CVE-2025-61643

Why:
* Some RecentChange objects being processed by RecentChangeRCFeedNotifier::notifyRCFeeds can be already deleted / suppressed
** This can happen for log entries which are deleted or suppressed when they are created such as described by T280413
* RecentChanges feeds are often not equipped to handle appropriate redaction of deleted or suppressed recent change entries
** Therefore, sending them suppressed recentchanges entries will likely publicly expose the suppressed information
* As a short-term fix we can stop sending any defined RCFeed instances RecentChange objects which are suppressed
** We may want to consider making RCFeeds capable of suppressing information before publishing the data, but that would need a more considered approach.

What:
* Update RecentChangeRCFeedNotifier::notifyRCFeeds to return early if the rc_deleted attribute on the provided RecentChange object isn't zero (0 means not deleted).
* Add a PHPUnit test to check for this

Bug: T403757
Change-Id: Ic5e553bab8e82e7faee323a46ed6704043c5163b

||
|---|---|---|
| Hook | ||
| RCFeed | ||
| CategoryMembershipChange.php | ||
| ChangesFeed.php | ||
| ChangesList.php | ||
| ChangesListBooleanFilter.php | ||
| ChangesListBooleanFilterGroup.php | ||
| ChangesListFilter.php | ||
| ChangesListFilterGroup.php | ||
| ChangesListStringOptionsFilter.php | ||
| ChangesListStringOptionsFilterGroup.php | ||
| EnhancedChangesList.php | ||
| OldChangesList.php | ||
| RCCacheEntry.php | ||
| RCCacheEntryFactory.php | ||
| RecentChange.php | ||
| RecentChangesUpdateJob.php | ||