
acl*wmcs-team, acl*blog-admins joinable by anyone
Closed, Resolved | Public | Security

Description

acl*wmcs-team and acl*blog-admins are joinable by anyone due to their policy being set to Policy-Admins and the subproject acl*test_policy_admins being joinable by anyone (and there may be other places where Policy-Admins is used as a restriction). I restricted the edit and join policy of acl*test_policy_admins to project members and administrators, so this should no longer be an issue. Though the policies of acl*wmcs-team and acl*blog-admins should probably be modified to remove Policy-Admins if there is no need for it.

Details

Risk Rating
High
Author Affiliation
Wikimedia Communities

Event Timeline

Though the policies of acl*wmcs-team and acl*blog-admins should probably be modified to remove Policy-Admins if there is no need for it.

It also means that any member of one acl can also be a member of acl*wmcs-team and acl*blog-admins, which is probably a bit unnecessary.

Dylsss renamed this task from acl*wmcs-team, acl*blog-admins joinable by anyone. to acl*wmcs-team, acl*blog-admins joinable by anyone.Jun 7 2022, 7:25 PM

Removed Policy-Admins from acl*blog-admins. Only members in acl*phabricator are now allowed to edit the project (and add/remove members AIUI given that the project is set to be joinable by No One). Diff: previous settings, current settings.

Thanks a lot everyone!! Changed the WMCS one in https://phabricator.wikimedia.org/project/manage/4858/#86960 by adding administrators instead.

Policy-Admins itself was only joinable and editable by Phabricator admins since 2016: https://phabricator.wikimedia.org/project/manage/1869/ .
I checked its subprojects and didn't spot any other "open" join or edit policy.

I think this is resolved?

For the record, an SQL query which checks edit policies that include a certain project tag: Policy-Admins is PHID-PROJ-gnvje5af6gcyto3uv7cz, so the query would be SELECT CONCAT("https://phabricator.wikimedia.org/project/edit/", pr.id) FROM phabricator_policy.policy po JOIN phabricator_project.project pr ON po.phid = pr.editPolicy WHERE po.rules LIKE "%PHID-PROJ-gnvje5af6gcyto3uv7cz%"; (replace edit with join if needed)
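The query above covers one of the two checks made on this task; the other was walking Policy-Admins' subprojects for an open join or edit policy. The following is an added example (not Phabricator's code and not the query posted above) that runs both checks together against an in-memory SQLite copy of the two tables, so it can be tried offline. It assumes only the columns it uses (policy.phid, policy.rules; project.id, phid, name, parentProjectPHID, editPolicy, joinPolicy), uses unqualified table names because SQLite has no database.table prefix (on the real MySQL host they are phabricator_policy.policy and phabricator_project.project), and constructs its sample rows: the JSON layout of policy.rules and every PHID and project id other than Policy-Admins' (PHID-PROJ-gnvje5af6gcyto3uv7cz, project 1869) and acl*wmcs-team's id (4858) are made up for the example.

```python
"""Added example: audit which projects trust a given project tag through a custom
policy, and whether that tag (or any subproject of it) is open to all users.
Not Phabricator's code; sample data below is constructed."""
import json
import sqlite3

BASE_URL = "https://phabricator.wikimedia.org/project/"
POLICY_ADMINS = "PHID-PROJ-gnvje5af6gcyto3uv7cz"   # real PHID, from the task
# Phabricator's built-in policy constants that any user (or anyone at all) passes.
OPEN_POLICIES = {"users", "public"}


def open_db():
    """Build the constructed sample database (ids 9001-9003 and all PLCY/USER PHIDs are made up)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE policy (phid TEXT PRIMARY KEY, rules TEXT NOT NULL);
        CREATE TABLE project (
            id INTEGER PRIMARY KEY, phid TEXT UNIQUE NOT NULL, name TEXT NOT NULL,
            parentProjectPHID TEXT, editPolicy TEXT NOT NULL, joinPolicy TEXT NOT NULL);
    """)
    # Assumed rules layout: a list of {action, rule, value} objects.
    via_policy_admins = json.dumps([{"action": "allow",
                                     "rule": "PhabricatorProjectsPolicyRule",
                                     "value": [POLICY_ADMINS]}])
    via_one_user = json.dumps([{"action": "allow",
                                "rule": "PhabricatorUsersPolicyRule",
                                "value": ["PHID-USER-example"]}])
    db.executemany("INSERT INTO policy VALUES (?, ?)", [
        ("PHID-PLCY-viaadmins", via_policy_admins),  # custom policy: members of Policy-Admins
        ("PHID-PLCY-oneuser", via_one_user),         # custom policy: one named user
    ])
    db.executemany("INSERT INTO project VALUES (?, ?, ?, ?, ?, ?)", [
        (1869, POLICY_ADMINS, "Policy-Admins", None, "admin", "admin"),
        (4858, "PHID-PROJ-wmcs", "acl*wmcs-team", None, "PHID-PLCY-viaadmins", "no-one"),
        (9001, "PHID-PROJ-blog", "acl*blog-admins", None, "PHID-PLCY-viaadmins", "PHID-PLCY-viaadmins"),
        (9002, "PHID-PROJ-test", "acl*test_policy_admins", POLICY_ADMINS, "users", "users"),
        (9003, "PHID-PROJ-other", "Unrelated-Project", None, "PHID-PLCY-oneuser", "no-one"),
    ])
    return db


def projects_granting_via(db, project_phid):
    """(edit URL, name, 'edit'|'join') for every project whose edit or join policy
    is a custom policy naming project_phid. Same LIKE-on-rules approach as the
    query on the task, extended to both policy columns in one pass."""
    pattern = "%" + project_phid + "%"
    rows = db.execute("""
        SELECT pr.id, pr.name, 'edit' AS which
          FROM policy po JOIN project pr ON po.phid = pr.editPolicy
         WHERE po.rules LIKE ?
        UNION ALL
        SELECT pr.id, pr.name, 'join' AS which
          FROM policy po JOIN project pr ON po.phid = pr.joinPolicy
         WHERE po.rules LIKE ?
         ORDER BY 1, 3
    """, (pattern, pattern)).fetchall()
    return [(BASE_URL + "edit/%d" % pid, name, which) for pid, name, which in rows]


def open_subtree(db, project_phid):
    """(id, name, editPolicy, joinPolicy) for project_phid and its subprojects at any
    depth whose edit or join policy is an open built-in; empty means the tree is clean."""
    rows = db.execute("""
        WITH RECURSIVE tree(phid) AS (
            SELECT ?
            UNION
            SELECT pr.phid FROM project pr JOIN tree ON pr.parentProjectPHID = tree.phid
        )
        SELECT pr.id, pr.name, pr.editPolicy, pr.joinPolicy
          FROM project pr JOIN tree ON pr.phid = tree.phid
         ORDER BY pr.id
    """, (project_phid,)).fetchall()
    return [(pid, name, edit, join) for pid, name, edit, join in rows
            if edit in OPEN_POLICIES or join in OPEN_POLICIES]


def audit(db, project_phid):
    """Both checks in one report: who inherits rights from the tag, and whether
    membership of the tag can be obtained by anyone via an open subproject."""
    return {"grants": projects_granting_via(db, project_phid),
            "open_in_subtree": open_subtree(db, project_phid)}


if __name__ == "__main__":
    report = audit(open_db(), POLICY_ADMINS)
    for url, name, which in report["grants"]:
        print("%s policy of %s trusts Policy-Admins: %s" % (which, name, url))
    for pid, name, edit, join in report["open_in_subtree"]:
        print("OPEN: project %d (%s) edit=%s join=%s" % (pid, name, edit, join))
```

On the sample data the report lists acl*wmcs-team (edit) and acl*blog-admins (edit and join) as trusting Policy-Admins, and flags acl*test_policy_admins as the open subproject; with the fix from this task applied (join and edit set to members/admins) the second list comes back empty. Against the real MySQL tables, swap the table names for the qualified ones and keep the parameter binding rather than interpolating the PHID.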

sbassett assigned this task to MarcoAurelio.
sbassett triaged this task as High priority.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett subscribed.

I think this is resolved?

Seems to be. I'd like to resolve it for now and, if things still look good in a week, we can make it public (I don't see anything obvious on the task preventing that disclosure).

sbassett changed Risk Rating from N/A to High.Jun 13 2022, 4:42 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Jun 21 2022, 4:30 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".