Page MenuHomePhabricator

The API should not return the SHA1 for revisions with the DELETED_TEXT attribute
Closed, ResolvedPublic

Description

Querying the API with action=query&prop=revisions&rvprop=sha1 returns the SHA1 even for revisions whose content is hidden, for any user.

Example: http://fr.wikipedia.org/w/api.php?action=query&prop=revisions&revids=86537049&rvprop=content|sha1|comment

I think this should not be the case: a revision might be hidden because of a very short string (first name of the contributor, phone number...). In this case it is possible to recover the hidden content from the SHA1 and the text of the next revision.


Version: 1.21.x
Severity: normal

Details

Reference
bz43137

Event Timeline

bzimport raised the priority of this task from to Normal.Nov 22 2014, 12:48 AM
bzimport added a project: MediaWiki-API.
bzimport set Reference to bz43137.
Orlodrim created this task.Dec 14 2012, 8:27 PM

Gerrit change 38802

successfully merged