
Some old private wiki accounts included in centralauth.localuser table
Closed, Resolved; Public

Description

I was doing more SUL audit stuff, and discovered that some private wikis are in centralauth's localuser table.

mysql:sul@dbstore1002 [centralauth]> select count(*) from localuser where lu_wiki="internalwiki";
+----------+
| count(*) |
+----------+
|        3 |
+----------+
1 row in set (0.00 sec)

Additionally 1 from comcomwiki, 1 from officewiki, and 1 from otrs_wikiwiki.

There are also some 40 accounts from foundationwiki, but that's not a private wiki (foundationwiki is also in the localnames table).

I think this is left over from some point in 2008 when those wikis were SUL linked? All the timestamps are from March 13, 2008.

Filing this as a security bug since this information is also replicated to Labs, and is leaking a (very small) subset of those wikis' user tables. This will also cause issues if any of those users are globally renamed.

My proposed solution is to just delete those rows.


Version: unspecified
Severity: normal

Details

Reference
bz67548


Event Timeline

bzimport raised the priority of this task from to Needs Triage. Nov 22 2014, 3:36 AM
bzimport set Reference to bz67548.
Legoktm created this task. Jul 5 2014, 3:09 AM

I think we can delete them.
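
The audit and cleanup discussed in this task, generalized from the single-wiki count to all four private wikis named in the description. This is an added example, not a query from the task or from the CentralAuth code base; the columns lu_name and lu_attached_timestamp are assumed names that do not appear on this page.

```sql
-- Added example. Table (localuser), column (lu_wiki) and wiki names come from
-- the task description; lu_name and lu_attached_timestamp are assumptions.

-- 1. Audit: rows per private wiki, with the attach-time range, so the result
--    can be compared with the counts and the 2008 date given in the description.
SELECT lu_wiki,
       COUNT(*)                   AS leaked_rows,
       MIN(lu_attached_timestamp) AS first_attached,
       MAX(lu_attached_timestamp) AS last_attached
FROM localuser
WHERE lu_wiki IN ('internalwiki', 'comcomwiki', 'officewiki', 'otrs_wikiwiki')
GROUP BY lu_wiki;

-- 2. List the affected account names for the record before removing anything.
SELECT lu_wiki, lu_name, lu_attached_timestamp
FROM localuser
WHERE lu_wiki IN ('internalwiki', 'comcomwiki', 'officewiki', 'otrs_wikiwiki')
ORDER BY lu_wiki, lu_name;

-- 3. Cleanup inside a transaction. foundationwiki is deliberately not in the
--    list, since the description says it is not a private wiki.
START TRANSACTION;

DELETE FROM localuser
WHERE lu_wiki IN ('internalwiki', 'comcomwiki', 'officewiki', 'otrs_wikiwiki');

-- Number of rows the DELETE removed; compare with the total from step 1.
-- If it differs, issue ROLLBACK instead of COMMIT.
SELECT ROW_COUNT() AS deleted_rows;

-- No private-wiki rows should remain visible inside the transaction.
SELECT COUNT(*) AS remaining_rows
FROM localuser
WHERE lu_wiki IN ('internalwiki', 'comcomwiki', 'officewiki', 'otrs_wikiwiki');

COMMIT;
```

Rerunning step 1 against the Labs replica afterwards confirms that the deletion has propagated there as well.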