SECURITY: Fix log entry search revealing suppressed data to users with 'deletedhistory' rights

CVE-2025-32698 Bug: T385958 Change-Id: Id0588baf6a1587d326b262d075d4e943dc5daacd
2025-02-11 21:20:58 +01:00 · 2025-02-11 21:20:58 +01:00 · 8702751d5e
commit 8702751d5e
parent 4d9b508c04
1 changed files with 2 additions and 2 deletions
--- a/includes/logging/LogPager.php
+++ b/includes/logging/LogPager.php
@ -523,7 +523,7 @@ class LogPager extends ReverseChronologicalPager {
 			$this->mConds[] = $this->mDb->bitAnd( 'log_deleted', LogPage::DELETED_ACTION ) . ' = 0';
 		} elseif ( !$this->getAuthority()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
 			$this->mConds[] = $this->mDb->bitAnd( 'log_deleted', LogPage::SUPPRESSED_ACTION ) .
-				' != ' . LogPage::SUPPRESSED_USER;
+				' != ' . LogPage::SUPPRESSED_ACTION;
 		}
 	}
@ -540,7 +540,7 @@ class LogPager extends ReverseChronologicalPager {
 			$this->mConds[] = $this->mDb->bitAnd( 'log_deleted', LogPage::DELETED_USER ) . ' = 0';
 		} elseif ( !$this->getAuthority()->isAllowedAny( 'suppressrevision', 'viewsuppressed' ) ) {
 			$this->mConds[] = $this->mDb->bitAnd( 'log_deleted', LogPage::SUPPRESSED_USER ) .
-				' != ' . LogPage::SUPPRESSED_ACTION;
+				' != ' . LogPage::SUPPRESSED_USER;
 		}
 	}
 }