
Oversighted action text is shown in Special:CheckUser when the checkuser does not have the right to see it
Closed, Resolved | Public | Security

Description

What is the problem

When using Special:CheckUser 'Get edits', a checkuser can run a check and see the actiontext associated with log actions that is hidden. This can be seen in the example screenshots further down in the description.

The actiontext should only be shown if the current user has the right to see it.

Steps to reproduce
  1. Install the CheckUser extension
  2. Add $wgCheckUserEventTablesMigrationStage = SCHEMA_COMPAT_WRITE_OLD | SCHEMA_COMPAT_NEW; to your LocalSettings.php file.
  3. Log into an account with the suppressor group
  4. Move a page
  5. Load Special:Log
  6. Click on the checkbox for the log item associated with the move and then click Change visibility of selected log entries
  7. On this new page, check the checkboxes labelled Hide target and parameters and Suppress data from administrators as well as others
  8. Submit that form
  9. Log into a different account with the checkuser group (and importantly not the suppressor group)
  10. Load Special:CheckUser
  11. Run a 'Get edits' check on the username of the account used in steps 3 to 8.

Observed behaviour: The move entry will show the suppressed actiontext.
Expected behaviour: The move entry will have the actiontext hidden.

Extra information

Similar to T315820, but the action text / comment can be hidden separately. The fix really relies on T145265 being solved so that CheckUser knows what the log entry is and can have it hidden if necessary.

Example:

[Screenshots not included: "Entry with these hidden for admins", "The log entry in Special:Log", "The log entry in Special:CheckUser"]

Details

Risk Rating: Low
Author Affiliation: Wikimedia Communities

Event Timeline

Mstyles changed Risk Rating from N/A to Low.

This will be solved by T347773 which is a largely similar issue with but otherwise has the same fix.

Dreamy_Jazz renamed this task from Oversighted action text is shown in CheckUser when the checkuser does not have the right to see it to Oversighted action text is shown in Special:CheckUser when the checkuser does not have the right to see it. (Oct 2 2023, 12:59 PM)

T347773's patch is now merged which fixes this issue. As such I will move this to the QA column to verify using the provided steps.

This fix only works when T341829: Enable read new for the event table migration is complete, including on WMF wikis. If the Security-Team prefer to keep this private until this is fixed on WMF wikis, then I'm happy to do that.

This cannot be backported as it only works with a new database schema for cu_changes and two new tables. As such fixing this in any supported release version is not possible. However, this is low risk because:

  • You have to have the checkuser right to interact with this interface
  • You have to run a logged check

As such, a user abusing this would be made obvious by the check log and the users who could do this would already be trusted (and on WMF wikis must have signed the NDA).

I tested all the different combinations of visibility for a log entry.

A user with suppressor rights can see everything (hidden/suppressed stuff is crossed out but visible).

A user with sysop rights cannot see action text if it is suppressed, but can if it is only hidden.

A user just with checkuser rights cannot see action text if it is either hidden or suppressed.

Just in case of regression, I also tested with SCHEMA_COMPAT_READ_OLD to see that there were at least no errors.

Test environment: Local docker CheckUser 2.5 (45cf5bf) 00:35, 3 October 2023.
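
The visibility matrix from the test report above, as an added example (not CheckUser's or MediaWiki's own code): a stand-alone PHP model of the bitfield check a results row needs before it prints action text. The group-to-rights map, function names, sample action text and placeholder string are assumptions made for illustration; the bit values follow MediaWiki's LogPage::DELETED_* constants.

```php
<?php
// Bit values mirror MediaWiki's LogPage::DELETED_* constants.
const DELETED_ACTION     = 1; // "Hide target and parameters"
const DELETED_RESTRICTED = 8; // "Suppress data from administrators as well as others"

// Constructed, simplified group-to-rights map (assumption: the suppressor
// test account also holds deletedhistory, as a sysop would).
const GROUP_RIGHTS = [
    'checkuser'  => ['checkuser', 'checkuser-log'],
    'sysop'      => ['deletedhistory'],
    'suppressor' => ['deletedhistory', 'suppressrevision', 'viewsuppressed'],
];

/** Rights held by a user who is in the given groups. */
function rightsFor(array $groups): array {
    $rights = [];
    foreach ($groups as $group) {
        $rights = array_merge($rights, GROUP_RIGHTS[$group] ?? []);
    }
    return array_unique($rights);
}

/** May a viewer with $rights see the field guarded by $field on this entry? */
function userCanSee(int $bitfield, int $field, array $rights): bool {
    if (($bitfield & $field) === 0) {
        return true; // the field is not hidden at all
    }
    // Suppressed entries need suppression rights; hidden ones need deletedhistory.
    $needed = ($bitfield & DELETED_RESTRICTED)
        ? ['suppressrevision', 'viewsuppressed']
        : ['deletedhistory'];
    return count(array_intersect($needed, $rights)) > 0;
}

/** Text a results row should show; the placeholder is chosen for this example. */
function renderActionText(string $actionText, int $bitfield, array $groups): string {
    return userCanSee($bitfield, DELETED_ACTION, rightsFor($groups))
        ? $actionText
        : '(log details removed)';
}

// Constructed sample: one move entry in each visibility state, seen by each viewer.
$states  = ['visible' => 0, 'hidden' => DELETED_ACTION,
            'suppressed' => DELETED_ACTION | DELETED_RESTRICTED];
$viewers = ['checkuser only' => ['checkuser'], 'sysop' => ['sysop'],
            'suppressor' => ['suppressor']];
foreach ($viewers as $label => $groups) {
    foreach ($states as $state => $bits) {
        printf("%-15s %-11s %s\n", $label, $state,
            renderActionText('moved page Foo to Bar', $bits, $groups));
    }
}
```

The bug reported in this task corresponds to printing `$actionText` without calling a check like `userCanSee()` first; the checkuser right grants access to the interface but none of the rights the check requires.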

Adding Security-Team again for them to make a decision for the following:

I propose that this task be made public and resolved, because:

  • T326865 (a public task) already talks about this issue
  • This cannot be backported as it relies on a database change and therefore will remain unfixed in all release versions, so there are no more patches to review.
  • This fix will apply on WMF wikis once T341829 is completed (as this fix can only work when reading new for the database migration in T324907). In the meantime, I know a good few users with the checkuser group who know about this.

If creating a CVE and/or for the security release announcement, it would be good to mention that this is only fixed in WMF branches for now and will not be ready for the MW-1.41-release.

sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett added a subscriber: sbassett.

Resolving and making public per the above rationales in T316360#9215889 and T316360#9225136.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". (Oct 6 2023, 7:54 PM)
sbassett changed the edit policy from "Custom Policy" to "All Users".