks so. Merging those two.

Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)". Jul 10 2019, 5:45 PM