
Everyone can view a restricted file
Closed, ResolvedPublicSecurity

Description

Reproduce:

  1. Open a private browser window
  2. View https://phabricator.wikimedia.org/F31920110

Feel free to decline if it is intentional. The log said it may only be viewed by acl*security Project, and this is also what the header said.

Event Timeline

Bugreporter renamed this task from Everyone can view an restricted file to Everyone can view a restricted file. Jul 17 2020, 8:06 AM
Bugreporter added a project: Phabricator.

The file is "attached" to T249039, so Phabricator allows everyone who can view that task to also view this file.

It's a bit surprising to me that just mentioning the file's name "attaches" it; I would expect only embedding the file (i.e. syntax like {F.....}) to do that.

Hmm, mentioning the ID of a restricted task does not "attach" it.

@Bugreporter: Thanks for reporting this! Confirming.

And I cannot edit/fix that file's visibility, though I am a member of #acl*security. Hence I cannot check what the very initial policy was.
(Plus in theory adding subscribers won't help if those subscribers were not allowed to view the task.)
Note that *if* this file was uploaded by clicking "Upload File" in the *public* task then this is expected behavior and not a bug in Phabricator code.

Thanks for reporting. I've gone ahead and changed the two files from T249039 to protected pastes instead and deleted the original files, which seems to fix the problem. There isn't really an issue for this specific case since 1) these files were part of a public "pre-launch" review and 2) it's trivial for an attacker to clone any of our publicly-available repos and run security scanning tools against them.

Still - this is either a bug with Phab files that should be fixed OR we should inform everyone that they should instead use protected Phab pastes for any potentially-sensitive data.

It might not be a bad idea to add an additional warning to that section summarizing the third paragraph. Or perhaps highlighting key points within the third paragraph in bold.

sbassett claimed this task.

I've added another warning to the mediawiki doc. Hope that works. I'm going to resolve this task for now. I think it's likely fine to make public, but I'd like to check first with some other Security-Team folks.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".