Page MenuHomePhabricator
Create Task
Maniphest T326866

Special:Investigate can expose suppressed information for log events
Open, Needs TriagePublicBUG REPORT
Actions

Description

Splitting from T316414. Not setting as a security ticket as the cat is out of the bag.

Log actions stored by CheckUser that are in the logging table (and thus can be suppressed) are not hidden as CheckUser does not store the log ID so that it can look up the revision deletion status. This means that checkusers who do not have the oversight permissions can access oversighted logs.

To do this CheckUser needs to store any associated log ID. This will be done in T324907. Once this has been achieved this can be fixed.

Related Objects
Search...

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.
StatusSubtypeAssignedTask
· · ·
OpenBUG REPORTNoneT326866 Special:Investigate can expose suppressed information for log events
ResolvedDreamy_JazzT253796 Make CheckUser record the log_id of logged actions
· · ·

Event Timeline

Dreamy_Jazz created this task.Jan 12 2023, 9:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 12 2023, 9:07 PM
Dreamy_Jazz mentioned this in T311337: CVE-2022-39193: Edits with the performer suppressed still show the performer in results from the CheckUser extension.Jan 12 2023, 9:11 PM
Dreamy_Jazz added a project: Vuln-Infoleak.
Dreamy_Jazz added a project: Anti-Harassment.Jan 12 2023, 9:33 PM
Dreamy_Jazz added a subtask: T253796: Make CheckUser record the log_id of logged actions.
sbassett edited projects, added SecTeam-Processed; removed Security-Team.Jan 17 2023, 5:14 PM
Dreamy_Jazz added a project: CheckUser.Jan 18 2023, 9:48 PM
Dreamy_Jazz moved this task from General / Unsorted to Investigate on the CheckUser board.
sbassett mentioned this in T325849: Write and send supplementary release announcement for extensions and skins with security patches (1.35.10/1.38.6/1.39.3).Jan 23 2023, 6:14 PM
sbassett mentioned this in T333626: Write and send supplementary release announcement for extensions and skins with security patches (1.35.11/1.38.7/1.39.4/1.40.0).Apr 4 2023, 7:48 PM
sbassett mentioned this in T340874: Write and send supplementary release announcement for extensions and skins with security patches (1.35.12/1.39.5/1.40.1).Jul 6 2023, 3:27 PM
Dreamy_Jazz moved this task from Untriaged to CheckUser on the Anti-Harassment board.Jul 22 2023, 5:49 PM
sbassett mentioned this in T347659: Write and send supplementary release announcement for extensions and skins with security patches (1.35.14/1.39.6/1.40.2/1.41.0).Oct 2 2023, 10:31 PM
Dreamy_Jazz closed subtask T253796: Make CheckUser record the log_id of logged actions as Resolved.Wed, Apr 10, 1:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL