Page MenuHomePhabricator
Create Task
Maniphest T316360

Oversighted action text is shown in Special:CheckUser when the checkuser does not have the right to see it
Closed, ResolvedPublicSecurity
Actions

Assigned To
Dreamy_Jazz
Authored By
Dreamy_Jazz
Aug 26 2022, 3:18 PM
Tags
Referenced Files
F35491713: image.png
Aug 26 2022, 3:18 PM
F35491710: image.png
Aug 26 2022, 3:18 PM
F35491715: image.png
Aug 26 2022, 3:18 PM
Subscribers
Aklapper
dom_walden
Dreamy_Jazz
GMikesell-WMF
kostajh
sbassett
Tchanders

Description

What is the problem

When using Special:CheckUser 'Get edits', a checkuser can run a check and see the actiontext associated with log actions that is hidden. This can be seen in the example screenshots further down in the description.

The actiontext should only be shown if the current user has the right to see it.

Steps to reproduce
  1. Install the CheckUser extension
  2. Add $wgCheckUserEventTablesMigrationStage = SCHEMA_COMPAT_WRITE_OLD | SCHEMA_COMPAT_NEW; to your LocalSettings.php file.
  3. Log into an account with the suppressor group
  4. Move a page
  5. Load Special:Log
  6. Click on the checkbox for the log item associated with the move and then click Change visibility of selected log entries
  7. On this new page, check the checkboxes labelled Hide target and parameters and Suppress data from administrators as well as others
  8. Submit that form
  9. Log into a different account with the checkuser group (and importantly not the suppressor group)
  10. Load Special:CheckUser
  11. Run a 'Get edits' check on the username of the account used in steps 3 to 8.

Observed behaviour: The move entry will show the suppressed actiontext.
Expected behaviour: The move entry will have the actiontext hidden.

Extra information

Similar to T315820, but the action text / comment can be hidden separately. The fix really relies on T145265 being solved so that CheckUser knows what the log entry is and can have it hidden if necessary.

Example:

Entry with these hidden for adminsThe log entry in Special:LogThe log entry in Special:CheckUser
image.png (633×1 px, 97 KB)
image.png (39×707 px, 10 KB)
image.png (57×1 px, 19 KB)

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Related Objects
Search...

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.
StatusSubtypeAssignedTask
· · ·
ResolvedSecurityDreamy_JazzT316360 Oversighted action text is shown in Special:CheckUser when the checkuser does not have the right to see it
ResolvedDreamy_JazzT253796 Make CheckUser record the log_id of logged actions
· · ·

Event Timeline

Dreamy_Jazz created this task.Aug 26 2022, 3:18 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 26 2022, 3:18 PM
Dreamy_Jazz added a project: CheckUser.Aug 26 2022, 3:18 PM
Dreamy_Jazz updated the task description. (Show Details)Aug 26 2022, 3:21 PM
Dreamy_Jazz added a subtask: T145265: Store check user data action text in structured format.
Dreamy_Jazz added a project: Vuln-Infoleak.Sep 4 2022, 1:11 PM
Mstyles moved this task from Incoming to In Progress on the Security-Team board.Sep 6 2022, 4:23 PM
Mstyles changed Risk Rating from N/A to Low.
Dreamy_Jazz edited subtasks, added: T253796: Make CheckUser record the log_id of logged actions; removed: T145265: Store check user data action text in structured format.Nov 15 2022, 9:26 PM
Dreamy_Jazz triaged this task as Medium priority.Jan 30 2023, 12:15 AM
Mstyles added a project: Anti-Harassment.Mar 14 2023, 6:24 PM
Mstyles removed a project: Security-Team.
Mstyles added a project: SecTeam-Processed.
Dreamy_Jazz moved this task from Untriaged to CheckUser on the Anti-Harassment board.Jul 22 2023, 5:48 PM
Dreamy_Jazz added a comment.Sep 29 2023, 10:09 PM

This will be solved by T347773 which is a largely similar issue with but otherwise has the same fix.

Dreamy_Jazz renamed this task from Oversighted action text is shown in CheckUser when the checkuser does not have the right to see it to Oversighted action text is shown in Special:CheckUser when the checkuser does not have the right to see it.Oct 2 2023, 12:59 PM
Dreamy_Jazz updated the task description. (Show Details)Oct 2 2023, 2:20 PM
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz added a comment.Oct 2 2023, 2:28 PM

T347773's patch is now merged which fixes this issue. As such I will move this to the QA column to verify using the provided steps.

This fix only works when T341829: Enable read new for the event table migration is complete, including on WMF wikis. If the Security-Team prefer to keep this private until this is fixed on WMF wikis, then I'm happy to do that.

This cannot be backported as it only works with a new database schema for cu_changes and two new tables. As such fixing this in any supported release version is not possible. However, this is low risk because:

  • You have to have the checkuser right to interact with this interface
  • You have to run a logged check

As such, a user abusing this would be made obvious by the check log and the users who could do this would already be trusted (and on WMF wikis must have signed the NDA).

Dreamy_Jazz edited projects, added Anti-Harassment (AHaT Sprint 32 - Baseball Cap); removed Anti-Harassment.Oct 2 2023, 2:28 PM
Dreamy_Jazz moved this task from Ready 🎬 (ONLY IF YOU HAVE NO MORE CODE TO REVIEW) to QA/Testing 🐞 on the Anti-Harassment (AHaT Sprint 32 - Baseball Cap) board.
Dreamy_Jazz added subscribers: dom_walden, GMikesell-WMF, Tchanders, kostajh.
Dreamy_Jazz claimed this task.Oct 2 2023, 2:36 PM
dom_walden moved this task from QA/Testing 🐞 to Done Q1 2023-2024 on the Anti-Harassment (AHaT Sprint 32 - Baseball Cap) board.Oct 3 2023, 2:35 PM

I tested all the different combinations of visibility for a log entry.

A user with suppressor rights can see everything (hidden/suppressed stuff is crossed out but visible).

A user with sysop rights cannot see action text if it is suppressed, but can if it is only hidden.

A user just with checkuser rights cannot see action text if it is either hidden or suppressed.

Just in case of regression, I also tested with SCHEMA_COMPAT_READ_OLD to see that there were at least no errors.

Test environment: Local docker CheckUser 2.5 (45cf5bf) 00:35, 3 October 2023.

Dreamy_Jazz added a project: Security-Team.EditedOct 4 2023, 2:43 PM

Adding Security-Team again for them to make a decision for the following:

I propose that this task be made public and resolved, because:

  • T326865 (a public task) already talks about this issue
  • This cannot be backported as it relies on a database change and therefore will remain unfixed in all release versions, so there are no more patches to review.
  • This fix will apply on WMF wikis once T341829 is completed (as this fix can only work when reading new for the database migration in T324907). In the mean time, I know a good few users with the checkuser group who know about this.

If creating a CVE and/or for the security release announcement, it would be good to mention that this is only fixed in WMF branches for now and will not be ready for the MW-1.41-release.

Dreamy_Jazz moved this task from In Progress to Incoming on the Security-Team board.Oct 4 2023, 2:44 PM
sbassett closed this task as Resolved.Oct 6 2023, 7:53 PM
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett subscribed.

Resolving and making public per the above rationales in T316360#9215889 and T316360#9225136.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Oct 6 2023, 7:54 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
Dreamy_Jazz closed subtask T253796: Make CheckUser record the log_id of logged actions as Resolved.Apr 10 2024, 1:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits