
PageTriage: Api allows spamming users with notifications
Closed, ResolvedPublic

Description

Steps to reproduce:

  • Find a page created by a user
  • Repeatedly mark it as patrolled

This will send the user a notification each time.

Marked as a security bug due to potential for harassment.
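The two handler shapes below are an added illustration of the bug in the description and of the idempotency check described by the eventual fix ("alter behaviour if state doesn't change"); this is constructed Python, not the PageTriage extension's own PHP, and the Page, NotificationLog and handler names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Page:
    """Minimal stand-in for a page in the curation queue (constructed)."""
    title: str
    creator: str
    reviewed: bool = False


@dataclass
class NotificationLog:
    """Records every notification that would be delivered to a user (constructed)."""
    sent: list = field(default_factory=list)

    def send(self, user: str, message: str) -> None:
        self.sent.append((user, message))


def mark_reviewed_vulnerable(page: Page, reviewer: str, log: NotificationLog) -> str:
    """Mirrors the reported behaviour: every call notifies, even with no state change."""
    page.reviewed = True
    log.send(page.creator, f"{reviewer} marked {page.title} as reviewed")
    return "ok"


def mark_reviewed_fixed(page: Page, reviewer: str, log: NotificationLog,
                        reviewed: bool = True) -> str:
    """Only writes and notifies on an actual transition of the reviewed flag."""
    if page.reviewed == reviewed:
        return "unchanged"          # no-op: nothing to log, nothing to notify
    page.reviewed = reviewed
    if reviewed:                    # notification is tied to entering the reviewed state
        log.send(page.creator, f"{reviewer} marked {page.title} as reviewed")
    return "ok"


def simulate(handler, repeats: int = 5):
    """Apply one handler repeatedly to a fresh page; return (notification count, results)."""
    page = Page("Example article", "NewEditor")   # constructed sample page
    log = NotificationLog()
    results = [handler(page, "Patroller", log) for _ in range(repeats)]
    return len(log.sent), results
```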

Event Timeline

Restricted Application added a project: User-DannyS712. Sep 27 2019, 9:26 PM
Restricted Application added a subscriber: Aklapper.
DannyS712 added a project: PageCuration.
DannyS712 moved this task from Unsorted to Page Curation on the User-DannyS712 board.
DannyS712 added subscribers: MusikAnimal, MaxSem.
Restricted Application added a project: Growth-Team. Sep 27 2019, 9:27 PM

Patch at https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/PageTriage/+/539624/ - I realize that generally patches should be private until fixed, but since this is a low-risk task and the fix is being implemented as part of T234074: Api: Don't log (un)reviewing or tagging as copyvio if state doesn't change, I think it's okay

sbassett triaged this task as Low priority. Oct 7 2019, 4:21 PM

Making it clear that there is a patch pending - public at https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/PageTriage/+/539624/, but also covers this task

sbassett edited projects, added Security-Team; removed Security. Feb 26 2020, 4:17 PM
sbassett added a subscriber: sbassett.

@DannyS712 - do you think r539624 has a chance of getting merged soon? I'd rather someone else a little more familiar with the page triage functionality than myself provide the +2. I'm not aware of any reports of this being abused right now, though if it is a more pressing concern, we could probably just create a patch of the includes/Api/ApiPageTriageAction.php changes and security-deploy that for the time being.

sbassett moved this task from Incoming to Watching on the Security-Team board. Feb 26 2020, 4:17 PM

> @DannyS712 - do you think r539624 has a chance of getting merged soon? I'd rather someone else a little more familiar with the page triage functionality than myself provide the +2. I'm not aware of any reports of this being abused right now, though if it is a more pressing concern, we could probably just create a patch of the includes/Api/ApiPageTriageAction.php changes and security-deploy that for the time being.

I'm not aware of it actually causing problems yet (but then again I don't have Security-Team access, so there are lots of tasks I can't see) so I think we can wait. Let me know if there are any reports and I'll add a security patch

Change 539624 merged by jenkins-bot:
[mediawiki/extensions/PageTriage@master] API: Alter behaviour if state doesn't change instead of proceeding

https://gerrit.wikimedia.org/r/539624

sbassett closed this task as Resolved. (Edited) Mar 6 2020, 7:14 PM
sbassett added a subscriber: Reedy.

Great, let's let it go out next week before we make this task public, just to be safe. Since the security issue was resolved via a nondescript gerrit patch, I don't think this needs to be held or anything (I mean, it can't be) for the next security release (T240393), though not sure if @Reedy would want to include mention of it there or not.

> Great, let's let it go out next week before we make this task public, just to be safe. Since the security issue was resolved via a nondescript gerrit patch, I don't think this needs to be held or anything (I mean, it can't be) for the next security release (T240393), though not sure if @Reedy would want to include mention of it there or not.

Can I be added to T240393 please?

> Can I be added to T240393 please?

Done.

> Can I be added to T240393 please?
>
> Done.

Thanks, but I've come to see that some security tasks only serve to track other tasks that I can't see, and so aren't very informative. Oh well. Maybe I'll request security access at some point

> Great, let's let it go out next week before we make this task public, just to be safe. Since the security issue was resolved via a nondescript gerrit patch, I don't think this needs to be held or anything (I mean, it can't be) for the next security release (T240393), though not sure if @Reedy would want to include mention of it there or not.

Should this be made public?

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Mar 25 2020, 3:04 AM

> Should this be made public?

Yes, done.