Last modified: 2012-01-11 22:00:12 UTC
Created attachment 9695: Patch that fixes the issue

If a privileged user diffs a hidden revision against another revision (hidden or not; or maybe even against emptiness), that diff may be cached in Squid if an &smaxage parameter is passed, and subsequently served to non-privileged users. I've attached a patch that fixes this by never exposing hidden content (the rest of the module does this too). I'm filing this in BZ because I'm unsure whether this warrants a security release or a hidden deployment or whatever.
Created attachment 9722: Slightly modified patch

Reproduced and tested. Maybe it would be better to deny access to deleted revisions, rather than allowing access to deleted revisions and denying everything else ;)
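The leak described in comment 1 and the "deny hidden revisions outright" approach from comment 2, modelled as an added example. This is constructed illustration code, not MediaWiki's diff module or the attached patch; the `Revision`, `Response`, `SharedCache` classes, the `/diff?...` URL shape and the sample revision texts are all assumptions made for the example. It shows why a client-supplied `smaxage` on a response whose body depends on the caller's rights lets a shared cache replay privileged content to anyone, and why refusing hidden revisions for every caller removes the problem.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Revision:
    rev_id: int
    text: str
    hidden: bool = False  # suppressed revision: only privileged users may view it


# Constructed sample data for the example; not real wiki content.
REVISIONS: Dict[int, Revision] = {
    10: Revision(10, "public text"),
    11: Revision(11, "suppressed text", hidden=True),
}


@dataclass
class Response:
    body: str
    status: int = 200
    cache_control: str = "private"  # default: a shared cache must not store it


def can_view_hidden(user: dict) -> bool:
    return bool(user.get("privileged"))


def _render_diff(old: Revision, new: Revision, smaxage: Optional[int]) -> Response:
    body = f"--- {old.text}\n+++ {new.text}"
    # The caller's smaxage is turned into an s-maxage directive for Squid.
    cc = f"s-maxage={int(smaxage)}" if smaxage else "private"
    return Response(body, cache_control=cc)


def diff_vulnerable(user: dict, old_id: int, new_id: int,
                    smaxage: Optional[int] = None) -> Response:
    """Pre-patch pattern: a privileged caller gets the hidden text, and the
    response still carries s-maxage, so its body depends on who asked."""
    old, new = REVISIONS[old_id], REVISIONS[new_id]
    if (old.hidden or new.hidden) and not can_view_hidden(user):
        return Response("permission denied", status=403)
    return _render_diff(old, new, smaxage)


def diff_fixed(user: dict, old_id: int, new_id: int,
               smaxage: Optional[int] = None) -> Response:
    """Patched pattern (comment 2's suggestion): hidden revisions are refused
    for everyone, so every 200 response is identical for all callers and
    honouring smaxage on it cannot leak anything."""
    old, new = REVISIONS[old_id], REVISIONS[new_id]
    if old.hidden or new.hidden:
        return Response("permission denied", status=403)
    return _render_diff(old, new, smaxage)


class SharedCache:
    """Minimal Squid-like shared cache: stores 200 responses that carry an
    s-maxage directive and replays them to any later client with the same URL."""

    def __init__(self) -> None:
        self.store: Dict[str, Response] = {}

    def fetch(self, url: str, user: dict,
              handler: Callable[[dict], Response]) -> Response:
        if url in self.store:
            return self.store[url]
        resp = handler(user)
        if resp.status == 200 and resp.cache_control.startswith("s-maxage="):
            self.store[url] = resp
        return resp


def simulate(diff_fn) -> Response:
    """A privileged user fetches the diff with smaxage, then an anonymous user
    requests the same URL through the same cache; returns the anonymous result."""
    cache = SharedCache()
    url = "/diff?old=10&new=11&smaxage=3600"  # constructed URL shape
    admin, anon = {"privileged": True}, {}
    cache.fetch(url, admin, lambda u: diff_fn(u, 10, 11, smaxage=3600))
    return cache.fetch(url, anon, lambda u: diff_fn(u, 10, 11, smaxage=3600))


def leaks_hidden_content(diff_fn) -> bool:
    """True if the anonymous user ends up seeing the suppressed revision text."""
    return "suppressed text" in simulate(diff_fn).body


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaks_hidden_content(diff_vulnerable))
    print("fixed handler leaks:", leaks_hidden_content(diff_fixed))
```

The general rule the fix relies on: a shared cache may only store a response whose body is the same for every caller who could request that URL. Either strip privilege-dependent content before it can be rendered (what the patch does) or refuse to emit s-maxage whenever a permission check influenced the body.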
Roan, please review my patch and then if it's OK, reassign the bug to Sam Reed for release with 1.18.1.
Pinging Roan...
(In reply to comment #3)
> Pinging Roan...

Whoops, I'm sorry. I should fix my BZ settings so I actually get bugmail for hidden bugs.
Patch is OK. Thanks for catching that embarrassing mistake :)
trunk in r108682
1.18wmf1 in r108683
REL1_17 in r108686
REL1_18 in r108687