Last modified: 2012-12-19 07:43:47 UTC
506 is a hidden filter on enwiki, which means I (not a sysop or EFM) cannot see https://en.wikipedia.org/wiki/Special:AbuseFilter/506. However, I can still see https://en.wikipedia.org/w/api.php?action=query&list=abuselog&aflfilter=506, which is basically the same content. I'm marking this as major since it's another data leak.
I believe this just needs an additional security check in extensions/AbuseFilter/api/ApiQueryAbuseLog.php. It looks like there are already some permissions checks in place, but none for the "filter" prop. I'm marking this bug with the "easy" keyword as I don't believe adding a check should be very difficult. https://gerrit.wikimedia.org/r/gitweb?p=mediawiki/extensions/AbuseFilter.git;a=blob;f=api/ApiQueryAbuseLog.php;h=543d55f7af0b0327f2348073d5b188653898887d;hb=d6444fae14963204962c9b7d6df36ce6eaa2bd0f
I just filed a similar one at bug 42816, which deals which permissions of blocked users.
As I accidentally posted on bug 42816... I think the basis of the leak is that the special page only filters the result for a filter id if the user has the permission 'abusefilter-log-private' or 'abusefilter-view-private' (SpecialAbuseLog around line 225). The api doesn't seem to check for this. Should be easy to check for. Additionally, the api always lists the filter_id that triggered the log entry, whereas the special page gives the generic "an abuse filter". Gerrit change #37989
Change tested and merged
Reopened: I didn't notice that with aflprop=filter|action|details it's still possible to see information usually being hidden.
Fixed in https://gerrit.wikimedia.org/r/39317 (tested). Please review
Chris merged my patch... thanks :)