Page MenuHomePhabricator
Create Task
Maniphest T71617

AbuseFilter logs suppression deletions (CVE-2021-31546)
Closed, ResolvedPublic
Actions

Description

Steinsplitter reported to me on IRC that they suppressed a page on beta labs and the AbuseFilter logged it like a normal deletion (visible to me, a non OS at the time).

http://commons.wikimedia.beta.wmflabs.org/wiki/Special:AbuseLog/25130 is the AF entry, the log action is: 17:26, 15 August 2014 Steinsplitter (talk | contribs | block) suppressed page GWToolset:BLAHAHA (testing abf) (view/restore)

Details

Reference
bz69617
SubjectRepoBranchLines +/-
SECURITY: Don't filter suppressionsmediawiki/extensions/AbuseFilterREL1_31+7 -1
SECURITY: Don't filter suppressionsmediawiki/extensions/AbuseFilterREL1_35+7 -1
SECURITY: Don't filter suppressionsmediawiki/extensions/AbuseFiltermaster+6 -1
Customize query in gerrit

Related Objects

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 3:34 AM
bzimport added a project: Security-Extensions.
bzimport set Reference to bz69617.
bzimport changed Security from none to Software security bug.
Restricted Application changed the visibility from "Public (No Login Required)" to "acl*security (Project)". · View Herald TranscriptNov 22 2014, 3:34 AM
Restricted Application changed the edit policy from "All Users" to "acl*security (Project)". · View Herald Transcript
Legoktm created this task.Aug 15 2014, 5:41 PM
Legoktm added a comment.Aug 15 2014, 5:45 PM

My simple-ish idea of how to fix this is pass $suppress to the ArticleDelete hook, and in AF just don't try to filter it if $suppress === true.

Legoktm added a comment.Aug 15 2014, 6:20 PM

https://en.wikipedia.org/wiki/Special:AbuseFilter/626 and https://commons.wikimedia.org/wiki/Special:AbuseFilter/134 are very likely to trigger this bug, but have been temporarily disabled until this can be fixed.

csteipp added a comment.Aug 29 2014, 9:18 PM

(In reply to Kunal Mehta (Legoktm) from comment #1)

My simple-ish idea of how to fix this is pass $suppress to the ArticleDelete
hook, and in AF just don't try to filter it if $suppress === true.

That seems reasonable. I'm surprised we don't already pass it.

csteipp added a comment.Aug 29 2014, 9:22 PM

(In reply to Chris Steipp from comment #3)

(In reply to Kunal Mehta (Legoktm) from comment #1)

My simple-ish idea of how to fix this is pass $suppress to the ArticleDelete
hook, and in AF just don't try to filter it if $suppress === true.

That seems reasonable. I'm surprised we don't already pass it.

Except we probably do want to still filter it, just additionally suppress any logs.

We could also hook ArticleDeleteComplete and do the suppression of the log from there.

csteipp added a project: acl*security.Nov 24 2014, 9:27 PM
Restricted Application changed the visibility from "acl*security (Project)" to "Custom Policy". · View Herald TranscriptNov 24 2014, 9:27 PM
Restricted Application changed the edit policy from "acl*security (Project)" to "Custom Policy". · View Herald Transcript
dpatrick triaged this task as Medium priority.Aug 14 2015, 8:52 PM
dpatrick added a project: Vuln-Infoleak.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 14 2015, 8:52 PM
dpatrick raised the priority of this task from Medium to High.Aug 14 2015, 8:52 PM
dpatrick lowered the priority of this task from High to Medium.
Krenair added a project: AbuseFilter.Sep 13 2015, 5:06 PM
Krenair subscribed.
Krenair added a comment.EditedSep 14 2015, 5:23 AM

For some reason I was looking at the ArticleDelete hook recently and wondered why there was no $suppress parameter provided (ugh, now I'm wondering why it was because it'd probably be useful to link here). Shall we just upload a patch to Gerrit to do that?

csteipp added a comment.Sep 14 2015, 12:33 PM
In T71617#1636201, @Krenair wrote:

For some reason I was looking at the ArticleDelete hook recently and wondered why there was no $suppress parameter provided (ugh, now I'm wondering why it was because it'd probably be useful to link here). Shall we just upload a patch to Gerrit to do that?

I think that's fine.

hoo subscribed.Sep 15 2015, 8:23 AM
Krenair added a comment.Sep 20 2015, 9:54 PM

https://gerrit.wikimedia.org/r/239758

Krenair added a comment.Sep 20 2015, 10:06 PM

Should probably check the other extensions using this hook to ensure nothing is being left exposed in suppression deletions

Aklapper removed projects: AbuseFilter, Vuln-Infoleak, acl*security.Nov 27 2019, 1:30 PM
Restricted Application added a project: acl*security. · View Herald TranscriptNov 27 2019, 1:30 PM
Aklapper edited projects, added AbuseFilter, Vuln-Infoleak; removed Security-Extensions.Dec 2 2019, 1:02 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:08 PM
Daimona added a project: User-Daimona.Aug 28 2020, 10:16 PM
Daimona moved this task from Backlog to Ideas for overhaul on the User-Daimona board.
Daimona changed the visibility from "Custom Policy" to "Custom Policy".Sep 16 2020, 3:32 PM
Daimona added a subscriber: matej_suchanek.
Daimona edited projects, added AbuseFilter (Overhaul-2020); removed User-Daimona, AbuseFilter.Sep 16 2020, 3:37 PM
DannyS712 subscribed.Nov 14 2020, 9:03 PM
Daimona claimed this task.Jan 5 2021, 2:08 PM
Daimona added a project: Patch-For-Review.
Daimona subscribed.

T71617.patch1 KBDownload

Daimona updated the task description. (Show Details)Jan 5 2021, 2:08 PM
matej_suchanek added a comment.Jan 8 2021, 10:29 AM

+1

Daimona added subscribers: sbassett, Urbanecm, Reedy.Feb 5 2021, 1:08 PM

@sbassett @Reedy @Urbanecm Anybody who would be willing to take a final look at T71617#6722431 and sec-deploy it? Thanks!

Urbanecm added a comment.Feb 5 2021, 1:25 PM
In T71617#6806423, @Daimona wrote:

@sbassett @Reedy @Urbanecm Anybody who would be willing to take a final look at T71617#6722431 and sec-deploy it? Thanks!

+2, patch approved. I'll ping Daimona on Monday so we can deploy&test the patch together.

sbassett added a project: Security-Team.Feb 5 2021, 4:02 PM

+2, patch approved. I'll ping Daimona on Monday so we can deploy&test the patch together.

Thanks - if you need any help, let me know.

Also - there's a handful of these kinds of lingering sec patches, unfortunately. These are the other ones for AF of which I am aware:

  1. T214067#5027051
  2. T152394#5535402
  3. T223654#6717718
  4. T272244#6753978
sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.Feb 5 2021, 4:02 PM
Urbanecm added a project: User-Urbanecm.Feb 6 2021, 3:26 PM
Urbanecm moved this task from Backlog to To deploy on the User-Urbanecm board.Feb 6 2021, 4:46 PM
Urbanecm moved this task from Security Patch To Deploy to Incoming on the Security-Team board.Feb 8 2021, 11:32 AM

Deployed:

12:25 <Urbanecm> !log Deploy security patch for T71617
12:25 <+stashbot> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log

@sbassett Moving to Incoming. Could you please do the final honors (backport mainly), please?

I'll do my best to look at the other waiting patches.

sbassett moved this task from Incoming to In Progress on the Security-Team board.Feb 8 2021, 4:04 PM
sbassett mentioned this in T270466: Write and send supplementary release announcement for extensions and skins with security patches (1.31.13/1.35.2).Feb 8 2021, 10:19 PM
In T71617#6810461, @Urbanecm wrote:

Deployed:

Thanks.

@sbassett Moving to Incoming. Could you please do the final honors (backport mainly), please?

I'm tracking this on the supplemental patch for now: T270466. I'll try to get to the backports (at least for master) and CVE this week.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Mar 9 2021, 9:38 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
gerritbot added a comment.Mar 9 2021, 9:39 PM

Change 670302 had a related patch set uploaded (by SBassett; owner: Daimona Eaytoy):
[mediawiki/extensions/AbuseFilter@master] SECURITY: Don't filter suppressions

https://gerrit.wikimedia.org/r/670302

RhinosF1 subscribed.Mar 9 2021, 9:42 PM
sbassett lowered the priority of this task from Medium to Low.Mar 9 2021, 9:47 PM
gerritbot added a comment.Mar 9 2021, 10:41 PM

Change 670302 merged by jenkins-bot:
[mediawiki/extensions/AbuseFilter@master] SECURITY: Don't filter suppressions

https://gerrit.wikimedia.org/r/670302

ReleaseTaggerBot added a project: MW-1.36-notes (1.36.0-wmf.35; 2021-03-16).Mar 9 2021, 11:00 PM
gerritbot added a comment.Apr 13 2021, 12:37 AM

Change 678659 had a related patch set uploaded (by Reedy; author: Daimona Eaytoy):

[mediawiki/extensions/AbuseFilter@REL1_35] SECURITY: Don't filter suppressions

https://gerrit.wikimedia.org/r/678659

gerritbot added a comment.Apr 13 2021, 12:40 AM

Change 678660 had a related patch set uploaded (by Reedy; author: Daimona Eaytoy):

[mediawiki/extensions/AbuseFilter@REL1_31] SECURITY: Don't filter suppressions

https://gerrit.wikimedia.org/r/678660

Reedy closed this task as Resolved.Apr 13 2021, 12:47 AM
gerritbot added a comment.Apr 13 2021, 12:51 AM

Change 678660 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@REL1_31] SECURITY: Don't filter suppressions

https://gerrit.wikimedia.org/r/678660

gerritbot added a comment.Apr 13 2021, 12:53 AM

Change 678659 merged by jenkins-bot:

[mediawiki/extensions/AbuseFilter@REL1_35] SECURITY: Don't filter suppressions

https://gerrit.wikimedia.org/r/678659

sbassett renamed this task from AbuseFilter logs suppression deletions to AbuseFilter logs suppression deletions (CVE-2021-31546).Apr 23 2021, 6:48 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits