
Suppress restrictions on LogPager are wrong when filtering on log type or log author (for Special:Log or log extracts)
Closed, Resolved · Public · Security

Description

Steps to replicate the issue (include links if applicable):

  • Block a user who has never been blocked before.
  • Suppress the log action for that block (Special:Log/block => Special:RevisionDelete with "Hide target and parameters" and "Suppress data from administrators as well as others").
  • Edit the user page of the blocked user with a suppressor account (one holding the suppressrevision or viewsuppressed right).
    • The log extract about the block is shown above the edit form ("This user is currently blocked. The latest block log entry is provided below for reference"), the details are suppressed, and there is a link to "change visibility" or "show" the details (that is expected).
  • Edit the user page of the blocked user with a logged-out user or a non-sysop user (a user group without the deletedhistory right).
    • No log extract about the block is shown above the edit form (that is expected).
  • Edit the user page of the blocked user with a sysop account (but not a suppressor).

What happens?:
The log extract is shown, the details are greyed out and the word "show" is not linked. To avoid brute-force searches (T19342), and per the fix https://gerrit.wikimedia.org/r/c/mediawiki/core/+/416595 for T188145, the log should not be shown to this user at all.

In https://gerrit.wikimedia.org/r/c/mediawiki/core/+/416595 the constants for USER and ACTION were swapped, but the right-hand side of the comparison on the next line was not adjusted. That results in the SQL condition ((log_deleted & 9) != 12), which is always true: a value masked with 9 can only be 0, 1, 8 or 9, so it never equals 12 and the condition never excludes a row.
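The following added example (not code from the task or from MediaWiki core) makes the bitfield mismatch concrete. It uses the LogPage bitfield constants as MediaWiki core defines them (DELETED_ACTION = 1, DELETED_COMMENT = 2, DELETED_USER = 4, DELETED_RESTRICTED = 8, with SUPPRESSED_USER and SUPPRESSED_ACTION as the OR of the respective bit with DELETED_RESTRICTED) and evaluates the condition from the description, `(log_deleted & 9) != 12`, against every possible log_deleted value and against a small constructed log table. The "fixed" predicate is my reading of the description, i.e. mask and comparand both SUPPRESSED_ACTION; the sample rows and function names are constructed for illustration.

```python
# MediaWiki LogPage bitfield constants (values as defined in core's LogPage class)
DELETED_ACTION = 1
DELETED_COMMENT = 2
DELETED_USER = 4
DELETED_RESTRICTED = 8          # "suppressed": hidden from admins too
SUPPRESSED_USER = DELETED_USER | DELETED_RESTRICTED      # 12
SUPPRESSED_ACTION = DELETED_ACTION | DELETED_RESTRICTED  # 9


def buggy_visible(log_deleted: int) -> bool:
    """The condition the task describes: (log_deleted & 9) != 12.
    The mask only keeps bits 1 and 8, so the masked value is in {0, 1, 8, 9}
    and can never equal 12: the predicate is true for every row."""
    return (log_deleted & SUPPRESSED_ACTION) != SUPPRESSED_USER


def fixed_visible(log_deleted: int) -> bool:
    """Consistent form (assumed from the description): mask and comparand
    both use SUPPRESSED_ACTION, so rows whose action is suppressed are
    excluded for a user who may see deleted but not suppressed data."""
    return (log_deleted & SUPPRESSED_ACTION) != SUPPRESSED_ACTION


def rows_hidden(predicate) -> list:
    """All 4-bit log_deleted values that the predicate would exclude."""
    return sorted(v for v in range(16) if not predicate(v))


# Constructed sample block-log rows (log_id, log_deleted); not real wiki data.
SAMPLE_LOG = [
    {"log_id": 1, "log_deleted": 0},                  # fully public entry
    {"log_id": 2, "log_deleted": DELETED_ACTION},     # action hidden, admin-visible
    {"log_id": 3, "log_deleted": SUPPRESSED_ACTION},  # action suppressed (the task's case)
    {"log_id": 4, "log_deleted": SUPPRESSED_USER},    # performer suppressed
    {"log_id": 5, "log_deleted": 15},                 # everything suppressed
]


def visible_ids(rows, predicate) -> list:
    """Simulate the WHERE clause: ids of rows the predicate lets through."""
    return [r["log_id"] for r in rows if predicate(r["log_deleted"])]


if __name__ == "__main__":
    print("buggy hides:", rows_hidden(buggy_visible))      # []
    print("fixed hides:", rows_hidden(fixed_visible))      # [9, 11, 13, 15]
    print("sysop sees (buggy):", visible_ids(SAMPLE_LOG, buggy_visible))
    print("sysop sees (fixed):", visible_ids(SAMPLE_LOG, fixed_visible))
```

Exhaustively enumerating the 16 possible bitfield values is the quickest check that a mask/comparand pair is coherent: if the comparand has a bit set that the mask clears, the inequality can never fail, which is exactly the defect here.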

What should have happened instead?:

No log extract should be shown. That either no block info or the wrong block info is shown is a separate bug (T277466).

Special:Log uses the same code to build the query, so when visiting Special:Log/block with the blocked user as "target", the log entry is shown, which is not expected.

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Event Timeline

mmartorana changed the task status from Open to In Progress. Jan 25 2023, 3:59 PM
mmartorana triaged this task as Low priority.
mmartorana added a project: Vuln-Infoleak.
mmartorana changed Risk Rating from N/A to Low.

Hi @Dreamy_Jazz - would you happen to have any thoughts or suggestions regarding this matter?

Based on the task description, it seems like an issue that needs fixing. Non-suppressors shouldn't have access to suppressed material and the show link being unclickable reinforces this. I'm probably not going to be able to work on this for the foreseeable future and I've not inspected the code to confirm the source of the issue, but the task description seems to be a viable cause.

Aklapper changed the task status from In Progress to Open. Mar 22 2025, 7:25 AM

Resetting task status from "In Progress" to "Open" as this task has been "in progress" for more than two years.

sbassett changed Author Affiliation from N/A to Wikimedia Communities.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".