
CVE-2025-62661: UserInfoCard: Do permission checking when getting counts of global and local edits, new articles and thanks
Closed, Resolved | Public | 1 Estimated Story Points | Security

Description

The counts for some data points include edits/actions which the user does not have permission to see.

These include:

  • totalEditCount
  • thanksGiven
  • thanksReceived
  • newArticlesCount
  • globalEditCount
  • revertedEditCount (I will need to verify this)

I will need to follow up on whether this affects the other data points (e.g. block counts, checkuser counts, etc.)

Reproduction
  1. Create a new user
  2. As that new user:
    1. edit an existing page
    2. create a new page
    3. thank another user (e.g. in the revision history page)
  3. Login as an admin
    1. thank the new user for one of their edits
    2. revert their edit from step 2a.
    3. Go to Special:Contributions/<new user> and for each contribution suppress its visibility (click "change visibility" and check all of the checkboxes)
    4. Go to Special:Log/thanks and change the visibility of the thanks given/received in steps 2c and 3a
  4. Login as a normal user with no elevated rights
  5. Enable UserInfoCard by submitting: Special:ApiSandbox#action=options&format=json&optionname=checkuser-userinfocard-enable&optionvalue=1
  6. Go to Special:ListUsers?username=<new user> and click the UserInfoCard icon next to <new user>

Expected: all the counts for "Global edits", "Local edits", "reverted", "New articles" and "Thanks received/given" are zero.
Actual: those counts are non-zero. If you click their respective links you will not be able to see any of the edits/actions which UIC reports.

Event Timeline

dom_walden renamed this task from UserInfoCard: Do permission checking when getting counts of gobal and local edits, new articles and thanks to UserInfoCard: Do permission checking when getting counts of global and local edits, new articles and thanks.Jun 20 2025, 6:54 AM
dom_walden added subscribers: kostajh, Tchanders, Dreamy_Jazz and 5 others.
sbassett subscribed.

Leaving to Trust and Safety Product Team unless there is a specific ask of the Security Team here.

thanksGiven and thanksReceived are from ThanksQueryHelper in Thanks, so tagging that extension.

globalEditCount is from MediaWiki-extensions-CentralAuth getGlobalEditCount, so tagging that extension here too.

totalEditCount is from UserEditTracker in core -> MediaWiki-User-management

newArticlesCount and revertedEditCount this is from GrowthExperiments

Out of those numbers, only thanksGiven/Received and newArticlesCount/revertedEditCount are dynamically calculated. The edit counts are implemented by bumping a counter, so I don't think we can/should do much there – it is a widely known fact the edit counter does not always represent what you see in Special:Contributions.

OK, what I think we (Trust and Safety Product Team) should do for UserInfoCard:

  • Update ThanksQueryHelper to only include log_deleted = 0 in its queries. If someone in the future wants to include support for adding an Authority to include counts based on suppressed log entries, that would be fine, but I don't think we need to do it now. On enwiki, out of 4,259,843 log entries for thanks, only 469 are suppressed.
  • newArticlesCount - we can update ComputedUserImpactLookup#getCreatedArticleCount in GrowthExperiments to check that log_deleted is 0

What I propose we don't do anything about:

  • As @Urbanecm_WMF notes above: both methods in CentralAuth for calculating edit counts don't take into account the authority that is checking the count, and the edit tracker in core doesn't do that either. I propose that we leave this as a "won't fix".
  • revertedEditCount already checks for rev_deleted ($queryBuilder->where( $db->bitAnd( 'rev_deleted', RevisionRecord::DELETED_USER ) . ' = 0' );), so I think there is nothing more to be done there.
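To make the proposed fix concrete, here is an added example (not code from this task or from the Thanks/GrowthExperiments extensions) that rebuilds the log-derived UserInfoCard counts over a constructed logging table and compares the unfiltered query with one carrying the log_deleted = 0 condition. It assumes a simplified logging schema, LogPage-style bit values for log_deleted, that thanks entries use log_type 'thanks' with the thanked user in log_title, and that page creations use log_type 'create'.

```python
import sqlite3

# Added example, not code from the task or from the Thanks/GrowthExperiments
# extensions. Bit values assumed to follow LogPage::DELETED_* in MediaWiki core.
DELETED_ACTION, DELETED_COMMENT, DELETED_USER, DELETED_RESTRICTED = 1, 2, 4, 8
COUNTABLE_COLUMNS = {"log_actor", "log_title"}  # allow-list for the column name

def build_db():
    """Constructed in-memory stand-in for the MediaWiki logging table."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE logging (
        log_id INTEGER PRIMARY KEY, log_type TEXT, log_action TEXT,
        log_actor INTEGER, log_title TEXT, log_deleted INTEGER NOT NULL DEFAULT 0)""")
    db.executemany("INSERT INTO logging VALUES (?,?,?,?,?,?)", [
        # thanks sent to NewUser (log_title = thanked user); the second one is suppressed
        (1, "thanks", "thank", 1, "NewUser", 0),
        (2, "thanks", "thank", 1, "NewUser", DELETED_USER | DELETED_RESTRICTED),
        # a thank sent by NewUser (actor 2) whose log action was hidden
        (3, "thanks", "thank", 2, "Admin", DELETED_ACTION),
        # page creations by NewUser, one of them suppressed
        (4, "create", "create", 2, "New_page", 0),
        (5, "create", "create", 2, "Hidden_page", DELETED_USER),
    ])
    return db

def count_log_entries(db, log_type, column, value, visible_only=True):
    """Count log rows of one type where column = value. visible_only=False is the
    pre-fix behaviour; visible_only=True adds the log_deleted = 0 condition."""
    if column not in COUNTABLE_COLUMNS:  # column is interpolated, so allow-list it
        raise ValueError(f"unexpected column {column!r}")
    sql = f"SELECT COUNT(*) FROM logging WHERE log_type = ? AND {column} = ?"
    if visible_only:
        sql += " AND log_deleted = 0"
    return db.execute(sql, (log_type, value)).fetchone()[0]

def user_info_card_counts(db, actor_id, user_title, visible_only=True):
    """The three log-derived UserInfoCard counts discussed in the task."""
    return {
        "thanksReceived": count_log_entries(db, "thanks", "log_title", user_title, visible_only),
        "thanksGiven": count_log_entries(db, "thanks", "log_actor", actor_id, visible_only),
        "newArticlesCount": count_log_entries(db, "create", "log_actor", actor_id, visible_only),
    }

if __name__ == "__main__":
    db = build_db()
    print("before fix:", user_info_card_counts(db, 2, "NewUser", visible_only=False))
    print("after fix: ", user_info_card_counts(db, 2, "NewUser"))
```

Row 3 shows why the task settles on log_deleted = 0 rather than a single-bit test: an entry with only DELETED_ACTION set would still count under a check like log_deleted & DELETED_USER = 0.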
kostajh set the point value for this task to 1.Jul 23 2025, 10:58 AM
mszwarc changed the task status from Open to In Progress.Jul 29 2025, 10:50 AM
mszwarc claimed this task.

OK, what I think we (Trust and Safety Product Team) should do for UserInfoCard:

  • Update ThanksQueryHelper to only include log_deleted = 0 in its queries. If someone in the future wants to include support for adding an Authority to include counts based on suppressed log entries, that would be fine, but I don't think we need to do it now. On enwiki, out of 4,259,843 log entries for thanks, only 469 are suppressed.
  • newArticlesCount - we can update ComputedUserImpactLookup#getCreatedArticleCount in GrowthExperiments to check that log_deleted is 0

Here are patches for GrowthExperiments and Thanks to address these two points:

+2, I've reviewed both patches and they look ok for me


Deployed

Given the comment in T402600#11119989, would it be fine to upload these changes to Gerrit as well for Thanks and GrowthExperiments? And, in that vein, what would be the process to make this task itself public?


ext:Thanks is actually bundled since 1.40. So we'd want to keep that one tracked and embargoed until the upcoming core security release (T397766, due out towards the end of September 2025). The ext:GrowthExperiments patch would be fine to push up to gerrit, especially if it's causing conflicts with other, public work, but this task should remain protected until the aforementioned core security release is out. I've added @gerritbot as a subscriber to this task, so if you do push the ext:GrowthExperiments patch up to gerrit, it should still post the changes here.

Change #1189190 had a related patch set uploaded (by Reedy; author: Mszwarc):

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Exclude deleted log entries when counting created articles

https://gerrit.wikimedia.org/r/1189190

Change #1189190 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@master] SECURITY: Exclude deleted log entries when counting created articles

https://gerrit.wikimedia.org/r/1189190

Change #1189252 had a related patch set uploaded (by Reedy; author: Mszwarc):

[mediawiki/extensions/GrowthExperiments@REL1_44] SECURITY: Exclude deleted log entries when counting created articles

https://gerrit.wikimedia.org/r/1189252

Change #1189252 abandoned by Reedy:

[mediawiki/extensions/GrowthExperiments@REL1_44] SECURITY: Exclude deleted log entries when counting created articles

https://gerrit.wikimedia.org/r/1189252

Reedy renamed this task from UserInfoCard: Do permission checking when getting counts of global and local edits, new articles and thanks to CVE-2025-61654: UserInfoCard: Do permission checking when getting counts of global and local edits, new articles and thanks.Sep 29 2025, 1:40 PM

Change #1193240 had a related patch set uploaded (by Reedy; author: Mszwarc):

[mediawiki/extensions/Thanks@REL1_44] SECURITY: Exclude deleted entries when counting thanks

https://gerrit.wikimedia.org/r/1193240

Change #1193240 merged by jenkins-bot:

[mediawiki/extensions/Thanks@REL1_44] SECURITY: Exclude deleted entries when counting thanks

https://gerrit.wikimedia.org/r/1193240

Change #1193250 had a related patch set uploaded (by Reedy; author: Mszwarc):

[mediawiki/extensions/Thanks@master] SECURITY: Exclude deleted entries when counting thanks

https://gerrit.wikimedia.org/r/1193250

Change #1193250 merged by jenkins-bot:

[mediawiki/extensions/Thanks@master] SECURITY: Exclude deleted entries when counting thanks

https://gerrit.wikimedia.org/r/1193250

Change #1193431 had a related patch set uploaded (by Reedy; author: Mszwarc):

[mediawiki/extensions/Thanks@REL1_43] SECURITY: Exclude deleted entries when counting thanks

https://gerrit.wikimedia.org/r/1193431

Change #1193431 merged by jenkins-bot:

[mediawiki/extensions/Thanks@REL1_43] SECURITY: Exclude deleted entries when counting thanks

https://gerrit.wikimedia.org/r/1193431

Mstyles renamed this task from CVE-2025-61654: UserInfoCard: Do permission checking when getting counts of global and local edits, new articles and thanks to CVE-2025-62661: UserInfoCard: Do permission checking when getting counts of global and local edits, new articles and thanks.Tue, Oct 21, 7:34 PM
sbassett changed Author Affiliation from N/A to WMF Product.
sbassett removed a project: Patch-For-Review.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to High.