Last modified: 2012-12-19 07:43:47 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and, except for displaying bug reports and their history, links might be broken. See T44814, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 42814 - Abusefilter API does not check for abusefilter-view-private userright
Status: RESOLVED FIXED
Product: MediaWiki extensions
Classification: Unclassified
Component: AbuseFilter
Version: unspecified
Hardware/OS: All / All
Importance: Unprioritized major
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Keywords: easy
Depends on:
Blocks:

Reported: 2012-12-07 04:53 UTC by Kunal Mehta (Legoktm)
Modified: 2012-12-19 07:43 UTC
CC: 6 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description Kunal Mehta (Legoktm) 2012-12-07 04:53:29 UTC
506 is a hidden filter on enwiki, which means I (not a sysop or EFM) cannot see https://en.wikipedia.org/wiki/Special:AbuseFilter/506. However, I can still see https://en.wikipedia.org/w/api.php?action=query&list=abuselog&aflfilter=506, which is basically the same content.

I'm marking this as major since it's another data leak.
Comment 1 MZMcBride 2012-12-07 05:30:03 UTC
I believe this just needs an additional security check in extensions/AbuseFilter/api/ApiQueryAbuseLog.php. It looks like there are already some permissions checks in place, but none for the "filter" prop. I'm marking this bug with the "easy" keyword as I don't believe adding a check should be very difficult.

https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/extensions/AbuseFilter.git;a=blob;f=api/ApiQueryAbuseLog.php;h=543d55f7af0b0327f2348073d5b188653898887d;hb=d6444fae14963204962c9b7d6df36ce6eaa2bd0f
Comment 2 Kunal Mehta (Legoktm) 2012-12-07 07:38:00 UTC
I just filed a similar one at bug 42816, which deals with permissions of blocked users.
Comment 3 Chris Steipp 2012-12-11 01:02:37 UTC
As I accidentally posted on bug 42816...

I think the basis of the leak is that the special page only filters the result for a filter id if the user has the permission 'abusefilter-log-private' or 'abusefilter-view-private' (SpecialAbuseLog around line 225). The API doesn't seem to check for this. Should be easy to check for.

Additionally, the API always lists the filter_id that triggered the log entry, whereas the special page gives the generic "an abuse filter".

Gerrit change #37989
Comment 4 Marius Hoch 2012-12-18 21:40:35 UTC
Change tested and merged
Comment 5 Marius Hoch 2012-12-18 21:54:48 UTC
Reopened: I didn't notice that with aflprop=filter|action|details it's still possible to see information that is usually hidden.
Comment 6 Marius Hoch 2012-12-18 22:05:56 UTC
Fixed in https://gerrit.wikimedia.org/r/39317 (tested). Please review.
Comment 7 Marius Hoch 2012-12-19 07:43:47 UTC
Chris merged my patch... thanks :)
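The authorization rule described in comments 3 and 5, as an added standalone PHP illustration that is not the AbuseFilter extension's own code: the two user rights and the generic "an abuse filter" label come from this report, while the hidden-filter lookup, the function names and the sample log row are assumptions.

```php
<?php
// Added illustration (hypothetical standalone PHP, not the AbuseFilter
// extension's code) of the rule from comments 3 and 5: a hidden filter's id,
// and the log props derived from it, are only shown to users holding
// 'abusefilter-log-private' or 'abusefilter-view-private'.

const PRIVATE_RIGHTS = ['abusefilter-log-private', 'abusefilter-view-private'];
// Props that reveal which filter matched; these still leaked via aflprop (comment 5).
const FILTER_DEPENDENT_PROPS = ['filter', 'action', 'details'];

function canSeePrivateFilters(array $userRights): bool {
    return count(array_intersect(PRIVATE_RIGHTS, $userRights)) > 0;
}

// Mirrors the special page check from comment 3: the aflfilter parameter is
// only honoured for users with a private-view right.
function filterParamAllowed(?int $requestedFilter, array $userRights): bool {
    return $requestedFilter === null || canSeePrivateFilters($userRights);
}

// Builds one API result row. $hiddenFilters is an assumed lookup of hidden
// filter ids; the real extension reads that flag from its filter table.
function renderLogRow(array $row, array $props, array $hiddenFilters, array $userRights): array {
    $hidden = in_array($row['filter_id'], $hiddenFilters, true)
        && !canSeePrivateFilters($userRights);
    $out = ['id' => $row['id'], 'user' => $row['user'], 'title' => $row['title']];
    foreach ($props as $prop) {
        if ($hidden && in_array($prop, FILTER_DEPENDENT_PROPS, true)) {
            continue; // drop filter/action/details for a hidden filter
        }
        if ($prop === 'filter') {
            $out['filter_id'] = $row['filter_id'];
        } elseif (array_key_exists($prop, $row)) {
            $out[$prop] = $row[$prop];
        }
    }
    if ($hidden) {
        $out['filter'] = 'an abuse filter'; // generic label, as on the special page
    }
    return $out;
}

// Constructed sample: filter 506 is hidden; the caller holds only 'read'.
$row = ['id' => 1, 'user' => 'ExampleUser', 'title' => 'Sandbox', 'filter_id' => 506,
        'action' => 'disallow', 'details' => ['added_lines' => 'constructed']];
$public = renderLogRow($row, ['filter', 'action', 'details'], [506], ['read']);
assert(!isset($public['filter_id']) && !isset($public['action']) && !isset($public['details']));
assert(!filterParamAllowed(506, ['read']) && filterParamAllowed(506, ['abusefilter-view-private']));
$staff = renderLogRow($row, ['filter', 'action'], [506], ['abusefilter-log-private']);
assert($staff['filter_id'] === 506 && $staff['action'] === 'disallow');
```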


