Page MenuHomePhabricator
Create Task
Maniphest T96079

Can view and hide log entry for suppress actions
Closed, DuplicatePublic
Actions

Description

As member of the sysop user group on dewiki I can visit Special:RevisionDelete, when setting the url parameter to a log id it is possible to see the log entry and also hide parts of it.

This is happen because there seems no check for $wgLogRestrictions when showing the log entry for a restricted log. The log entry itself is not marked as revision deleted and therefore it is shown.

Working example (for viewing):
https://de.wikipedia.org/w/index.php?title=Spezial:Versionsl%C3%B6schung&type=logging&ids=67810647
But I cannot visit https://de.wikipedia.org/wiki/Spezial:Logbuch/suppress where this should also be listed.

To get a log id of a suppressed log I have looked at the api (list=logevents) for a gap in the returned log_id and test it.

Event Timeline

Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy".Apr 14 2015, 8:43 PM
Maniphest changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 14 2015, 8:43 PM
Umherirrender created this task.Apr 14 2015, 8:43 PM
Umherirrender updated the task description. (Show Details)
Umherirrender added projects: MediaWiki-Revision-deletion, acl*security.
Umherirrender changed Security from None to Software security bug.
Umherirrender edited subscribers, added: Umherirrender; removed: Aklapper.
Jalexander subscribed.Apr 14 2015, 8:45 PM
csteipp added subscribers: aaron, csteipp.Apr 15 2015, 12:00 AM

Confirmed by @Jalexander.

@aaron, is there a reason $wgLogRestrictions shouldn't apply here? It looks like the check is missing from RevDelLogItem::canView() (seems like revdel should account for it at that layer), and from SpecialRevisionDelete when calculating $this->mIsAllowed or SpecialRevisionDelete should just check for this special case and error out if it happens.

csteipp triaged this task as High priority.Apr 15 2015, 12:02 AM
Umherirrender added a comment.May 14 2015, 7:16 PM

I would add a check to RevDelLogItem::canView function because that is already checked in Special:RevisionDelete

diff --git a/includes/revisiondelete/RevDelLogItem.php b/includes/revisiondelete/RevDelLogItem.php
index 49adf20..dbc6225 100644
--- a/includes/revisiondelete/RevDelLogItem.php
+++ b/includes/revisiondelete/RevDelLogItem.php
@@ -40,7 +40,10 @@
 	}
 
 	public function canView() {
-		return LogEventsList::userCan( $this->row, Revision::DELETED_RESTRICTED, $this->list->getUser() );
+		global $wgLogRestrictions;
+		return LogEventsList::userCan( $this->row, Revision::DELETED_RESTRICTED, $this->list->getUser() )
+			&& ( !isset( $wgLogRestrictions[$this->row->log_type] )
+				|| $this->list->getUser()->isAllowed( $wgLogRestrictions[$this->row->log_type] ) );
 	}
 
 	public function canViewContent() {
csteipp added a project: Vuln-Infoleak.Aug 20 2015, 9:55 PM
Krenair subscribed.Sep 15 2015, 10:24 PM

I don't think that's quite right - *no one* should be able to hide suppression log entries.

Bawolff subscribed.Apr 21 2016, 12:06 AM
In T96079#1643332, @Krenair wrote:

I don't think that's quite right - *no one* should be able to hide suppression log entries.

I don't see why suppressing suppression logs needs to be prevented. While it obviously doesn't make "sense" for someone to do such a thing, I don't see the harm, since anyone who can view the suppression log would be able to see the suppressed log entries anyways, and keeping MW's permission system general instead of special cased seems like a good thing.

Umherirrender added a comment.Nov 25 2017, 11:39 PM

It still works after 2,5 years to see suppress logs when using the log id. It is a small impact, because it already needs a sysop account, but it is not nice to filter suppress logs out of big list and than allow it on direct access.

Umherirrender added a comment.Apr 16 2019, 8:07 PM

Can we mark this public after 4 years to fix it with a patch on gerrit?

sbassett subscribed.Apr 16 2019, 8:19 PM

@Umherirrender - I'd say yes, especially given the nature of this issue. If nobody else objects, I can make this task public and you can push a patch up to gerrit.

Umherirrender added a comment.Jun 1 2019, 6:33 AM

public https://gerrit.wikimedia.org/r/#/c/mediawiki/core/+/507870/ links to restricted T222038, but the patch looks similar (a bit modern due to changes to LogFormatter over the time)

Umherirrender closed this task as a duplicate of T222038: Exposed suppressed log in RevisionDelete page.Jun 6 2019, 6:09 PM

Please change to public. Thanks

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 25 2019, 9:47 PM
chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:16 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL