mediawiki-extensions-AbuseF.../includes/Api
Dreamy Jazz 233a4f1b31 SECURITY: abusefiltercheckmatch: Check if user can see log details
CVE-2024-PENDING

Why:
* The 'abusefiltercheckmatch' API allows callers to match
  arbitrary filter conditions against existing AbuseFilter logs
* The API does not check if the performer has the ability to
  see the log details for the given filter, so can allow a user
  to bypass hidden and protected visibility settings.

What:
* Call AbuseFilterPermissionManager::canSeeLogDetailsForFilter
  before attempting to match a filter against a given AbuseFilter
  log.
* Add a test to verify that this security fix works.

Bug: T372998
Change-Id: I4a2467dc4e0d1f8401d5428a89c7f6d6ebcdfa70
2024-10-01 00:18:18 +01:00
..
AbuseLogPrivateDetails.php Fix usage of ApiBase::PARAM_* deprecated constants 2022-04-04 00:49:37 +00:00
CheckMatch.php SECURITY: abusefiltercheckmatch: Check if user can see log details 2024-10-01 00:18:18 +01:00
CheckSyntax.php Call IContextSource::getAuthority instead of IContextSource::getUser 2022-07-03 16:37:18 +02:00
EvalExpression.php Use namespaced classes 2023-12-10 23:03:12 +01:00
QueryAbuseFilters.php Use namespaced classes 2023-12-10 23:03:12 +01:00
QueryAbuseLog.php Use namespaced classes 2023-12-10 23:03:12 +01:00
UnblockAutopromote.php Avoid TestUser in non-database tests 2023-08-06 22:18:49 +00:00