Last modified: 2014-01-14 10:28:46 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T60699, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 58699 - RevDeled log entry information leaks
RevDeled log entry information leaks
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Page deletion (Other open bugs)
unspecified
All All
: Normal normal (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks: 59830
  Show dependency treegraph
 
Reported: 2013-12-19 18:12 UTC by Brad Jorsch
Modified: 2014-01-14 10:28 UTC (History)
7 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Patch to fix RevDel log handling (3.62 KB, patch)
2013-12-19 21:16 UTC, Brad Jorsch 		Details
Updated patch (4.10 KB, patch)
2013-12-19 21:32 UTC, Brad Jorsch 		Details
Updated patch (1.19 branch) (4.16 KB, patch)
2014-01-08 23:13 UTC, Markus Glaser 		Details
Updated patch (1.21 branch) (4.08 KB, patch)
2014-01-08 23:13 UTC, Markus Glaser 		Details
Updated patch (1.22 branch) (4.12 KB, patch)
2014-01-08 23:14 UTC, Markus Glaser 		Details
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)

Description Brad Jorsch 2013-12-19 18:12:23 UTC 
For some reason, RevDel DELETED_ACTION on log entries is supposed to also hide the target page of the log entry. However,

1. Deleted log entries still show up in Special:Log when searching by target.
2. The API's list=logevents still returns the pageid, despite not returning the title or namespace or returning the log entry at all when searching with a title.
3. If the target page is on your watchlist, the log entry will show up.
4. On the watchlist, the target's namespace and title are included in a CSS class.
5. On the enhanced recentchanges, the namespace and title may show up in a CSS class.

RevDel DELETED_USER is supposed to hide the performer of the action, be it a log entry or an edit. However,

6. Special:Log will still show it when searching by Performer.
Comment 1 Brad Jorsch 2013-12-19 20:52:13 UTC 
(In reply to comment #0)
> 1. Deleted log entries still show up in Special:Log when searching by target.

Actually, no they won't. I must have gotten confused with switching accounts back and forth on my test wiki.
Comment 2 Brad Jorsch 2013-12-19 20:54:09 UTC 
(In reply to comment #0)
> 6. Special:Log will still show it when searching by Performer.

Same, I must have been confused.
Comment 3 Brad Jorsch 2013-12-19 21:07:02 UTC 
(In reply to comment #0)
> 4. On the watchlist, the target's namespace and title are included in a CSS
> class.

Solving #3 solves this one too, because the target won't be on the watchlist anymore in the first place.
Comment 4 Brad Jorsch 2013-12-19 21:16:14 UTC 
Created attachment 14141 [details]
Patch to fix RevDel log handling
Comment 5 Brad Jorsch 2013-12-19 21:32:53 UTC 
Created attachment 14142 [details]
Updated patch
Comment 6 Chris Steipp 2013-12-23 23:59:52 UTC 
Thanks Brad, all of the pieces to the patch look good, and are correctly removing the leaked data in my dev environment.

Aaron, could you also make sure this looks ok?

We'll get it deployed Jan 2 most likely, and include it in the next security release.
Comment 7 Aaron Schulz 2014-01-06 23:56:56 UTC 
Seems reasonable.
Comment 8 Chris Steipp 2014-01-07 20:05:01 UTC 
19:52 logmsgbot: csteipp synchronized php-1.23wmf8/includes 'bug 58699'
19:46 logmsgbot: csteipp synchronized php-1.23wmf9/includes 'bug 58699'
Comment 9 Markus Glaser 2014-01-08 23:13:08 UTC 
Created attachment 14270 [details]
Updated patch (1.19 branch)
Comment 10 Markus Glaser 2014-01-08 23:13:44 UTC 
Created attachment 14271 [details]
Updated patch (1.21 branch)
Comment 11 Markus Glaser 2014-01-08 23:14:12 UTC 
Created attachment 14272 [details]
Updated patch (1.22 branch)
Comment 12 Chris Steipp 2014-01-13 20:45:55 UTC 
This was assigned CVE-2013-6472. Someone may want to split out the issues into separate CVE's: The page id in the log display, the title in the enhanced RC, and the page showing up on the user's watchlist. But they're all in core, all fix that we were showing information about deleted pages, and should all be patched at the same time. So I'm happy with keeping this as one issue for now.
Comment 13 Derk-Jan Hartman 2014-01-14 10:28:46 UTC 
FYI, those watch list classes were introduced in r50714 and r76342
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links