
prop=revisions allows deleted text to be exposed through cache pollution
Closed, Resolved (Public)

Description

Patch that fixes the issue

If a privileged user diffs a hidden revision against another revision (hidden or not; or maybe even against emptiness), that diff may be cached in Squid if an &smaxage parameter is passed, and subsequently served to non-privileged users.

I've attached a patch that fixes this by never exposing hidden content (the rest of the module does this too). I'm filing this in BZ because I'm unsure whether this warrants a security release or a hidden deployment or whatever.


Version: unspecified
Severity: normal
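The cache-pollution path described in this report, as an added simulation that is not the attached patch or MediaWiki code: a shared cache keyed only by URL stores a diff response whenever smaxage is positive, so a response built for a privileged user is later served to anyone; the `expose_hidden_to_privileged` flag models the original behaviour (True) versus the fix of never emitting hidden text (False). Revision ids, text and the URL are constructed.

```python
# Constructed revision store: 101 is a revision whose text has been hidden.
REVISIONS = {
    100: {"text": "public text", "deleted": False},
    101: {"text": "SECRET removed text", "deleted": True},
}


def diff_revisions(rev_from, rev_to, user_can_see_deleted, expose_hidden_to_privileged):
    """Build one diff response. With expose_hidden_to_privileged=True the
    hidden text is emitted for a privileged requester (original behaviour);
    with False it is replaced by a 'texthidden' marker for everyone (the fix)."""
    out = {}
    for label, rid in (("from", rev_from), ("to", rev_to)):
        rev = REVISIONS[rid]
        if rev["deleted"] and not (user_can_see_deleted and expose_hidden_to_privileged):
            out[label] = {"texthidden": True}
        else:
            out[label] = {"text": rev["text"]}
    return out


class SharedCache:
    """Squid-style shared cache: keyed by URL only, no notion of the requester."""

    def __init__(self):
        self.store = {}

    def get(self, url, params, user_can_see_deleted, expose_hidden):
        if url in self.store:
            return self.store[url], True          # cache hit, whoever asks
        resp = diff_revisions(params["from"], params["to"],
                              user_can_see_deleted, expose_hidden)
        if params.get("smaxage", 0) > 0:           # s-maxage > 0: store and share
            self.store[url] = resp
        return resp, False


def leaks_hidden_text(expose_hidden):
    """Privileged user primes the cache; unprivileged user re-requests the same
    URL. Returns True if the second (cached) response carries the hidden text."""
    cache = SharedCache()
    url = "/api.php?action=query&prop=revisions&revids=100&rvdiffto=101&smaxage=3600"
    params = {"from": 100, "to": 101, "smaxage": 3600}
    cache.get(url, params, user_can_see_deleted=True, expose_hidden=expose_hidden)
    resp, hit = cache.get(url, params, user_can_see_deleted=False, expose_hidden=expose_hidden)
    return hit and "text" in resp["to"]
```

The same URL is a cache hit in both runs; only the fixed variant keeps the hidden text out of the shared copy.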

attachment proprevisionscachepollution.patch ignored as obsolete

Details

Reference
bz33117

Event Timeline

bzimport raised the priority of this task from to High.Nov 22 2014, 12:01 AM
bzimport set Reference to bz33117.
bzimport added a subscriber: Unknown Object (MLST).

Created attachment 9722
Slightly modified patch

Reproduced and tested. Maybe it would be better to deny access to deleted revisions, rather than allowing access to deleted revisions and denying everything else ;)

Attached:

Roan, please review my patch and then if it's OK, reassign the bug to Sam Reed for release with 1.18.1.

(In reply to comment #3)

Pinging Roan...

Whoops, I'm sorry. I should fix my BZ settings so I actually get bugmail for hidden bugs.

Patch is OK. Thanks for catching that embarrassing mistake :)

trunk in r108682
1.18wmf1 in r108683

REL1_17 in r108686
REL1_18 in r108687