Page MenuHomePhabricator
Create Task
Maniphest T45137

The API should not return the SHA1 for revisions with the DELETED_TEXT attribute
Closed, ResolvedPublic
Actions

Description

Querying the API with action=query&prop=revisions&rvprop=sha1 returns the SHA1 even for revisions whose content is hidden, for any user.

Example: http://fr.wikipedia.org/w/api.php?action=query&prop=revisions&revids=86537049&rvprop=content|sha1|comment

I think this should not be the case: a revision might be hidden because of a very short string (first name of the contributor, phone number...). In this case it is possible to recover the hidden content from the SHA1 and the text of the next revision.

Version: 1.21.x
Severity: normal

Details

Reference
bz43137

Related Objects

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL