wikimedia/mediawiki-extensions-AbuseFilter
1
0
Fork 0
mirror of https://gerrit.wikimedia.org/r/mediawiki/extensions/AbuseFilter.git synced 2024-11-15 02:03:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Avoid deleted usernames leak in page_recent_contributors

Browse source 
Bug: T71367
Change-Id: I8d5ed9ca84282ee50832035af86123633fc88293
This commit is contained in:
Daimona Eaytoy 2021-03-09 15:53:36 -06:00 committed by sbassett
parent 5c355d3acb
commit f25c96f472
1 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
includes/Variables/LazyVariableComputer.php
View file

@ -262,6 +262,7 @@ class LazyVariableComputer {
case 'load-first-author':
$revision = $this->revisionLookup->getFirstRevision( $parameters['title'] );
if ( $revision ) {
// TODO T233241
$user = $revision->getUser();
$result = $user === null ? '' : $user->getName();
} else {
@ -409,7 +410,12 @@ class LazyVariableComputer {
$revAuthors = $dbr->selectFieldValues(
$revQuery['tables'],
$revQuery['fields']['rev_user_text'],
[ 'rev_page' => $title->getArticleID() ],
[
'rev_page' => $title->getArticleID(),
// TODO Should deleted names be counted in the 10 authors? If yes, this check should
// be moved inside the foreach
'rev_deleted' => 0
],
$fname,
// Some pages have < 10 authors but many revisions (e.g. bot pages)
[ 'ORDER BY' => 'rev_timestamp DESC, rev_id DESC',