Page MenuHomePhabricator
Create Task
Maniphest T242829

GlobalRename notes appear publically
Closed, InvalidPublicSecurity
Actions

Description

See https://meta.wikimedia.org/wiki/Special:PrefixIndex?prefix=GlobalRenameQueue&namespace=4

First occurred in August, as far as I can tell[1]

Note sure why, couldn't figure out how to add notes without rejecting or accepting a request when attempting to reproduce

[1] https://meta.wikimedia.org/w/index.php?title=Meta:GlobalRenameQueue/Notes/55397&action=history

Event Timeline

DannyS712 created this task.Jan 15 2020, 8:56 AM
Restricted Application added a project: User-DannyS712. · View Herald TranscriptJan 15 2020, 8:56 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
DannyS712 added projects: GlobalRename, Vuln-Infoleak.Jan 15 2020, 8:57 AM
Restricted Application added a project: MediaWiki-extensions-CentralAuth. · View Herald TranscriptJan 15 2020, 8:57 AM
DannyS712 moved this task from Unsorted to Reports on the User-DannyS712 board.Jan 15 2020, 8:57 AM
DannyS712 added subscribers: Urbanecm, Rxy.
revi subscribed.Jan 15 2020, 9:01 AM

image.png (62×1 px, 22 KB)

Renamers know that the notes are public.

revi unsubscribed.Jan 15 2020, 9:01 AM
Urbanecm closed this task as Invalid.Jan 15 2020, 9:03 AM

This isn't a security vuln, but intended.

DannyS712 added a subscriber: revi.Jan 15 2020, 9:07 AM

@revi @Urbanecm where exactly do you see the "Create notes..."? I tried to do this at https://deployment.wikimedia.beta.wmflabs.org/wiki/Special:GlobalRenameQueue/request/36 and there is only a "Notes/reasoning" field, and the log entry.

DannyS712 removed projects: Vuln-Infoleak, User-DannyS712.Jan 15 2020, 9:07 AM
revi unsubscribed.Jan 15 2020, 9:09 AM

It is probably configured via Mediawiki namespace page to show that interface message.

DannyS712 added a comment.Jan 15 2020, 9:10 AM

Oh, thanks. Sorry for the trouble

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".Jan 15 2020, 11:40 AM
Legoktm changed the edit policy from "Custom Policy" to "All Users".
chasemp moved this task from Incoming to Our Part Is Done on the Security-Team board.Jan 16 2020, 7:44 PM
chasemp added a project: Security.Feb 10 2020, 10:50 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:11 PM
MarcoAurelio moved this task from Backlog to Closed on the GlobalRename board.May 9 2020, 9:51 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL