Page MenuHomePhabricator
Create Task
Maniphest T296137

Blocked users should not be able to view private filters
Closed, ResolvedPublicSecurity
Actions

Description

  1. From an administrator account on testwiki, block yourself
  2. Go to https://test.wikipedia.org/wiki/Special:AbuseFilter/6

Filter 6 is marked private, but it's still visible.

This is a problem because one of the most common reasons for an admin to be blocked (at least on enwiki) is that the account is compromised. It often takes time to find a steward to lock the account, and we don't want people exploring the private filters during the gap.

Details

Risk Rating
Medium
Author Affiliation
Wikimedia Communities
SubjectRepoBranchLines +/-
AbuseFilterPermissionManager: Add sitewide block checkmediawiki/extensions/AbuseFiltermaster+7 -3
Customize query in gerrit

Related Objects

Event Timeline

suffusion_of_yellow created this task.Nov 20 2021, 8:02 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 20 2021, 8:02 PM
suffusion_of_yellow added a project: AbuseFilter.Nov 20 2021, 8:03 PM
sbassett added a subscriber: Daimona.Nov 22 2021, 2:47 PM
sbassett changed Author Affiliation from N/A to Wikimedia Communities.Nov 22 2021, 4:48 PM
sbassett changed Risk Rating from N/A to Medium.
sbassett added a project: Vuln-Authn/Session.
sbassett edited projects, added Vuln-MissingAuthz; removed Vuln-Authn/Session.
sbassett moved this task from Incoming to Watching on the Security-Team board.Nov 22 2021, 4:54 PM
sbassett added a project: SecTeam-Processed.
Daimona added a comment.Nov 22 2021, 5:29 PM

Seems reasonable. Code-wise, we need to change AbuseFilterPermissionManager::canViewPrivateFilters() to check user blocks, like ::canEdit() does (and the check in canEdit() should stay).

mmartorana claimed this task.Nov 22 2021, 7:16 PM
sbassett added subscribers: mmartorana, sbassett.Nov 22 2021, 7:26 PM
sbassett moved this task from Watching to In Progress on the Security-Team board.Feb 16 2022, 6:13 PM
mmartorana removed mmartorana as the assignee of this task.May 31 2022, 7:32 PM
sbassett moved this task from In Progress to Back Orders on the Security-Team board.Jul 6 2022, 5:03 PM
AntiCompositeNumber subscribed.Aug 25 2022, 3:34 AM
AntiCompositeNumber merged a task: T320678: Blocked users should not be able to view private filters.Oct 13 2022, 2:45 PM
AntiCompositeNumber added subscribers: Novem_Linguae, Lomrjyo, Xaosflux and 3 others.
TheresNoTime added a comment.Oct 13 2022, 6:46 PM

@sbassett Can this be made public? (or, if not, can you advise what to do about my public patch, which I created based on T320678...)

sbassett added a comment.Oct 14 2022, 12:47 AM
In T296137#8315274, @TheresNoTime wrote:

@sbassett Can this be made public? (or, if not, can you advise what to do about my public patch, which I created based on T320678...)

I mean, it was already disclosed in multiple ways, so yes. And it's likely low-risk enough that making it into production next week (the change set looks pretty close to mergeable) should be fairly low-risk.

sbassett changed the task status from Open to In Progress.Oct 14 2022, 12:47 AM
sbassett assigned this task to TheresNoTime.
sbassett triaged this task as Medium priority.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett removed a project: Security-Team.
gerritbot added a comment.Oct 21 2022, 6:16 PM

Change 842009 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@master] AbuseFilterPermissionManager: Add sitewide block check

https://gerrit.wikimedia.org/r/842009

ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.7; 2022-10-24).Oct 21 2022, 7:00 PM
TheresNoTime closed this task as Resolved.Nov 2 2022, 5:23 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL