CheckUser API can expose suppressed information for log events
Open, MediumPublicBUG REPORT
Actions

Assigned To

None

Authored By

	Dreamy_Jazz
	Jan 12 2023, 9:08 PM

Description

Splitting from T318166. Not setting as a security ticket as the cat is out of the bag.

Log actions stored by CheckUser that are in the logging table (and thus can be suppressed) are not hidden as CheckUser does not store the log ID so that it can look up the revision deletion status. This means that checkusers who do not have the oversight permissions can access oversighted logs.

To do this CheckUser needs to store any associated log ID. This will be done in T324907. Once this has been achieved this can be fixed.

Related Objects
Search...

Status	Subtype	Assigned	Task
Open		None	T340995 Display client hint data in Special:Investigate
Open	BUG REPORT	None	T326867 CheckUser API can expose suppressed information for log events
Open		Dreamy_Jazz	T253796 Make CheckUser record the log_id of logged actions
Open	Feature	Dreamy_Jazz	T324907 Create separate tables for log events in CheckUser
Resolved		Ladsgroup	T326105 Create cu_log_event and cu_private_event on WMF wikis
Resolved		Milimetric	T327447 FYI: Other changes to the CheckUser tables
Open		None	T341829 Enable read new for the event table migration
Resolved		Dreamy_Jazz	T330158 Enable write new for the event table migration
Resolved		Dreamy_Jazz	T328874 Create temporary column in cu_changes to assist in migration to the new tables
Resolved		• Marostegui	T329203 Add new column cuc_only_for_read_old to cu_changes for migration purposes to wmf wikis
Resolved	PRODUCTION ERROR	Dreamy_Jazz	T342902 Wikimedia\Rdbms\DBQueryError: Error 1054: Unknown column 'cuc_only_for_read_old' in 'field list'Function: MediaWiki\CheckUser\Hooks::onAuthManagerLoginAuthenticateAuditQuery: INSERT INTO `cu_changes` (cuc_page_id,cuc_namespac
Resolved		• Marostegui	T343174 Add missing column cuc_only_for_read_old to testcommonswiki
Open		Dreamy_Jazz	T328992 Add read new support to Special:CheckUser for event table migration
Open		Dreamy_Jazz	T328995 Enable read new support in Special:CheckUser's 'Get edits' mode
Open	BUG REPORT	Dreamy_Jazz	T347773 Log action text shown when reading new does not respect the deleted status of the log
Resolved		Dreamy_Jazz	T328997 Enable read new support in Special:CheckUser's 'Get users' mode
Open		Dreamy_Jazz	T328998 Enable read new support in Special:CheckUser's 'Get IP Addresses' mode
Open		None	T329189 Add read new support to Special:Investigate for event table migration
Open		Dreamy_Jazz	T329200 Enable read new support in Special:Investigate's 'Timeline' tab
Open		Dreamy_Jazz	T329201 Enable read new support in Special:Investigate's 'IPs & User agents' tab
Resolved		Dreamy_Jazz	T328988 Create a SelectQueryBuilder that allows selecting from all three tables
Open		Dreamy_Jazz	T347102 Alias column names in Special:Investigate to not include the "cuc_" prefix
Open		None	T341827 Add read new support to the CheckUser API
Resolved		Dreamy_Jazz	T342629 Investigate CheckUser currently saving failed login attempted to usernames which fail RIGOR_VALID
Open		Dreamy_Jazz	T341688 Create LogFormatter for cu_private_event log events
Open	BUG REPORT	Dreamy_Jazz	T347400 Read new cannot parse the log_params of global block log entries
Open		Dreamy_Jazz	T341830 Create maintenance script to delete entries only for read old
Resolved		Dreamy_Jazz	T341586 Allow write old and new for event table migration
Resolved		Dreamy_Jazz	T341934 Failing tests for CheckUser when event table migration config set to WRITE_BOTH and READ_NEW
Resolved		Dreamy_Jazz	T342371 Create a maintenance script used only for testing to insert a large volume of testing actions to CheckUser
Open	PRODUCTION ERROR	pmiazga	T343983 Error: Call to a member function getTimestamp() on null
Open		None	T346022 How does wgCheckUserLogAdditionalRights affect read new for event table migration
Open		Dreamy_Jazz	T346044 Remove CheckUserUnionQueryBuilder