From 9d39b05391e2faf49625a141f4e3da3afe11a335 Mon Sep 17 00:00:00 2001 From: Dreamy Jazz Date: Wed, 23 Jul 2025 14:52:08 +0100 Subject: [PATCH] Update git submodules * Update extensions/AbuseFilter from branch 'REL1_43' to bc7e84a07c991ebd9251fb7d0cfb5829af50cbaf - SECURITY: Check protected variable access in CheckMatch API Why: * The AbuseFilter 'abusefiltercheckmatch' API allows users to check if abuse_filter_log rows or recentchange rows match against a provided pattern. * This currently does not check if the pattern attempts to match against protected variables that may be present in the variables generated for either the RecentChange or abuse_filter_log row. ** This allows users to trial-and-error work out the value of protected variables when they do not have access to the variables. * This should not be possible and proper access restrictions for protected variables should be applied. ** This includes logging when a caller is matching against protected variable values to avoid trial-and-error matching allowing an authorised user to see the value without creating a log entry. What: * Update CheckMatch::execute to: ** Reject attempts to match using a pattern that contains protected variables that the user cannot see the value of. ** Reject attempts to match against abuse_filter_log rows that have protected variable values that the user cannot see to be consistent with Special:AbuseLog access restrictions. ** Log when the provided pattern uses protected variables that have a value in the variable dump. * Add tests to verify this fix works. Bug: T397196 Change-Id: I5f02572b94760141f6f57873409469318f441e18 --- extensions/AbuseFilter | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/AbuseFilter b/extensions/AbuseFilter index a8dbd6b44e9..bc7e84a07c9 160000 --- a/extensions/AbuseFilter +++ b/extensions/AbuseFilter 
@@ -1 +1 @@ -Subproject commit a8dbd6b44e929cd52d738de6623251f140c814fb +Subproject commit bc7e84a07c991ebd9251fb7d0cfb5829af50cbaf
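Review bot: The gitlink change on extensions/AbuseFilter (a8dbd6b44e9 to bc7e84a07c9) is the entire diff, so none of the CheckMatch::execute changes or the tests described in the message are visible here; they have to be reviewed in the AbuseFilter repository at bc7e84a07c991ebd9251fb7d0cfb5829af50cbaf. Before merging, confirm that the range a8dbd6b44e929cd52d738de6623251f140c814fb..bc7e84a07c991ebd9251fb7d0cfb5829af50cbaf on REL1_43 contains only the one SECURITY commit the message lists, so that no unrelated change rides along with the bump. The subject "Update git submodules" also gives no hint that this carries an access-control fix; mentioning SECURITY or T397196 in the subject would make it easier to find when auditing the release branch.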