L36 Legalpad document is editable by anyone
Closed, ResolvedPublicSecurity
Actions

Assigned To

Authored By

	Dylsss
	May 10 2022, 1:37 AM

Description

L36 only requires you to be a member of User-JeanFred to edit, which is a publicly join-able project. Having abilities to edit Legalpad documents allows you to see signatures, which could contain real names and emails and which could potentially be considered PII. It also allows you to enable "Signature Required to use Phabricator" which will kick everyone off Phabricator until they sign it. The project should be removed from the access policy.

Details

Risk Rating: Low
Author Affiliation: Wikimedia Communities

Event Timeline

Dylsss created this task.May 10 2022, 1:37 AM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 10 2022, 1:37 AM

Dylsss renamed this task from Legalpad document is editable by anyone to L36 Legalpad document is editable by anyone.May 10 2022, 1:39 AM

Dylsss updated the task description. (Show Details)

Uhm... indeed. :( Thanks a lot for catching this; I have fixed it.

Aklapper moved this task from To Triage to Administration (UI) on the Phabricator board.May 10 2022, 7:15 AM

@Aklapper - I assume this is fine to make public now?

I think so, yes. Past changes in https://phabricator.wikimedia.org/legalpad/view/36/ look fine.

sbassett triaged this task as Medium priority.May 10 2022, 5:21 PM

sbassett changed Author Affiliation from N/A to Wikimedia Communities.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".

sbassett changed the edit policy from "Custom Policy" to "All Users".

sbassett changed Risk Rating from N/A to Low.

L36 Legalpad document is editable by anyoneClosed, ResolvedPublicSecurityActions

Description

Details

Event Timeline

L36 Legalpad document is editable by anyone
Closed, ResolvedPublicSecurity
Actions