Page MenuHomePhabricator
Create Task
Maniphest T30306

RevDel: Suppressed username in file history is leaked in case of file transclusion (InstantCommons / $wgForeignFileRepos)
Closed, ResolvedPublic
Actions

Description

Suppressed username in file history is leaked in case of file transclusion using InstantCommons / $wgForeignFileRepos

The username of the first file revision in this testcase is shown on the foreign wiki:

http://commons.wikimedia.org/wiki/File:Example_file_for_a_RevDel_bug.jpg

http://de.wikipedia.org/wiki/Datei:Example_file_for_a_RevDel_bug.jpg

Version: 1.17.x
Severity: major

Details

Reference
bz28306

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 11:24 PM
bzimport added a project: MediaWiki-File-management.
bzimport set Reference to bz28306.
Raymond created this task.Mar 29 2011, 2:07 PM
Umherirrender added a comment.Apr 1 2011, 8:06 PM

Created attachment 8360
inverse isDeleted/local check

File::isDeleted( File::DELETED_USER ) is only checked for local files in ImagePage::imageHistoryLine. The attachment inverse the checks for isDeleted and for local files. That should fix this bug.

Attached:

bug28306.patch979 BDownload

brion added a comment.Apr 6 2011, 6:23 PM

Patch looks good; didn't apply (whitespace?) but doing the same switcharoo seems to do the job in my local testing, using ForeignDBRepo (same as the local configuration for Commons on the other Wikimedia sites).

ForeignAPIRepo doesn't expose the suppressed info through the API, so folks using the InstantCommons setup won't be affected.

Committed on trunk in r85555; should be merged down to 1.17 and production deployment as well.

Gilles added a project: Multimedia.Dec 4 2014, 10:30 AM
Gilles moved this task from Untriaged to Done on the Multimedia board.Dec 4 2014, 10:41 AM
Phabricator_maintenance added a project: MediaWiki-Revision-deletion.Aug 5 2016, 2:26 PM
Restricted Application added a project: Commons. · View Herald TranscriptAug 5 2016, 2:26 PM
Restricted Application added subscribers: JEumerus, Steinsplitter, Matanya. · View Herald Transcript
Phabricator_maintenance removed a parent task: T20840: [DO NOT USE] RevDelete/HideUser (tracking) [superseded by #MediaWiki-Revision-deletion].Aug 5 2016, 2:28 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL