Page MenuHomePhabricator

Very easy to spoof revert notification
Closed, DuplicatePublic

Description

Open a page's edit window
Add a input value of 'wpUndidRevision' with some valid revid. Save.
Whoever made that edit will receive an extremely confusing Echo notification.

This can easily be exploited by adding the same parameter to an edit made via the API. A warning will be displayed, but the notification is still sent.

Ideas on how to fix:

Temporary: Check that $rev->getTitle() == $article->getTitle()

Maybe also look into using sha1's to only show reverts for exact reverts.

Long term: Find some other way than using a request value like wpUndidRevision to trigger a notification.


Version: unspecified
Severity: major

Details

Reference
bz57474

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 2:39 AM
bzimport added a project: Notifications.
bzimport set Reference to bz57474.
bzimport added a subscriber: Unknown Object (MLST).
Legoktm created this task.Nov 23 2013, 6:18 AM

Change 97191 had a related patch set uploaded by Legoktm:
Check supposed revision being reverted is on the same page

https://gerrit.wikimedia.org/r/97191

(In reply to comment #0)

Temporary: Check that $rev->getTitle() == $article->getTitle()

Patch only addresses this for now.

Change 97191 merged by jenkins-bot:
Check supposed revision being reverted is on the same page

https://gerrit.wikimedia.org/r/97191

EBernhardson triaged this task as Normal priority.Feb 27 2015, 6:52 PM
EBernhardson added a subscriber: EBernhardson.

Annoying, but probably not a show stopper.