CVE-2025-61639

Why:
* ManualLogEntry::getRecentChange creates the RecentChange object for the ManualLogEntry instance.
** This does not currently include the deleted flags set in the ManualLogEntry
** Without this, the RecentChange that is created will not be marked as deleted and published as public.
* Therefore, this means that any code which hides a log entry from the creation of the entry will cause an unintentionally public recent change entry.
** The AbuseFilter extension attempts to suppress the log entry for the block on its creation, which therefore hits this security bug.

What:
* Update RecentChange::newLogEntry to accept a $deleted field which is set by default as 0 which is used as the value of rc_deleted.
* Update ManualLogEntry::getRecentChange to pass the value of ManualLogEntry::getDeleted to RecentChange::newLogEntry.
* Test that this fix worked.

Bug: T280413
Change-Id: I681a49ac7d7b22ffe259b976ad5315490dda467b

||
|---|---|---|
| Hook | ||
| RCFeed | ||
| CategoryMembershipChange.php | ||
| ChangesFeed.php | ||
| ChangesList.php | ||
| ChangesListBooleanFilter.php | ||
| ChangesListBooleanFilterGroup.php | ||
| ChangesListFilter.php | ||
| ChangesListFilterGroup.php | ||
| ChangesListStringOptionsFilter.php | ||
| ChangesListStringOptionsFilterGroup.php | ||
| EnhancedChangesList.php | ||
| OldChangesList.php | ||
| RCCacheEntry.php | ||
| RCCacheEntryFactory.php | ||
| RecentChange.php | ||
| RecentChangesUpdateJob.php | ||