
[[Special:Log/abusefilter]] incorrectly shows the recent change history even if the filter is private
Closed, Duplicate | Public | Security

Description

Steps to replicate the issue (include links if applicable):

  1. Create a private filter (e.g. https://en.wikipedia.org/wiki/Special:AbuseFilter/1122 )
  2. Modify the private filter

What happens?:

What should have happened instead?:

  • [[Special:Log/abusefilter]] should not show the recent-change item of a private filter if the user does not have abusefilter-view-private. This is the same behavior that [[Special:AbuseFilter/history]] already has.

Software version (skip for WMF-hosted wikis like Wikipedia):

WMF-hosted wiki. I have confirmed this bug on enwiki and jawiki.

Other information (browser name/version, screenshots, etc.):

  • image.png (689×1 px, 97 KB)
  • image.png (886×962 px, 104 KB)

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Event Timeline

  • I tried to fix this bug and create a patch to send you myself, but failed.
  • Is it enough to modify the class AbuseFilterModifyLogFormatter?
    • Currently I have not found out how to modify this because I am not familiar with the LogFormatter class. I would be glad if you could give me a hint or advice on how to hide a specific log item when some condition is met (i.e. in this bug, when the user doesn't have the permission).
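The condition the reporter asks about is a visibility rule that one view (Special:AbuseFilter/history) already enforces and another (Special:Log/abusefilter) does not. The sketch below is an added example and is not code from MediaWiki or the AbuseFilter extension; it models both views in Python rather than the extension's PHP, and routes them through a single predicate so that the two code paths cannot disagree. The data model, field names, sample filters and log rows are constructed for the example; the only real name used is the right abusefilter-view-private. It also fails closed when a log row points at a filter that can no longer be resolved, an edge case the report does not cover but a practitioner would want handled.

```python
"""Added example, not MediaWiki/AbuseFilter code: one shared authorization
predicate for the filter-history view and the abusefilter log view.
All types, fields and sample rows are constructed for illustration; only
the right name 'abusefilter-view-private' is a real MediaWiki identifier."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

VIEW_PRIVATE = "abusefilter-view-private"  # real right name; rest is constructed


@dataclass(frozen=True)
class Filter:
    filter_id: int
    description: str
    hidden: bool  # True means the filter is private


@dataclass(frozen=True)
class LogEntry:
    log_id: int
    filter_id: int
    performer: str
    comment: str


@dataclass(frozen=True)
class User:
    name: str
    rights: FrozenSet[str] = frozenset()

    def is_allowed(self, right: str) -> bool:
        return right in self.rights


def can_view_filter(user: User, flt: Optional[Filter]) -> bool:
    """The single rule every view of a filter must consult.

    Fails closed: a log row whose filter cannot be resolved (constructed
    edge case, e.g. the filter was deleted) is treated as private.
    """
    if flt is None:
        return user.is_allowed(VIEW_PRIVATE)
    return (not flt.hidden) or user.is_allowed(VIEW_PRIVATE)


def visible_history(user: User, flt: Optional[Filter], revisions: List[str]) -> List[str]:
    """Analogue of Special:AbuseFilter/history: all-or-nothing per filter."""
    return list(revisions) if can_view_filter(user, flt) else []


def visible_log(user: User, filters: Dict[int, Filter],
                entries: List[LogEntry]) -> List[LogEntry]:
    """Analogue of Special:Log/abusefilter with the missing check added.

    Reuses can_view_filter instead of re-deriving the rule from the
    'hidden' flag, so the log view cannot drift from the history view.
    """
    return [e for e in entries if can_view_filter(user, filters.get(e.filter_id))]


# Constructed sample data: one public filter, one private filter, and a
# log row that refers to a filter id that no longer exists.
FILTERS: Dict[int, Filter] = {
    1: Filter(1, "Public: revert obvious spam", hidden=False),
    2: Filter(2, "Private: long-term abuser pattern", hidden=True),
}
LOG: List[LogEntry] = [
    LogEntry(101, 1, "Alice", "tweak regex"),
    LogEntry(102, 2, "Bob", "add new pattern"),
    LogEntry(103, 7, "Carol", "filter since deleted"),
]
USERS: Dict[str, User] = {
    "anon": User("anon"),
    "afadmin": User("afadmin", frozenset({VIEW_PRIVATE, "abusefilter-modify"})),
}


def visible_log_ids(user_name: str) -> List[int]:
    """Log ids the named constructed user would see on the log page."""
    return [e.log_id for e in visible_log(USERS[user_name], FILTERS, LOG)]


if __name__ == "__main__":
    for name in USERS:
        print(name, "sees log rows", visible_log_ids(name))
```

Running it shows the anonymous user gets only the public filter's row, while the user holding abusefilter-view-private sees all three, including the row for the unresolvable filter; the history view for filter 2 returns nothing to the anonymous user and the full revision list to the privileged one, which is exactly the parity the report asks for.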
taavi set Security to Software security bug. Aug 6 2022, 8:06 AM
taavi added projects: Security, Security-Team.
taavi changed the visibility from "Public (No Login Required)" to "Custom Policy".
taavi changed the subtype of this task from "Bug Report" to "Security Issue".
taavi subscribed.

Thank you for making this a duplicate ticket.

@taavi As of T34959, this ticket is not a security problem. So can you make this public? My colleagues in my home wiki want to see my description of this ticket.

sbassett edited projects, added SecTeam-Processed; removed Security-Team.
sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed Risk Rating from N/A to Low.