Oversighted IP still visible on Recent Changes when grouping edits per page
Closed, ResolvedPublic

Description

Screenshot of RC showing OS'ed IP

Oversighted IPs are still visible on Meta for non-oversighters. This happens when we enable "Group changes by page in recent changes and watchlist" in preferences [1]. The IP disappears when it is disabled.

Recently, Meta started to use CleanChanges and that may be related to this problem [2], as I can't recall this issue previously.

[1] - https://meta.wikimedia.org/w/index.php?title=Special:Preferences&success=1#mw-prefsection-rc
[2] - https://www.mediawiki.org/wiki/Extension:CleanChanges
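The failure mode reported above, as an added illustration (not code from CleanChanges or MediaWiki): a grouped recent-changes renderer must apply the per-row revision-deletion check to every row it collapses, otherwise a suppressed editor name leaks. The bit values are MediaWiki's Revision::DELETED_* constants; the right names and the sample rows are assumptions made for this model.

```python
# Added example, not code from the CleanChanges extension or MediaWiki itself:
# a model of MediaWiki's per-revision deletion bitfield and of the visibility
# check a grouped recent-changes renderer must apply to every row it collapses.

# Bit values match MediaWiki's Revision::DELETED_* constants.
DELETED_USER = 4        # editor name/IP hidden ("Hide editor's username/IP address")
DELETED_RESTRICTED = 8  # suppressed: hidden from ordinary admins too (oversight)


def user_can_see_editor(rc_deleted: int, viewer_rights: set) -> bool:
    """Model of the user-field check behind Revision::userCanBitfield."""
    if not rc_deleted & DELETED_USER:
        return True
    if rc_deleted & DELETED_RESTRICTED:
        needed = {"suppressrevision", "viewsuppressed"}  # assumed right names
    else:
        needed = {"deletedhistory"}
    return bool(needed & viewer_rights)


def editor_label(row: dict, viewer_rights: set) -> str:
    """What a single RC line should print for the editor of this row."""
    if user_can_see_editor(row["rc_deleted"], viewer_rights):
        return row["rc_user_text"]
    return "(username removed)"


def render_grouped_leaky(rows, viewer_rights):
    """Groups rows by page but formats editors from the raw row: the reported bug."""
    by_page = {}
    for row in rows:
        by_page.setdefault(row["rc_title"], []).append(row["rc_user_text"])
    return {title: sorted(set(users)) for title, users in by_page.items()}


def render_grouped_fixed(rows, viewer_rights):
    """Same grouping, but every row goes through the per-row visibility check."""
    by_page = {}
    for row in rows:
        by_page.setdefault(row["rc_title"], []).append(editor_label(row, viewer_rights))
    return {title: sorted(set(users)) for title, users in by_page.items()}


# Constructed sample rows; the IP is from RFC 5737 documentation space.
SAMPLE_ROWS = [
    {"rc_title": "Meta:Babel", "rc_user_text": "192.0.2.10",
     "rc_deleted": DELETED_USER | DELETED_RESTRICTED},
    {"rc_title": "Meta:Babel", "rc_user_text": "Alice", "rc_deleted": 0},
]
```

Running both renderers over SAMPLE_ROWS with an empty rights set shows the suppressed IP only in the leaky output; an oversighter with suppressrevision sees it in both.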


Version: unspecified
Severity: major

attachment recentchanges.png ignored as obsolete

bzimport added a subscriber: wikibugs-l.
bzimport set Reference to bz54294.
Teles created this task. Via Legacy, Sep 18 2013, 10:49 PM
Teles added a comment. Via Conduit, Sep 18 2013, 10:53 PM

content hidden as private in Bugzilla

csteipp added a comment. Via Conduit, Sep 20 2013, 2:42 AM

Hi Teles,

I'm working on reproducing this. Can you walk me through the process that you used to suppress the IP address?

I'm correctly not seeing the IP displayed when I use "Hide editor's username/IP address" under Special:RevisionDelete. But are you actually using the oversight extension for this?

csteipp added a comment. Via Conduit, Sep 20 2013, 2:46 AM

Ah, I found it. The issue does only show up after installing CleanChanges, so yes, that extension is the problem.

I'm on vacation for a couple of days. Adding Niklas as the extension owner. I would recommend removing the extension if this is a problem, and you need a solution before next week.

Barras added a comment. Via Conduit, Sep 20 2013, 4:59 AM

The usage of the extension itself is currently discussed on meta anyway. See [[bugzilla:53541]] and [[m:Meta:Babel#Enable_CleanChanges]].

Since that bug is a security bug and reveals private data to the public, I'd strongly suggest either having it fixed immediately or having it removed until it is fixed.

It might be worth checking all other wikis that use this extension for the same bug. I guess that one is not only related to meta, so it might be a good idea to remove it from other wikis as well as long as this bug is not fixed.

[[m:User:Barras]]

Nikerabbit added a comment. Via Conduit, Sep 20 2013, 5:06 AM

The number of wikis using both CleanChanges and the long deprecated Oversight extension is probably just one: meta.

Rschen7754 added a comment. Via Conduit, Sep 20 2013, 5:09 AM

I was involved in the IRC discussion where this was discovered, and it was using RevDel (modern suppression). I believe the issue had something to do with the number of recent edits displayed, but Teles or Barras can probably explain it better.

Teles added a comment. Via Conduit, Sep 21 2013, 3:12 AM

It was first rev deleted, which should have been enough to hide it from RC. As it was still appearing, I requested Barras to oversight it, but it was still there.

Barras added a comment. Via Conduit, Sep 23 2013, 2:51 PM

Probably another case related to this bug; this time the IP is still shown on a user's watchlist.

https://meta.wikimedia.org/w/index.php?title=Talk%3ACommunity_Logo%2FReclaim_the_Logo&action=revisiondelete&ids%5B5826096%5D=1

IP has been suppressed, but still visible to the user on their watchlist.

Please get that fixed asap or remove the extension until it is fixed!

Deskana added a comment. Via Conduit, Sep 24 2013, 5:08 AM

Given the noncritical nature of this extension (i.e. quality of life improvements to RC feeds), I think any kind of credible security concern, such as this one, should lead to the extension being temporarily removed until it's fixed.

csteipp added a comment. Via Conduit, Sep 24 2013, 3:42 PM

Created attachment 13359
Patch for Special:RecentChanges info leak

Here's a patch for the RecentChanges display. I'll start working on the watchlist also.

Niklas, can you review this patch and comment here if you think it looks appropriate to patch the cluster? If so, we'll patch the cluster, and then add this to gerrit when we do the next security release (scheduled for next week).

Attached: bug54294.patch

csteipp added a comment. Via Conduit, Sep 24 2013, 8:28 PM

Actually, that patch addresses the watchlist piece too, so this should be the full patch now. Niklas or Siebrand, could you verify that patch looks sane?

I'm also reviewing the extension as a whole, just to make sure we don't have any obvious, similar issues.

Deskana added a comment. Via Conduit, Sep 24 2013, 8:32 PM

We've temporarily disabled the extension on Meta pending the security review mentioned by Chris above. I made a post about it here: https://meta.wikimedia.org/w/index.php?title=Meta:Babel&diff=prev&oldid=5829114

Teles added a comment. Via Conduit, Sep 24 2013, 8:56 PM

Thanks.

Trijnstel added a comment. Via Conduit, Sep 24 2013, 8:57 PM

(In reply to comment #5)

The number of wikis using both CleanChanges and the long deprecated Oversight
extension is probably just one: meta.

Meta hasn't been using the oversight extension for years.

@Dan: thanks for disabling it.

csteipp added a comment. Via Conduit, Sep 27 2013, 12:29 AM

Niklas / Siebrand, can one of you review the attached patch to ensure that is a good way to address the issue? Now that we have the extension disabled on the cluster, feel free to drop this in gerrit as well, if that will make review easier.

Nikerabbit added a comment. Via Conduit, Sep 27 2013, 5:37 AM

I had planned to have a look at the patch on Wed or Thu, but I have been working on sprint tasks.

csteipp added a comment. Via Conduit, Oct 23 2013, 9:37 PM

Niklas, were you ever able to review the attachment here? I'd like to include this update in the next security release and re-enable this extension.

Nikerabbit added a comment. Via Conduit, Oct 24 2013, 11:45 AM

Patch tested to work and not produce warnings.

csteipp added a comment. Via Conduit, Oct 24 2013, 3:39 PM

Thanks Niklas!

Deskana added a comment. Via Conduit, Oct 28 2013, 4:37 PM

Thanks everyone. In light of the above, when can this be expected to be live on Meta-Wiki? It doesn't seem to be live as of now.

siebrand added a comment. Via Conduit, Oct 28 2013, 6:02 PM

(In reply to comment #20)

Thanks everyone. In light of the above, when can this be expected to be live
on Meta-Wiki? It doesn't seem to be live as of now.

Looks to me like the patch first has to land in master. Given that this is not installed on Wikimedia, I think we can take it out of "Security" already? Chris?

csteipp added a comment. Via Conduit, Oct 28 2013, 7:40 PM

Do we have any external users? If so, it would be best to give them some warning. If not, we can just push it into master, then deploy from git on the cluster.

siebrand added a comment. Via Conduit, Oct 28 2013, 8:07 PM

It's part of https://www.mediawiki.org/wiki/MLEB which has a monthly release that was today. Translatewiki.net uses it, which runs master of core and the extensions that it uses, usually updated daily or multiple times a day.

I'll leave the final decision on release procedure to you, but I think this is hanging around in Security for too long, especially since the extension is no longer deployed on Wikimedia wikis.

Deskana added a comment. Via Conduit, Oct 30 2013, 3:36 PM

Let's just get this merged in and deployed ASAP. This has been sitting around too long.

csteipp added a comment. Via Conduit, Nov 14 2013, 7:30 PM

This was assigned CVE-2013-4569.

bzimport added a comment. Via Conduit, Nov 15 2013, 2:23 AM

Thehelpfulonewiki wrote:

The content of attachment 13315 has been deleted by

Thehelpfulone <Thehelpfulonewiki@gmail.com>

who provided the following reason:

Contained private data (IP)

The token used to delete this attachment was generated at 2013-11-15 02:22:58 UTC.

Teles added a comment. Via Conduit, Nov 15 2013, 2:45 AM

tks, THO

csteipp added a project: Security. Via Web, Thu, Mar 26, 8:39 PM
