Page MenuHomePhabricator
Create Task
Maniphest T41823

If a block log reason was rev-deleted, it is still visible for all admins in [[Special:Block]]
Closed, ResolvedPublic
Actions

Description

If a user is blocked with the "Hide username from edits and lists" option selected, and another administrator attempted to reblock the same user, then the block reason was shown to the second administrator even if they lacked the hideuser right.

This was fixed in the attached patch, to be included with the release of MediaWiki 1.19.2 and 1.18.5.

Administrators are advised to avoid placing private data in block reasons. If a block reason does contain private data, the user should be reblocked with a non-private block reason and the original log entry suppressed.

Version: 1.19.1
Severity: normal

Details

Reference
bz39823

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 12:52 AM
bzimport added projects: MW-1.19-release, MediaWiki-User-management.
bzimport set Reference to bz39823.
bzimport added a subscriber: Unknown Object (MLST).
tstarling created this task.Aug 31 2012, 1:55 AM
tstarling added a comment.Aug 31 2012, 1:56 AM

Created attachment 11042
Patch for 1.18 branch

Attached:

blockreason-1.18.patch903 BDownload

tstarling added a comment.Aug 31 2012, 1:56 AM
  • Bug 35839 has been marked as a duplicate of this bug. ***
csteipp added a project: acl*security.Mar 26 2015, 8:39 PM
chasemp added a project: Security.Feb 10 2020, 10:53 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL