Reason this is security flagged: I don't know how multiple executions of the same API request, in the form of a DoS-type attack, would affect a wiki's server status.
Error Message 1:
{"error":{"code":"internal_api_error_Wikimedia\\RequestTimeout\\RequestTimeoutException","info":"[cb78d894-a1fc-4dec-8329-08d4bfe7985a] Caught exception of type Wikimedia\\RequestTimeout\\RequestTimeoutException","errorclass":"Wikimedia\\RequestTimeout\\RequestTimeoutException"},"servedby":"mw1361"}
Error Message 2:
upstream request timeout
Affected Authentications: Logged in with checkuserlog permission
Unaffected: Logged in without checkuserlog permission & logged out
Affected Wikis: Group 0 & Group 1 wikis - on MW 1.40.0-wmf.17
Not affected Wikis: Group 2 wikis - on 1.40.0-wmf.14
Reproduction:
- Go to a project in which you have checkuserlog abilities
- Make a request to the API CheckUserLog where you expect a non-zero result (could even just be a generic view all CU logs request)
Ways not to reproduce:
- Specifying parameters where the CU log would have zero entries - this produces, as it should, no results
- While not logged in OR without the checkuserlog permission - this results in the proper permission denied