Page MenuHomePhabricator
Create Task
Maniphest T272333

Disallow the edit if blocking the user didn't succeed (CVE-2021-31548)
Closed, ResolvedPublicSecurity
Actions

Description

For instance if the user is partially blocked, the block won't be successful and the AF will allow the edit to go through.

Related Objects
Search...

StatusSubtypeAssignedTask
Restricted Task
 ResolvedSecurityDaimonaT272333 Disallow the edit if blocking the user didn't succeed (CVE-2021-31548)

Event Timeline

Daimona created this task.Jan 19 2021, 1:26 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 19 2021, 1:26 AM
Daimona added a project: AbuseFilter.Jan 19 2021, 1:27 AM

I think a fix for this might be pushed publicly on gerrit, but creating as sec-protected for now.

DannyS712 added a subscriber: DannyS712.Jan 19 2021, 2:14 AM

Could also be fixed by T232885: Consequences: Don't allow activation of blockAutopromotion or block without activating disallow

DannyS712 added a subscriber: NickK.Jan 19 2021, 12:16 PM
Daimona added a parent task: Restricted Task.Jan 19 2021, 2:19 PM
Daimona added a comment.Jan 19 2021, 2:23 PM

For now I'm going to push a hacky patch on gerrit, pretending it's a cleanup, then we can make the task public and discuss better strategies.

Daimona added a comment.Jan 19 2021, 2:27 PM

https://gerrit.wikimedia.org/r/c/mediawiki/extensions/AbuseFilter/+/657092

Daimona claimed this task.Jan 19 2021, 2:28 PM
Daimona added a subscriber: matej_suchanek.Jan 21 2021, 11:14 AM

@matej_suchanek Thank you for merging the fix, I forgot to add you as subscriber here. Let's wait until the fix is deployed with the train next week, and then we can make this task public.

Urbanecm added a subscriber: Urbanecm.Jan 22 2021, 2:44 PM
In T272333#6764934, @Daimona wrote:

@matej_suchanek Thank you for merging the fix, I forgot to add you as subscriber here. Let's wait until the fix is deployed with the train next week, and then we can make this task public.

I already backported this yesterday, so considering this works as intended, and there's nothing to hide for now, I'm going to make this task public.

Urbanecm closed this task as Resolved.Jan 22 2021, 2:44 PM
Urbanecm changed the visibility from "Custom Policy" to "Public (No Login Required)".
Urbanecm changed the edit policy from "Custom Policy" to "All Users".

Closing, fix is backported.

RhinosF1 added a subscriber: RhinosF1.Jan 22 2021, 3:34 PM
sbassett mentioned this in T270466: Write and send supplementary release announcement for extensions and skins with security patches (1.31.13/1.35.2).Jan 22 2021, 3:42 PM
sbassett added a project: Vuln-MissingAuthz.Apr 8 2021, 7:27 PM
valerio.bozzolan awarded a token.Apr 8 2021, 7:29 PM
sbassett renamed this task from Disallow the edit if blocking the user didn't succeed to Disallow the edit if blocking the user didn't succeed (CVE-2021-31548).Apr 23 2021, 6:50 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL