Page MenuHomePhabricator

RevDeled log entry information leaks
Closed, ResolvedPublic

Description

For some reason, RevDel DELETED_ACTION on log entries is supposed to also hide the target page of the log entry. However,

  1. Deleted log entries still show up in Special:Log when searching by target.
  2. The API's list=logevents still returns the pageid, despite not returning the title or namespace or returning the log entry at all when searching with a title.
  3. If the target page is on your watchlist, the log entry will show up.
  4. On the watchlist, the target's namespace and title are included in a CSS class.
  5. On the enhanced recentchanges, the namespace and title may show up in a CSS class.

RevDel DELETED_USER is supposed to hide the performer of the action, be it a log entry or an edit. However,

  1. Special:Log will still show it when searching by Performer.

Version: unspecified
Severity: normal

Details

Reference
bz58699

Related Objects

StatusAssignedTask
ResolvedNone

Event Timeline

bzimport raised the priority of this task from to Normal.
bzimport set Reference to bz58699.
bzimport added a subscriber: Unknown Object (MLST).
Anomie created this task.Dec 19 2013, 6:12 PM

(In reply to comment #0)

  1. Deleted log entries still show up in Special:Log when searching by target.

Actually, no they won't. I must have gotten confused with switching accounts back and forth on my test wiki.

(In reply to comment #0)

  1. Special:Log will still show it when searching by Performer.

Same, I must have been confused.

(In reply to comment #0)

  1. On the watchlist, the target's namespace and title are included in a CSS class.

Solving #3 solves this one too, because the target won't be on the watchlist anymore in the first place.

Created attachment 14141
Patch to fix RevDel log handling

attachment diff ignored as obsolete

Created attachment 14142
Updated patch

Attached:

Thanks Brad, all of the pieces to the patch look good, and are correctly removing the leaked data in my dev environment.

Aaron, could you also make sure this looks ok?

We'll get it deployed Jan 2 most likely, and include it in the next security release.

aaron added a comment.Jan 6 2014, 11:56 PM

Seems reasonable.

19:52 logmsgbot: csteipp synchronized php-1.23wmf8/includes 'bug 58699'
19:46 logmsgbot: csteipp synchronized php-1.23wmf9/includes 'bug 58699'

Created attachment 14270
Updated patch (1.19 branch)

Attached:

Created attachment 14271
Updated patch (1.21 branch)

Attached:

Created attachment 14272
Updated patch (1.22 branch)

Attached:

This was assigned CVE-2013-6472. Someone may want to split out the issues into separate CVE's: The page id in the log display, the title in the enhanced RC, and the page showing up on the user's watchlist. But they're all in core, all fix that we were showing information about deleted pages, and should all be patched at the same time. So I'm happy with keeping this as one issue for now.

FYI, those watch list classes were introduced in r50714 and r76342