Go to file
Dreamy Jazz 48b26792a9 SECURITY: abusefiltercheckmatch: Check if user can see log details
CVE-2024-PENDING

Why:
* The 'abusefiltercheckmatch' API allows callers to match
  arbitary filter conditions against existing AbuseFilter logs
* The API does not check if the performer has the ability to
  see the log details for the given filter, so can allow a user
  to bypass hidden and protected visibility settings.

What:
* Call AbuseFilterPermissionManager::canSeeLogDetailsForFilter
  before attempting to match a filter against a given AbuseFilter
  log.
* Add a test to verify that this security fix works.

Bug: T372998
Change-Id: I4a2467dc4e0d1f8401d5428a89c7f6d6ebcdfa70
2024-10-01 00:18:55 +01:00
.phan phan: Update config to load ConfirmEdit 2024-05-05 11:02:07 +03:00
db_patches Drop af_user(_text) and afh_user(_text) fields 2024-06-10 18:48:21 +02:00
i18n Localisation updates from https://translatewiki.net. 2024-09-30 09:20:19 +02:00
includes SECURITY: abusefiltercheckmatch: Check if user can see log details 2024-10-01 00:18:55 +01:00
maintenance Specify caller in DB queries 2024-09-11 15:20:11 +02:00
modules More effective use of LESS 2024-08-07 09:26:42 +03:30
tests SECURITY: abusefiltercheckmatch: Check if user can see log details 2024-10-01 00:18:55 +01:00
.eslintignore build: Update linters 2023-11-08 14:05:03 +00:00
.eslintrc.json
.gitignore
.gitreview
.phpcs.xml build: Updating mediawiki/mediawiki-codesniffer to 43.0.0 2024-03-16 18:53:05 +00:00
.stylelintrc.json build: Update linters 2023-11-08 14:05:03 +00:00
AbuseFilter.alias.php Add new special page aliases for Chinese variants 2024-06-30 15:55:02 +08:00
CODE_OF_CONDUCT.md
composer.json build: Updating mediawiki/mediawiki-codesniffer to 44.0.0 2024-08-10 15:45:06 +00:00
COPYING
extension.json Bugfix: Fix minor issues with protected vars logging 2024-09-23 03:42:41 -07:00
Gruntfile.js build: Run stylelint for less file 2023-11-28 20:06:41 +01:00
package-lock.json build: Updating micromatch to 4.0.8 2024-08-24 14:37:14 +00:00
package.json build: Updating npm dependencies 2024-06-16 16:32:36 +00:00
quibble.yaml build: Add quibble.yaml and enable early warning bot feedback 2024-05-10 14:25:14 +02:00