Page MenuHomePhabricator
Create Task
Maniphest T304354

It is impossible to oversight who has reviewed a revision via FlaggedRevs (CVE-2022-28212)
Closed, ResolvedPublicSecurity
Actions

Description

I have received a request to oversight all usernames from a template on ruwikinews, https://ru.wikinews.org/w/index.php?title=Шаблон:Оформление_категории&action=history (the reasoning is that there is a risk of prosecution under the current Russian laws for the inclusion of Facebook there).

While I have managed to suppress usernames in history and all the logs, I do not see a way to suppress the information who has reviewed certain revisions (revreview-hist-basic-user) which is shown next to them in the history (the respective log records are now suppressed but this does not affect the view in history).

If there is a way to do that which I miss please tell me how, otherwise either the suppression of log records should affect this (perfectly) or a separate way to affect this information should be implemented.

Details

SubjectRepoBranchLines +/-
SECURITY: Do not show patrol details if the author is hiddenmediawiki/extensions/FlaggedRevsREL1_38+4 -1
SECURITY: Do not show patrol details if the author is hiddenmediawiki/extensions/FlaggedRevsmaster+4 -1
SECURITY: Do not show patrol details if the author is hiddenmediawiki/extensions/FlaggedRevsREL1_37+4 -1
Customize query in gerrit

Related Objects

Event Timeline

Base created this task.Mar 21 2022, 7:18 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 21 2022, 7:18 PM
taavi edited projects, added Security, Security-Team; removed acl*stewards, WMF-NDA.Mar 21 2022, 7:21 PM
MarcoAurelio added a project: Vuln-Infoleak.Mar 21 2022, 7:22 PM
Zabe subscribed.Mar 21 2022, 7:22 PM
MarcoAurelio subscribed.Mar 21 2022, 7:22 PM
Base added a comment.Mar 21 2022, 7:28 PM

(For the record, in case someone would want to use some manual suppression means in the meanwhile, the request also included https://ru.wikinews.org/w/index.php?title=Шаблон:Социальные_закладки&action=history )

taavi subscribed.Mar 21 2022, 7:32 PM

So apparently uselang=qqx also leaks the user name for automatically checked revisions.

Proposed patch:

0001-SECURITY-Do-not-show-patrol-details-if-the-author-is.patch1 KBDownload

taavi triaged this task as High priority.Mar 21 2022, 7:33 PM
Zabe added a comment.EditedMar 21 2022, 7:37 PM
In T304354#7794242, @Majavah wrote:

So apparently uselang=qqx also leaks the user name for automatically checked revisions.

Proposed patch:

0001-SECURITY-Do-not-show-patrol-details-if-the-author-is.patch1 KBDownload

+2

Not tested. It does now hides usernames of completly different users when the revision is not autoreviewed, but it also does that when the revision is revision deleted. So that is definitely the much smaller problem.

Base added a comment.Mar 21 2022, 7:41 PM

On the first glance at the patch it probably checks if the revision rather than the respective log record is suppressed, doens't it? So probably suboptimal but indeed better than nothing as a way to remove the exposure.

AntiCompositeNumber subscribed.Mar 21 2022, 7:47 PM

That annotation is added in rEFLR frontend/FlaggedRevsUIHooks.php:789. It looks like if the revision text is deleted, the annotation won't be shown at all, based on rEFLR frontend/FlaggedRevsUIHooks.php:763. Easy fix would be to change that so it isn't shown if any part of the revision is deleted.

Alternately, you should be able to get it removed by unapproving the revision.

Krinkle subscribed.Mar 21 2022, 7:52 PM

To clarify, the objective is to hide the username in the "checked by" appendix on history lines, such as:

  • September 2021‎ (username removed)‎ 9,334 bytes −1‎ No edit summary undo [checked by Someone]

The FlaggedRevs code already omits this appendix if the revision text is revdel'ed. The patch expands this to also omit it if the revision actor is revdel'ed.

+2.

taavi added a comment.Mar 21 2022, 8:02 PM
In T304354#7794289, @Base wrote:

On the first glance at the patch it probably checks if the revision rather than the respective log record is suppressed, doens't it? So probably suboptimal but indeed better than nothing as a way to remove the exposure.

Yeah, correct - I don't see an easy way to access the log entry assosiated log entry from that context.

taavi added a comment.Mar 22 2022, 5:16 PM
In T304354#7794242, @Majavah wrote:

0001-SECURITY-Do-not-show-patrol-details-if-the-author-is.patch1 KBDownload

Deployed for 1.39.0-wmf.3.

sbassett mentioned this in T297839: Write and send supplementary release announcement for extensions and skins with security patches (1.35.6/1.36.4/1.37.2).Mar 22 2022, 6:54 PM
sbassett moved this task from Incoming to Watching on the Security-Team board.Mar 22 2022, 8:04 PM
sbassett added a project: SecTeam-Processed.
sbassett subscribed.
In T304354#7797563, @Majavah wrote:

Deployed for 1.39.0-wmf.3.

Thanks. SAL. Also tracked at T276237 and T297839.

Mstyles renamed this task from It is impossible to oversight who has reviewed a revision via FlaggedRevs to It is impossible to oversight who has reviewed a revision via FlaggedRevs (CVE-2022-28212).Mar 31 2022, 5:44 PM
Mstyles closed this task as Resolved.
Mstyles claimed this task.
Mstyles moved this task from Watching to Our Part Is Done on the Security-Team board.
Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 31 2022, 5:47 PM
Mstyles changed the edit policy from "Custom Policy" to "All Users".
gerritbot added a comment.Mar 31 2022, 10:58 PM

Change 776008 had a related patch set uploaded (by Mstyles; author: Majavah):

[mediawiki/extensions/FlaggedRevs@master] SECURITY: Do not show patrol details if the author is hidden

https://gerrit.wikimedia.org/r/776008

gerritbot added a project: Patch-For-Review.Mar 31 2022, 10:58 PM
gerritbot added a comment.Mar 31 2022, 11:28 PM

Change 775943 had a related patch set uploaded (by Mstyles; author: Majavah):

[mediawiki/extensions/FlaggedRevs@REL1_37] SECURITY: Do not show patrol details if the author is hidden

https://gerrit.wikimedia.org/r/775943

gerritbot added a comment.Mar 31 2022, 11:36 PM

Change 776008 merged by jenkins-bot:

[mediawiki/extensions/FlaggedRevs@master] SECURITY: Do not show patrol details if the author is hidden

https://gerrit.wikimedia.org/r/776008

gerritbot added a comment.Mar 31 2022, 11:50 PM

Change 775943 merged by jenkins-bot:

[mediawiki/extensions/FlaggedRevs@REL1_37] SECURITY: Do not show patrol details if the author is hidden

https://gerrit.wikimedia.org/r/775943

ReleaseTaggerBot added a project: MW-1.39-notes (1.39.0-wmf.6; 2022-04-04).Apr 1 2022, 12:00 AM
Maintenance_bot removed a project: Patch-For-Review.Apr 1 2022, 12:10 AM
gerritbot added a comment.Apr 1 2022, 6:53 PM

Change 776043 had a related patch set uploaded (by Zabe; author: Majavah):

[mediawiki/extensions/FlaggedRevs@REL1_38] SECURITY: Do not show patrol details if the author is hidden

https://gerrit.wikimedia.org/r/776043

gerritbot added a project: Patch-For-Review.Apr 1 2022, 6:53 PM
gerritbot added a comment.Apr 1 2022, 6:58 PM

Change 776043 merged by jenkins-bot:

[mediawiki/extensions/FlaggedRevs@REL1_38] SECURITY: Do not show patrol details if the author is hidden

https://gerrit.wikimedia.org/r/776043

MarcoAurelio changed the subtype of this task from "Task" to "Security Issue".Apr 4 2022, 4:03 PM
Zabe removed a project: Patch-For-Review.Jul 13 2022, 11:01 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits