SECURITY: BlockList: Hide rows containing suppressed users
CVE-2025-6589
Bug: T391343
Co-Authored-by: MusikAnimal <musikanimal@gmail.com>
Change-Id: Id5462b942f5e916c2f1dc725739615d54a1070de
This commit is contained in:
parent
87ea0c739f
commit
686589d207
2 changed files with 46 additions and 9 deletions
@ -479,16 +479,20 @@ class BlockListPager extends TablePager {
# be private and could be included in block lists and logs for
# transparency purposes. Previously, filtering out deleted blocks
# was a convenient way to avoid showing the target name.
if ( !$this->getAuthority()->isAllowed( 'hideuser' ) ) {
$info['conds']['bl_deleted'] = 0;
if ( $this->getAuthority()->isAllowed( 'hideuser' ) ) {
$info['fields']['hu_deleted'] = $this->hideUserUtils->getExpression(
$db,
'block_target.bt_user',
HideUserUtils::HIDDEN_USERS
);
} else {
$info['fields']['hu_deleted'] = 0;
$info['conds'][] = $this->hideUserUtils->getExpression(
$db,
'block_target.bt_user',
HideUserUtils::SHOWN_USERS
);
}
# Determine if the user is hidden
# With multiblocks we can't just rely on bl_deleted in the row being formatted
$info['fields']['hu_deleted'] = $this->hideUserUtils->getExpression(
$db,
'block_target.bt_user',
HideUserUtils::HIDDEN_USERS );
return $info;
}
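Review bot: The explanatory comment that ends just above the new `isAllowed( 'hideuser' )` branch still says "Previously, filtering out deleted blocks was a convenient way to avoid showing the target name", which now describes neither the removed `bl_deleted` condition nor the new `SHOWN_USERS` filter; the comment block starts outside the hunk, so it should be reworded there, for example `# Viewers without hideuser must not see rows for suppressed users at all, so the query itself filters by HideUserUtils::SHOWN_USERS instead of relying on bl_deleted.` The new `$info['conds'][]` expression is keyed on `block_target.bt_user`, which is presumably NULL for IP and range targets; please confirm that `HideUserUtils::getExpression( ..., HideUserUtils::SHOWN_USERS )` yields true for a NULL `bt_user`, since a plain `NOT IN (subquery)` form would evaluate to NULL and silently drop every IP block from the list for non-suppressors. Both branches repeat the same `$db` and `'block_target.bt_user'` arguments, so the expression target could be named once above the `if`. The enclosing method begins before this hunk.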
@ -14,6 +14,7 @@ use MediaWiki\Context\RequestContext;
use MediaWiki\Linker\LinkRenderer;
use MediaWiki\MainConfigNames;
use MediaWiki\Pager\BlockListPager;
use MediaWiki\Permissions\SimpleAuthority;
use MediaWiki\Request\FauxRequest;
use MediaWiki\SpecialPage\SpecialPageFactory;
use MediaWiki\Utils\MWTimestamp;
@ -364,4 +365,36 @@ class BlockListPagerTest extends MediaWikiIntegrationTestCase {
$pager->getFullOutput();
$this->assertTrue( true );
}
/**
* T391343 regression test
* @coversNothing
*/
public function testBlockLinkSuppression() {
$user = $this->getTestUser()->getUserIdentity();
$store = $this->getServiceContainer()->getDatabaseBlockStore();
$store->insertBlockWithParams( [
'targetUser' => $user,
'by' => $this->getTestSysop()->getUser(),
] );
$store->insertBlockWithParams( [
'targetUser' => $user,
'by' => $this->getTestSysop()->getUser(),
'hideName' => true
] );
RequestContext::getMain()->setAuthority(
new SimpleAuthority(
$this->getTestSysop()->getUserIdentity(),
[ 'block' ]
)
);
$pager = $this->getBlockListPager();
$body = $pager->getBody();
$this->assertStringNotContainsString( $user->getName(), $body );
// Fail even if punctuation in the name was replaced
$regex = '/' . preg_replace( '/[^A-Za-z0-9]+/', '.+', $user->getName() ) . '/';
$this->assertDoesNotMatchRegularExpression( $regex, $body );
}
}
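Review bot: `testBlockLinkSuppression` only asserts absence, so a fix that over-filters the pager (for example one that drops every row with a NULL `bt_user`) would pass it just as well as the intended one; a positive control is needed alongside the two `assertStringNotContainsString`/`assertDoesNotMatchRegularExpression` checks. Insert a second, non-suppressed target before rendering and assert it survives: `$visible = $this->getMutableTestUser()->getUserIdentity();`, `$store->insertBlockWithParams( [ 'targetUser' => $visible, 'by' => $this->getTestSysop()->getUser() ] );`, and after `$body = $pager->getBody();` add `$this->assertStringContainsString( $visible->getName(), $body );`. An IP-target block would make an even stronger control for the same reason. The `'hideName' => true` element lacks the trailing comma the sibling `insertBlockWithParams` arrays use.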