SECURITY: Make sure provided filter id match provided history ID in history view

AbuseFilterViewEdit does privilege checks based on filter ID, and displays what is hidden under given history ID, but doesn't make sure those two IDs actually belong to one filter. That means user can easily change filter ID to a public filter and view old versions of nowadays private filters. Bug: T237887 Change-Id: Ic12790bd33982473f77551bde9599ed083a3e1f1
2024-11-23 21:53:35 +00:00 · 2019-11-10 23:11:34 +01:00 · 2019-11-10 23:11:34 +01:00 · 5fd861365f
parent af000125ac
commit 5fd861365f
1 changed files with 5 additions and 1 deletions
--- a/includes/Views/AbuseFilterViewEdit.php
+++ b/includes/Views/AbuseFilterViewEdit.php
@ -157,7 +157,11 @@ class AbuseFilterViewEdit extends AbuseFilterView {
 		// Load from request OR database.
 		list( $row, $actions ) = $this->loadRequest( $filter, $history_id );

-		if ( !$row ) {
+		if (
+			!$row ||
+			// @fixme Temporary stopgap for T237887
+			( $history_id && $row->af_id !== $filter )
+		) {
 			$out->addHTML(
 				Xml::tags(
 					'p',