Abusefilter API does not check for abusefilter-view-private userright
Closed, ResolvedPublic

Description

506 is a hidden filter on enwiki, which means I (not a sysop or EFM) cannot see https://en.wikipedia.org/wiki/Special:AbuseFilter/506. However, I can still see https://en.wikipedia.org/w/api.php?action=query&list=abuselog&aflfilter=506, which is basically the same content.

I'm marking this as major since it's another data leak.


Version: unspecified
Severity: major

bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz42814.
Legoktm created this task.Via LegacyDec 7 2012, 4:53 AM
MZMcBride added a comment.Via ConduitDec 7 2012, 5:30 AM

I believe this just needs an additional security check in extensions/AbuseFilter/api/ApiQueryAbuseLog.php. It looks like there are already some permissions checks in place, but none for the "filter" prop. I'm marking this bug with the "easy" keyword as I don't believe adding a check should be very difficult.

https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/extensions/AbuseFilter.git;a=blob;f=api/ApiQueryAbuseLog.php;h=543d55f7af0b0327f2348073d5b188653898887d;hb=d6444fae14963204962c9b7d6df36ce6eaa2bd0f

Legoktm added a comment.Via ConduitDec 7 2012, 7:38 AM

I just filed a similar one at bug 42816, which deals which permissions of blocked users.

csteipp added a comment.Via ConduitDec 11 2012, 1:02 AM

As I accidentally posted on bug 42816...

I think the basis of the leak is that the special page only filters the result
for a filter id if the user has the permission 'abusefilter-log-private' or
'abusefilter-view-private' (SpecialAbuseLog around line 225). The api doesn't
seem to check for this. Should be easy to check for.

Additionally, the api always lists the filter_id that triggered the log entry, whereas the special page gives the generic "an abuse filter".

Gerrit 37989

hoo added a comment.Via ConduitDec 18 2012, 9:40 PM

Change tested and merged

hoo added a comment.Via ConduitDec 18 2012, 9:54 PM

Reopened: I didn't notice that with aflprop=filter|action|details it's still possible to see information usually being hidden.

hoo added a comment.Via ConduitDec 18 2012, 10:05 PM

Fixed in https://gerrit.wikimedia.org/r/39317 (tested). Please review

hoo added a comment.Via ConduitDec 19 2012, 7:43 AM

Chris merged my patch... thanks :)

Add Comment

Column Prototype
This is a very early prototype of a persistent column. It is not expected to work yet, and leaving it open will activate other new features which will break things. Press "\" (backslash) on your keyboard to close it now.