Last modified: 2012-01-11 22:00:12 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T35117, the corresponding Phabricator task for complete and up-to-date bug report information.

Bug 33117 - prop=revisions allows deleted text to be exposed through cache pollution


Summary:	prop=revisions allows deleted text to be exposed through cache pollution

Status:	RESOLVED FIXED

Product:	MediaWiki
Classification:	Unclassified
Component:	API (Other open bugs)
Version:	unspecified
Hardware:	All All

Importance:	High normal (vote)
Target Milestone:	---
Assigned To:	Nobody - You can work on this!

URL:
Whiteboard:
Keywords:	platformeng

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2011-12-14 16:38 UTC by Roan Kattouw
Modified:	2012-01-11 22:00 UTC (History)
CC List:	6 users (show)

See Also:
Web browser:	---
Mobile Platform:	---
Assignee Huggle Beta Tester:	---

Attachments
Patch that fixes the issue (597 bytes, patch) 2011-12-14 16:38 UTC, Roan Kattouw	Details
Slightly modified patch (596 bytes, patch) 2011-12-16 04:21 UTC, Tim Starling	Details
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Description Roan Kattouw 2011-12-14 16:38:33 UTC

Created attachment 9695 [details]
Patch that fixes the issue

If a privileged user diffs a hidden revision against another revision (hidden or not; or maybe even against emptiness), that diff maybe cached in Squid if an &smaxage parameter is passed, and subsequently served to non-privileged users.

I've attached a patch that fixes this by never exposing hidden content (the rest of the module does this too). I'm filing this in BZ because I'm unsure whether this warrants a security release or a hidden deployment or whatever.

Comment 1 Tim Starling 2011-12-16 04:21:21 UTC

Created attachment 9722 [details]
Slightly modified patch

Reproduced and tested. Maybe it would be better to deny access to deleted revisions, rather than allowing access to deleted revisions and denying everything else ;)

Comment 2 Tim Starling 2011-12-16 04:54:48 UTC

Roan, please review my patch and then if it's OK, reassign the bug to Sam Reed for release with 1.18.1.

Comment 3 Rob Lanphier 2012-01-03 22:09:55 UTC

Pinging Roan...

Comment 4 Roan Kattouw 2012-01-04 13:40:20 UTC

(In reply to comment #3)
> Pinging Roan...

Whoops, I'm sorry. I should fix my BZ settings so I actually get bugmail for hidden bugs.

Comment 5 Roan Kattouw 2012-01-04 13:41:01 UTC

Patch is OK. Thanks for catching that embarrassing mistake :)

Comment 6 Sam Reed (reedy) 2012-01-11 21:58:07 UTC

trunk in r108682
1.18wmf1 in r108683

Comment 7 Sam Reed (reedy) 2012-01-11 22:00:12 UTC

REL1_17 in r108686
REL1_18 in r108687

Wikimedia Bugzilla is closed!

Search

Personal tools

Navigation

Links