Page MenuHomePhabricator
Create Task
Maniphest T326865

Special:CheckUser can expose suppressed information for log events
Closed, ResolvedPublic2 Estimated Story PointsBUG REPORT
Actions

Description

Splitting from T311337. Not setting as a security ticket as the cat is out of the bag.

Log actions stored by CheckUser that are in the logging table (and thus can be suppressed) are not hidden as CheckUser does not store the log ID so that it can look up the revision deletion status. This means that checkusers who do not have the oversight permissions can access oversighted logs.

To do this CheckUser needs to store any associated log ID. This will be done in T324907. Once this has been achieved this can be fixed.

Details

SubjectRepoBranchLines +/-
Respect log_deleted in Special:CheckUser 'Get actions'mediawiki/extensions/CheckUsermaster+89 -19
Customize query in gerrit

Related Objects
Search...

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.
StatusSubtypeAssignedTask
· · ·
ResolvedBUG REPORTDreamy_JazzT326865 Special:CheckUser can expose suppressed information for log events
ResolvedDreamy_JazzT253796 Make CheckUser record the log_id of logged actions
· · ·

Event Timeline

Dreamy_Jazz created this task.Jan 12 2023, 9:05 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 12 2023, 9:05 PM
Dreamy_Jazz mentioned this in T311337: CVE-2022-39193: Edits with the performer suppressed still show the performer in results from the CheckUser extension.Jan 12 2023, 9:11 PM
Dreamy_Jazz added a subtask: T253796: Make CheckUser record the log_id of logged actions.Jan 12 2023, 9:34 PM
sbassett edited projects, added SecTeam-Processed; removed Security-Team.Jan 17 2023, 5:13 PM
Aklapper added a project: CheckUser.Jan 18 2023, 4:18 PM
Dreamy_Jazz moved this task from General / Unsorted to CheckUser on the CheckUser board.Jan 18 2023, 9:48 PM
Dreamy_Jazz triaged this task as High priority.Jan 19 2023, 8:21 PM
sbassett mentioned this in T325849: Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3).Jan 23 2023, 6:14 PM
Dreamy_Jazz mentioned this in T330968: CVE-2023-37252: Special:CheckUserLog shows usernames which have been hidden.Mar 24 2023, 4:40 PM
Xaosflux subscribed.Mar 24 2023, 5:30 PM
RoySmith subscribed.Mar 24 2023, 5:44 PM
sbassett mentioned this in T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0).Apr 4 2023, 7:48 PM
sbassett mentioned this in T340874: Write and send supplementary release announcement for extensions and skins with security patches (1.35.12/1.39.5/1.40.1).Jul 6 2023, 3:27 PM
Dreamy_Jazz mentioned this in T343983: Error: Call to a member function getTimestamp() on null.Sep 15 2023, 8:07 AM
sbassett mentioned this in T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).Oct 2 2023, 10:31 PM
Dreamy_Jazz mentioned this in T316360: Oversighted action text is shown in Special:CheckUser when the checkuser does not have the right to see it.Oct 4 2023, 2:43 PM
Dreamy_Jazz claimed this task.Wed, Apr 10, 1:38 PM
Dreamy_Jazz added projects: Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)), Trust and Safety Product Team.
Dreamy_Jazz moved this task from Priority Backlog to In Progress on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.
Dreamy_Jazz set the point value for this task to 2.
Dreamy_Jazz closed subtask T253796: Make CheckUser record the log_id of logged actions as Resolved.Wed, Apr 10, 1:41 PM
Dreamy_Jazz merged a task: Restricted Task.Wed, Apr 10, 1:49 PM
Dreamy_Jazz merged a task: Restricted Task.
Dreamy_Jazz added subscribers: sbassett, DannyS712, Urbanecm, Vermont.
Dreamy_Jazz added a subscriber: Umherirrender.
gerritbot added a comment.Wed, Apr 10, 8:13 PM

Change #1018782 had a related patch set uploaded (by Dreamy Jazz; author: Dreamy Jazz):

[mediawiki/extensions/CheckUser@master] Respect log_deleted in Special:CheckUser 'Get actions'

https://gerrit.wikimedia.org/r/1018782

gerritbot added a project: Patch-For-Review.Wed, Apr 10, 8:13 PM
Dreamy_Jazz moved this task from In Progress to Needs Review on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Wed, Apr 10, 8:27 PM
Umherirrender unsubscribed.Wed, Apr 10, 8:40 PM
Dreamy_Jazz merged a task: Restricted Task.Fri, Apr 12, 10:37 AM
Dreamy_Jazz added a subscriber: mmartorana.
gerritbot added a comment.Mon, Apr 15, 5:13 PM

Change #1018782 merged by jenkins-bot:

[mediawiki/extensions/CheckUser@master] Respect log_deleted in Special:CheckUser 'Get actions'

https://gerrit.wikimedia.org/r/1018782

Dreamy_Jazz moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Mon, Apr 15, 5:49 PM

My suggestion for testing this is to suppress a variety of information for log events and then try to see if any of it is shown in Special:CheckUser, in a similar vein to T326867.

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.1; 2024-04-16).Mon, Apr 15, 6:00 PM
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Tabla (1st - 14th April)) board.Tue, Apr 16, 9:23 AM
dom_walden subscribed.

I suppressed all the log entries on my local wiki and then I did a "Get actions" Special:CheckUser request for a username, IP and temporary user. I could not find any references to suppressed usernames for any log entries.

Dreamy_Jazz closed this task as Resolved.Tue, Apr 16, 11:21 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL