Page MenuHomePhabricator
Create Task
Maniphest T373265

CVE-2025-23074: Special:EditProfile exposes the contents of profile fields marked "hidden"/friends or "friends of friends" when the privileged user isn't a friend of the user whose profile they edit(ed)
Closed, ResolvedPublicSecurity
Actions

Description

The special page Special:EditProfile allows users with the editothersprofiles user right to edit other users' social profiles. It bundles most of the Special:UpdateProfile page (which is usually usable by all registered users for updating their own social profile data) into a single-page view, excluding the preferences section of Special:UpdateProfile.

It also doesn't respect the profile fields' visibility setting ([visible to] everyone/friends/friends of friends/hidden). "Whoops".

Minimal reproducible test case:

  1. Have two accounts, let's call them Admin and User, with Admin belonging to a group which has been assigned the editothersprofiles user right
  2. As User, edit your profile via Special:UpdateProfile and select one or more fields to be NOT visible to everyone, e.g. friends or friends of friends only, or hidden; hidden is, of course, the easiest choice since that should never be shown to anyone else
  3. Give the chosen field some kind of a value
  4. Hit the save button
  5. Log out as User, log in as Admin and go to Special:EditProfile/User
  6. You'll be able to see the "hidden" field's (or fields') value(s) just fine, even though you shouldn't be (assuming that the field was indeed "hidden" and not "friends" or "friends of friends" and furthermore assuming that Admin isn't a friend of User or anyone who is friends with User)

One thing with my low-effort/no-effort patch, which I'll try to post here later today or so, I didn't check is how do fields that are hidden behave after someone with no rights to view 'em but the right to use Special:EditProfile edits their profile - my guess is that the data gets overwritten, and that'd also be less than ideal.

Details

SubjectRepoBranchLines +/-
Special:EditProfile: Respect profile field visibility settingsmediawiki/extensions/SocialProfileREL1_42+69 -35
Special:EditProfile: Respect profile field visibility settingsmediawiki/extensions/SocialProfileREL1_41+69 -35
Special:EditProfile: Respect profile field visibility settingsmediawiki/extensions/SocialProfilemaster+69 -35
Customize query in gerrit

Related Objects

Event Timeline

ashley created this task.Aug 25 2024, 12:15 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 25 2024, 12:15 PM
ashley renamed this task from Special:EditProfile exposes the contents of profile fields marked "hidden" to Special:EditProfile exposes the contents of profile fields marked "hidden"/friends or "friends of friends" when the privileged user isn't a friend of the user whose profile they edit(ed).Aug 25 2024, 12:16 PM
ashley claimed this task.
ashley added projects: Vuln-Infoleak, SocialProfile.
sbassett mentioned this in T368628: Write and send supplementary release announcement for extensions and skins with security patches (1.39.9/1.41.3/1.42.2).Aug 26 2024, 4:20 PM
sbassett edited projects, added SecTeam-Processed; removed Security-Team.
ashley added a comment.Aug 26 2024, 7:45 PM

Here's the aforementioned low-effort patch, which adds UserProfilePage-like visibility checks to Special:EditProfile:

diff --git a/UserProfile/includes/specials/SpecialEditProfile.php b/UserProfile/includes/specials/SpecialEditProfile.php
index 928622b9..ea282fab 100644
--- a/UserProfile/includes/specials/SpecialEditProfile.php
+++ b/UserProfile/includes/specials/SpecialEditProfile.php
@@ -78,6 +78,8 @@ class SpecialEditProfile extends SpecialUpdateProfile {
 			return;
 		}
 
+		$this->profile_visible_fields = SPUserSecurity::getVisibleFields( $target, $user );
+
 		if ( $request->wasPosted() && $user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
 			$this->saveProfileBasic( $target );
 			$this->saveBasicSettings( $target );
@@ -246,7 +248,7 @@ class SpecialEditProfile extends SpecialUpdateProfile {
 		$form .= '<div class="profile-update">
 			<p class="profile-update-title">' . $this->msg( 'user-profile-personal-info' )->escaped() . '</p>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-personal-name' )->escaped() . '</p>
-			<p class="profile-update-unit"><input type="text" size="25" name="real_name" id="real_name" value="' . htmlspecialchars( $real_name, ENT_QUOTES ) . '"/></p>
+			<p class="profile-update-unit"><input type="text" size="25" name="real_name" id="real_name" value="' . ( $real_name && in_array( 'up_real_name', $this->profile_visible_fields ) ? htmlspecialchars( $real_name, ENT_QUOTES ) : '' ) . '"/></p>
 			<div class="visualClear"></div>';
 		if ( $this->getUser()->isAllowed( 'editothersprofiles-private' ) ) {
 			$form .= '<p class="profile-update-unit-left">' . $this->msg( 'email' )->escaped() . '</p>
@@ -273,7 +275,7 @@ class SpecialEditProfile extends SpecialUpdateProfile {
 		$form .= '<div class="profile-update">
 			<p class="profile-update-title">' . $this->msg( 'user-profile-personal-location' )->escaped() . '</p>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-personal-city' )->escaped() . '</p>
-			<p class="profile-update-unit"><input type="text" size="25" name="location_city" id="location_city" value="' . ( isset( $location_city ) ? htmlspecialchars( $location_city, ENT_QUOTES ) : '' ) . '" /></p>
+			<p class="profile-update-unit"><input type="text" size="25" name="location_city" id="location_city" value="' . ( isset( $location_city ) && in_array( 'up_location_city', $this->profile_visible_fields ) ? htmlspecialchars( $location_city, ENT_QUOTES ) : '' ) . '" /></p>
 			<div class="visualClear"></div>
 			<p class="profile-update-unit-left" id="location_state_label">' . $this->msg( 'user-profile-personal-country' )->escaped() . '</p>';
 		$form .= '<p class="profile-update-unit">';
@@ -296,7 +298,7 @@ class SpecialEditProfile extends SpecialUpdateProfile {
 		$form .= '<div class="profile-update">
 			<p class="profile-update-title">' . $this->msg( 'user-profile-personal-hometown' )->escaped() . '</p>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-personal-city' )->escaped() . '</p>
-			<p class="profile-update-unit"><input type="text" size="25" name="hometown_city" id="hometown_city" value="' . ( isset( $hometown_city ) ? htmlspecialchars( $hometown_city, ENT_QUOTES ) : '' ) . '" /></p>
+			<p class="profile-update-unit"><input type="text" size="25" name="hometown_city" id="hometown_city" value="' . ( isset( $hometown_city ) && in_array( 'up_hometown_city', $this->profile_visible_fields ) ? htmlspecialchars( $hometown_city, ENT_QUOTES ) : '' ) . '" /></p>
 			<div class="visualClear"></div>
 			<p class="profile-update-unit-left" id="hometown_state_label">' . $this->msg( 'user-profile-personal-country' )->escaped() . '</p>
 			<p class="profile-update-unit">';
@@ -319,7 +321,7 @@ class SpecialEditProfile extends SpecialUpdateProfile {
 		$form .= '<div class="profile-update">
 			<p class="profile-update-title">' . $this->msg( 'user-profile-personal-birthday' )->escaped() . '</p>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-personal-birthdate-with-year' )->escaped() . '</p>
-			<p class="profile-update-unit"><input type="text" class="long-birthday" size="25" name="birthday" id="birthday" value="' . ( isset( $birthday ) ? htmlspecialchars( $birthday, ENT_QUOTES ) : '' ) . '" /></p>
+			<p class="profile-update-unit"><input type="text" class="long-birthday" size="25" name="birthday" id="birthday" value="' . ( isset( $birthday ) && in_array( 'up_birthday', $this->profile_visible_fields ) ? htmlspecialchars( $birthday, ENT_QUOTES ) : '' ) . '" /></p>
 			<div class="visualClear"></div>
 		</div><div class="visualClear"></div>';
 
@@ -327,7 +329,7 @@ class SpecialEditProfile extends SpecialUpdateProfile {
 			<p class="profile-update-title">' . $this->msg( 'user-profile-personal-aboutme' )->escaped() . '</p>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-personal-aboutme' )->escaped() . '</p>
 			<p class="profile-update-unit">
-				<textarea name="about" id="about" rows="3" cols="75">' . ( isset( $about ) ? htmlspecialchars( $about, ENT_QUOTES ) : '' ) . '</textarea>
+				<textarea name="about" id="about" rows="3" cols="75">' . ( isset( $about ) && in_array( 'up_about', $this->profile_visible_fields ) ? htmlspecialchars( $about, ENT_QUOTES ) : '' ) . '</textarea>
 			</p>
 			<div class="visualClear"></div>
 		</div>
@@ -337,7 +339,7 @@ class SpecialEditProfile extends SpecialUpdateProfile {
 			<p class="profile-update-title">' . $this->msg( 'user-profile-personal-work' )->escaped() . '</p>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-personal-occupation' )->escaped() . '</p>
 			<p class="profile-update-unit">
-				<textarea name="occupation" id="occupation" rows="2" cols="75">' . ( isset( $occupation ) ? htmlspecialchars( $occupation, ENT_QUOTES ) : '' ) . '</textarea>
+				<textarea name="occupation" id="occupation" rows="2" cols="75">' . ( isset( $occupation ) && in_array( 'up_occupation', $this->profile_visible_fields ) ? htmlspecialchars( $occupation, ENT_QUOTES ) : '' ) . '</textarea>
 			</p>
 			<div class="visualClear"></div>
 		</div>
@@ -347,7 +349,7 @@ class SpecialEditProfile extends SpecialUpdateProfile {
 			<p class="profile-update-title">' . $this->msg( 'user-profile-personal-education' )->escaped() . '</p>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-personal-schools' )->escaped() . '</p>
 			<p class="profile-update-unit">
-				<textarea name="schools" id="schools" rows="2" cols="75">' . ( isset( $schools ) ? htmlspecialchars( $schools, ENT_QUOTES ) : '' ) . '</textarea>
+				<textarea name="schools" id="schools" rows="2" cols="75">' . ( isset( $schools ) && in_array( 'up_schools', $this->profile_visible_fields ) ? htmlspecialchars( $schools, ENT_QUOTES ) : '' ) . '</textarea>
 			</p>
 			<div class="visualClear"></div>
 		</div>
@@ -357,7 +359,7 @@ class SpecialEditProfile extends SpecialUpdateProfile {
 			<p class="profile-update-title">' . $this->msg( 'user-profile-personal-places' )->escaped() . '</p>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-personal-placeslived' )->escaped() . '</p>
 			<p class="profile-update-unit">
-				<textarea name="places" id="places" rows="3" cols="75">' . ( isset( $places ) ? htmlspecialchars( $places, ENT_QUOTES ) : '' ) . '</textarea>
+				<textarea name="places" id="places" rows="3" cols="75">' . ( isset( $places ) && in_array( 'up_places_lived', $this->profile_visible_fields ) ? htmlspecialchars( $places, ENT_QUOTES ) : '' ) . '</textarea>
 			</p>
 			<div class="visualClear"></div>
 		</div>
@@ -367,7 +369,7 @@ class SpecialEditProfile extends SpecialUpdateProfile {
 			<p class="profile-update-title">' . $this->msg( 'user-profile-personal-web' )->escaped() . '</p>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-personal-websites' )->escaped() . '</p>
 			<p class="profile-update-unit">
-				<textarea name="websites" id="websites" rows="2" cols="75">' . ( isset( $websites ) ? htmlspecialchars( $websites, ENT_QUOTES ) : '' ) . '</textarea>
+				<textarea name="websites" id="websites" rows="2" cols="75">' . ( isset( $websites ) && in_array( 'up_websites', $this->profile_visible_fields ) ? htmlspecialchars( $websites, ENT_QUOTES ) : '' ) . '</textarea>
 			</p>
 			<div class="visualClear"></div>
 		</div>
@@ -418,32 +420,32 @@ class SpecialEditProfile extends SpecialUpdateProfile {
 			<p class="profile-update-title">' . $this->msg( 'user-profile-interests-entertainment' )->escaped() . '</p>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-interests-movies' )->escaped() . '</p>
 			<p class="profile-update-unit">
-				<textarea name="movies" id="movies" rows="3" cols="75">' . ( isset( $movies ) ? htmlspecialchars( $movies, ENT_QUOTES ) : '' ) . '</textarea>
+				<textarea name="movies" id="movies" rows="3" cols="75">' . ( isset( $movies ) && in_array( 'up_movies', $this->profile_visible_fields ) ? htmlspecialchars( $movies, ENT_QUOTES ) : '' ) . '</textarea>
 			</p>
 			<div class="visualClear"></div>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-interests-tv' )->escaped() . '</p>
 			<p class="profile-update-unit">
-				<textarea name="tv" id="tv" rows="3" cols="75">' . ( isset( $tv ) ? htmlspecialchars( $tv, ENT_QUOTES ) : '' ) . '</textarea>
+				<textarea name="tv" id="tv" rows="3" cols="75">' . ( isset( $tv ) && in_array( 'up_tv', $this->profile_visible_fields ) ? htmlspecialchars( $tv, ENT_QUOTES ) : '' ) . '</textarea>
 			</p>
 			<div class="visualClear"></div>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-interests-music' )->escaped() . '</p>
 			<p class="profile-update-unit">
-				<textarea name="music" id="music" rows="3" cols="75">' . ( isset( $music ) ? htmlspecialchars( $music, ENT_QUOTES ) : '' ) . '</textarea>
+				<textarea name="music" id="music" rows="3" cols="75">' . ( isset( $music ) && in_array( 'up_music', $this->profile_visible_fields ) ? htmlspecialchars( $music, ENT_QUOTES ) : '' ) . '</textarea>
 			</p>
 			<div class="visualClear"></div>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-interests-books' )->escaped() . '</p>
 			<p class="profile-update-unit">
-				<textarea name="books" id="books" rows="3" cols="75">' . ( isset( $books ) ? htmlspecialchars( $books, ENT_QUOTES ) : '' ) . '</textarea>
+				<textarea name="books" id="books" rows="3" cols="75">' . ( isset( $books ) && in_array( 'up_books', $this->profile_visible_fields ) ? htmlspecialchars( $books, ENT_QUOTES ) : '' ) . '</textarea>
 			</p>
 			<div class="visualClear"></div>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-interests-magazines' )->escaped() . '</p>
 			<p class="profile-update-unit">
-				<textarea name="magazines" id="magazines" rows="3" cols="75">' . ( isset( $magazines ) ? htmlspecialchars( $magazines, ENT_QUOTES ) : '' ) . '</textarea>
+				<textarea name="magazines" id="magazines" rows="3" cols="75">' . ( isset( $magazines ) && in_array( 'up_magazines', $this->profile_visible_fields ) ? htmlspecialchars( $magazines, ENT_QUOTES ) : '' ) . '</textarea>
 			</p>
 			<div class="visualClear"></div>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-interests-videogames' )->escaped() . '</p>
 			<p class="profile-update-unit">
-				<textarea name="videogames" id="videogames" rows="3" cols="75">' . ( isset( $videogames ) ? htmlspecialchars( $videogames, ENT_QUOTES ) : '' ) . '</textarea>
+				<textarea name="videogames" id="videogames" rows="3" cols="75">' . ( isset( $videogames ) && in_array( 'up_video_games', $this->profile_visible_fields ) ? htmlspecialchars( $videogames, ENT_QUOTES ) : '' ) . '</textarea>
 			</p>
 			<div class="visualClear"></div>
 			</div>
@@ -451,12 +453,12 @@ class SpecialEditProfile extends SpecialUpdateProfile {
 			<p class="profile-update-title">' . $this->msg( 'user-profile-interests-eats' )->escaped() . '</p>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-interests-foodsnacks' )->escaped() . '</p>
 			<p class="profile-update-unit">
-				<textarea name="snacks" id="snacks" rows="3" cols="75">' . ( isset( $snacks ) ? htmlspecialchars( $snacks, ENT_QUOTES ) : '' ) . '</textarea>
+				<textarea name="snacks" id="snacks" rows="3" cols="75">' . ( isset( $snacks ) && in_array( 'up_snacks', $this->profile_visible_fields ) ? htmlspecialchars( $snacks, ENT_QUOTES ) : '' ) . '</textarea>
 			</p>
 			<div class="visualClear"></div>
 			<p class="profile-update-unit-left">' . $this->msg( 'user-profile-interests-drinks' )->escaped() . '</p>
 			<p class="profile-update-unit">
-				<textarea name="drinks" id="drinks" rows="3" cols="75">' . ( isset( $drinks ) ? htmlspecialchars( $drinks, ENT_QUOTES ) : '' ) . '</textarea>
+				<textarea name="drinks" id="drinks" rows="3" cols="75">' . ( isset( $drinks ) && in_array( 'up_drinks', $this->profile_visible_fields ) ? htmlspecialchars( $drinks, ENT_QUOTES ) : '' ) . '</textarea>
 			</p>
 			<div class="visualClear"></div>
 			</div>
@@ -503,28 +505,28 @@ class SpecialEditProfile extends SpecialUpdateProfile {
 					<div id="profile-update-custom1">
 					<p class="profile-update-unit-left">' . $this->msg( 'custom-info-field1' )->inContentLanguage()->parse() . '</p>
 					<p class="profile-update-unit">
-						<textarea name="custom1" id="fav_moment" rows="3" cols="75">' . ( isset( $custom1 ) ? htmlspecialchars( $custom1, ENT_QUOTES ) : '' ) . '</textarea>
+						<textarea name="custom1" id="fav_moment" rows="3" cols="75">' . ( isset( $custom1 ) && in_array( 'up_custom1', $this->profile_visible_fields ) ? htmlspecialchars( $custom1, ENT_QUOTES ) : '' ) . '</textarea>
 					</p>
 					</div>
 					<div class="visualClear"></div>
 					<div id="profile-update-custom2">
 					<p class="profile-update-unit-left">' . $this->msg( 'custom-info-field2' )->inContentLanguage()->parse() . '</p>
 					<p class="profile-update-unit">
-						<textarea name="custom2" id="least_moment" rows="3" cols="75">' . ( isset( $custom2 ) ? htmlspecialchars( $custom2, ENT_QUOTES ) : '' ) . '</textarea>
+						<textarea name="custom2" id="least_moment" rows="3" cols="75">' . ( isset( $custom2 ) && in_array( 'up_custom2', $this->profile_visible_fields ) ? htmlspecialchars( $custom2, ENT_QUOTES ) : '' ) . '</textarea>
 					</p>
 					</div>
 					<div class="visualClear"></div>
 					<div id="profile-update-custom3">
 					<p class="profile-update-unit-left">' . $this->msg( 'custom-info-field3' )->inContentLanguage()->parse() . '</p>
 					<p class="profile-update-unit">
-						<textarea name="custom3" id="fav_athlete" rows="3" cols="75">' . ( isset( $custom3 ) ? htmlspecialchars( $custom3, ENT_QUOTES ) : '' ) . '</textarea>
+						<textarea name="custom3" id="fav_athlete" rows="3" cols="75">' . ( isset( $custom3 ) && in_array( 'up_custom3', $this->profile_visible_fields ) ? htmlspecialchars( $custom3, ENT_QUOTES ) : '' ) . '</textarea>
 					</p>
 					</div>
 					<div class="visualClear"></div>
 					<div id="profile-update-custom4">
 					<p class="profile-update-unit-left">' . $this->msg( 'custom-info-field4' )->inContentLanguage()->parse() . '</p>
 					<p class="profile-update-unit">
-						<textarea name="custom4" id="least_fav_athlete" rows="3" cols="75">' . ( isset( $custom4 ) ? htmlspecialchars( $custom4, ENT_QUOTES ) : '' ) . '</textarea>
+						<textarea name="custom4" id="least_fav_athlete" rows="3" cols="75">' . ( isset( $custom4 ) && in_array( 'up_custom4', $this->profile_visible_fields ) ? htmlspecialchars( $custom4, ENT_QUOTES ) : '' ) . '</textarea>
 					</p>
 					</div>
 					<div class="visualClear"></div>
ashley added a comment.Aug 28 2024, 12:01 PM
In T373265, @ashley wrote:

I didn't check is how do fields that are hidden behave after someone with no rights to view 'em but the right to use Special:EditProfile edits their profile - my guess is that the data gets overwritten

This is indeed what happens, and it can be fixed by refactoring SpecialUpdateProfile.php a bit (since the EditProfile special page extends that class):

diff --git a/UserProfile/includes/specials/SpecialUpdateProfile.php b/UserProfile/includes/specials/SpecialUpdateProfile.php
index 4d22eb00..65e1b5db 100644
--- a/UserProfile/includes/specials/SpecialUpdateProfile.php
+++ b/UserProfile/includes/specials/SpecialUpdateProfile.php
@@ -364,24 +364,54 @@ class SpecialUpdateProfile extends UnlistedSpecialPage {
                $dbw = wfGetDB( DB_PRIMARY );
                $request = $this->getRequest();
 
+               // As for why the rest of the fields are done below instead of here...that's got to do with T373265
+               // tl,dr summary: we do NOT want to overwrite hidden/otherwise not-viewable-by-the-current-user
+               // data when a privileged user (who is *not* allowed to view said user profile data, however) uses
+               // Special:EditProfile (sic) to edit another user's profile
                $basicProfileData = [
-                       'up_location_city' => $request->getVal( 'location_city' ) ?? '',
-                       'up_location_state' => $request->getVal( 'location_state' ) ?? '',
-                       'up_location_country' => $request->getVal( 'location_country' ) ?? '',
-
-                       'up_hometown_city' => $request->getVal( 'hometown_city' ) ?? '',
-                       'up_hometown_state' => $request->getVal( 'hometown_state' ) ?? '',
-                       'up_hometown_country' => $request->getVal( 'hometown_country' ) ?? '',
-
                        'up_birthday' => self::formatBirthdayDB( $request->getVal( 'birthday' ) ),
-                       'up_about' => $request->getVal( 'about' ) ?? '',
-                       'up_occupation' => $request->getVal( 'occupation' ) ?? '',
-                       'up_schools' => $request->getVal( 'schools' ) ?? '',
-                       'up_places_lived' => $request->getVal( 'places' ) ?? '',
-                       'up_websites' => $request->getVal( 'websites' ) ?? '',
-                       'up_relationship' => $request->getVal( 'relationship' ) ?? 0
                ];
 
+               if ( $request->getVal( 'location_city' ) ) {
+                       $basicProfileData['up_location_city'] = $request->getVal( 'location_city' );
+               }
+               if ( $request->getVal( 'location_state' ) ) {
+                       $basicProfileData['up_location_state'] = $request->getVal( 'location_state' );
+               }
+               if ( $request->getVal( 'location_country' ) ) {
+                       $basicProfileData['up_location_country'] = $request->getVal( 'location_country' );
+               }
+
+               if ( $request->getVal( 'hometown_city' ) ) {
+                       $basicProfileData['up_hometown_city'] = $request->getVal( 'hometown_city' );
+               }
+               if ( $request->getVal( 'hometown_state' ) ) {
+                       $basicProfileData['up_hometown_state'] = $request->getVal( 'hometown_state' );
+               }
+               if ( $request->getVal( 'hometown_country' ) ) {
+                       $basicProfileData['up_hometown_country'] = $request->getVal( 'hometown_country' );
+               }
+
+               if ( $request->getVal( 'about' ) ) {
+                       $basicProfileData['up_about'] = $request->getVal( 'about' );
+               }
+               if ( $request->getVal( 'occupation' ) ) {
+                       $basicProfileData['up_occupation'] = $request->getVal( 'occupation' );
+               }
+               if ( $request->getVal( 'schools' ) ) {
+                       $basicProfileData['up_schools'] = $request->getVal( 'schools' );
+               }
+               if ( $request->getVal( 'places' ) ) {
+                       $basicProfileData['up_places_lived'] = $request->getVal( 'places' );
+               }
+               if ( $request->getVal( 'websites' ) ) {
+                       $basicProfileData['up_websites'] = $request->getVal( 'websites' );
+               }
+               // @todo FIXME: remove this per T373263
+               if ( $request->getVal( 'relationship' ) ) {
+                       $basicProfileData['up_relationship'] = $request->getVal( 'relationship' ) ?? 0;
+               }
+
                $dbw->update(
                        'user_profile',
                        /* SET */$basicProfileData,
ashley moved this task from Backlog to Bugs on the SocialProfile board.Aug 28 2024, 12:02 PM
ashley added a project: Social-Tools.Aug 31 2024, 10:51 PM
ashley moved this task from Backlog to SocialProfile on the Social-Tools board.
Mstyles subscribed.Sep 30 2024, 11:35 PM

@ashley this patch can go through Gerrit since it's unlikely to get any review as a private Phabricator ticket.

sbassett added a subscriber: gerritbot.Oct 1 2024, 3:29 PM
Mstyles added a comment.Oct 5 2024, 12:58 AM

@ashley since the patch isn't public, this will go out with the next supplemental release

Mstyles mentioned this in T375631: Write and send supplementary release announcement for extensions and skins with security patches (1.39.11/1.41.5/1.42.4).Oct 5 2024, 1:18 AM
gerritbot added a comment.Mon, Jan 13, 7:15 PM

Change #1110835 had a related patch set uploaded (by Mmartorana; author: Mmartorana):

[mediawiki/extensions/SocialProfile@master] Special:EditProfile: Respect profile field visibility settings

https://gerrit.wikimedia.org/r/1110835

gerritbot added a project: Patch-For-Review.Mon, Jan 13, 7:15 PM
mmartorana subscribed.EditedMon, Jan 13, 7:18 PM

Hey @ashley - I have uploaded these two patches to Gerrit.

gerritbot added a comment.Tue, Jan 14, 5:04 PM

Change #1110835 merged by Jack Phoenix:

[mediawiki/extensions/SocialProfile@master] Special:EditProfile: Respect profile field visibility settings

https://gerrit.wikimedia.org/r/1110835

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Tue, Jan 14, 5:15 PM
Bawolff changed the edit policy from "Custom Policy" to "All Users".
Bawolff subscribed.

[Marking public per request from Ashley]

ashley closed this task as Resolved.Tue, Jan 14, 5:18 PM
ashley removed a project: Patch-For-Review.
gerritbot added a comment.Tue, Jan 14, 6:55 PM

Change #1111306 had a related patch set uploaded (by Mmartorana; author: Mmartorana):

[mediawiki/extensions/SocialProfile@REL1_42] Special:EditProfile: Respect profile field visibility settings

https://gerrit.wikimedia.org/r/1111306

gerritbot added a project: Patch-For-Review.Tue, Jan 14, 6:55 PM

Change #1111307 had a related patch set uploaded (by Mmartorana; author: Mmartorana):

[mediawiki/extensions/SocialProfile@REL1_41] Special:EditProfile: Respect profile field visibility settings

https://gerrit.wikimedia.org/r/1111307

mmartorana renamed this task from Special:EditProfile exposes the contents of profile fields marked "hidden"/friends or "friends of friends" when the privileged user isn't a friend of the user whose profile they edit(ed) to CVE-2025-23074: Special:EditProfile exposes the contents of profile fields marked "hidden"/friends or "friends of friends" when the privileged user isn't a friend of the user whose profile they edit(ed).Tue, Jan 14, 7:17 PM
gerritbot added a comment.Mon, Jan 20, 9:02 AM

Change #1111307 merged by Jack Phoenix:

[mediawiki/extensions/SocialProfile@REL1_41] Special:EditProfile: Respect profile field visibility settings

https://gerrit.wikimedia.org/r/1111307

gerritbot added a comment.Mon, Jan 20, 9:02 AM

Change #1111306 merged by Jack Phoenix:

[mediawiki/extensions/SocialProfile@REL1_42] Special:EditProfile: Respect profile field visibility settings

https://gerrit.wikimedia.org/r/1111306

Maintenance_bot removed a project: Patch-For-Review.Mon, Jan 20, 9:30 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits