mediawiki-extensions-AbuseF.../includes
Dreamy Jazz 48b26792a9 SECURITY: abusefiltercheckmatch: Check if user can see log details
CVE-2024-PENDING

Why:
* The 'abusefiltercheckmatch' API allows callers to match
  arbitrary filter conditions against existing AbuseFilter logs
* The API does not check if the performer has the ability to
  see the log details for the given filter, so can allow a user
  to bypass hidden and protected visibility settings.

What:
* Call AbuseFilterPermissionManager::canSeeLogDetailsForFilter
  before attempting to match a filter against a given AbuseFilter
  log.
* Add a test to verify that this security fix works.

Bug: T372998
Change-Id: I4a2467dc4e0d1f8401d5428a89c7f6d6ebcdfa70
2024-10-01 00:18:55 +01:00
Api SECURITY: abusefiltercheckmatch: Check if user can see log details 2024-10-01 00:18:55 +01:00
ChangeTags Support more log actions in testing interface 2024-06-19 17:35:43 +02:00
Consequences Fix broken PHPDoc comment 2024-08-11 17:23:37 +02:00
EditBox Use namespaced classes 2024-06-12 20:01:35 +02:00
Filter Miscellaneous minor fixes 2024-07-03 02:31:38 +02:00
Hooks Make PreferencesHandler implement the hook interface 2024-09-13 18:45:30 +02:00
LogFormatter Use namespaced classes 2024-06-12 20:01:35 +02:00
Pager Miscellaneous minor fixes 2024-07-03 02:31:38 +02:00
Parser Support named capturing groups in get_matches() 2024-09-07 11:25:48 +00:00
Special Bugfix: Fix minor issues with protected vars logging 2024-09-23 03:42:41 -07:00
VariableGenerator Support more log actions in testing interface 2024-06-19 17:35:43 +02:00
Variables Replace gettype() with get_debug_type() in exception messages etc. 2024-08-12 23:05:16 +02:00
View Add preference for viewing protected variables in AbuseFilter 2024-09-12 07:59:24 -07:00
Watcher Migrate to IDatabase::newUpdateQueryBuilder 2024-04-15 23:07:44 +02:00
AbuseFilter.php
AbuseFilterChangesList.php Use namespaced classes 2024-06-12 20:01:35 +02:00
AbuseFilterPermissionManager.php Add preference for viewing protected variables in AbuseFilter 2024-09-12 07:59:24 -07:00
AbuseFilterPreAuthenticationProvider.php Skip auth checks when autocreate is allowed by provider 2024-09-05 11:17:16 -07:00
AbuseFilterServices.php Remove AbuseFilterActorMigration 2024-06-15 09:42:27 +02:00
AbuseLogger.php Remove modification of wgCheckUserLogAdditionalRights 2024-06-27 16:43:25 +00:00
AbuseLoggerFactory.php Log changes to protected variables access 2024-09-13 01:39:09 -07:00
ActionSpecifier.php
BlockAutopromoteStore.php Use namespaced classes 2023-12-10 23:03:12 +01:00
BlockedDomainFilter.php Add missing typehints 2024-09-23 14:25:50 +01:00
BlockedDomainStorage.php Add missing typehints 2024-09-23 14:25:50 +01:00
CentralDBManager.php
CentralDBNotAvailableException.php
EchoNotifier.php
EditRevUpdater.php Migrate to IDatabase::newUpdateQueryBuilder 2024-04-15 23:07:44 +02:00
EditStashCache.php Add new variable for last edit time 2024-04-10 23:12:45 +00:00
EmergencyCache.php
FilterCompare.php Convert af_hidden into a bitmask 2024-05-28 00:59:08 -07:00
FilterImporter.php Use namespaced classes 2024-06-12 20:01:35 +02:00
FilterLookup.php Allow variables to be restricted by user right 2024-06-04 06:54:53 -07:00
FilterProfiler.php build: Updating mediawiki/mediawiki-codesniffer to 43.0.0 2024-03-16 18:53:05 +00:00
FilterRunner.php Use namespaced classes 2023-12-10 23:03:12 +01:00
FilterRunnerFactory.php Use namespaced classes 2023-12-10 23:03:12 +01:00
FilterStore.php Remove AbuseFilterActorMigration 2024-06-15 09:42:27 +02:00
FilterUser.php Don't attempt to steal or create the FilterUser in CheckUserHandler 2024-01-31 19:32:52 +00:00
FilterUtils.php Allow variables to be restricted by user right 2024-06-04 06:54:53 -07:00
FilterValidator.php Miscellaneous minor fixes 2024-07-03 02:31:38 +02:00
GlobalNameUtils.php
InvalidImportDataException.php
KeywordsManager.php Add user_unnamed_ip variable 2024-05-23 07:19:48 -07:00
ProtectedVarsAccessLogger.php Write protected variables access logs to CheckUser if installed 2024-09-18 07:59:05 -07:00
RunnerData.php
ServiceWiring.php Log changes to protected variables access 2024-09-13 01:39:09 -07:00
SpecsFormatter.php Miscellaneous minor fixes 2024-07-03 02:31:38 +02:00
TableDiffFormatterFullContext.php
TextExtractor.php Use namespaced classes 2024-06-12 20:01:35 +02:00
ThrottleFilterPresentationModel.php Use namespaced classes 2024-06-12 20:01:35 +02:00