CVE-2025-61639

Why:
* ManualLogEntry::getRecentChange creates the RecentChange object for the ManualLogEntry instance.
** This does not currently include the deleted flags set in the ManualLogEntry
** Without this, the RecentChange that is created will not be marked as deleted and published as public.
* Therefore, this means that any code which hides a log entry from the creation of the entry will cause an unintentionally public recent change entry.
** The AbuseFilter extension attempts to suppress the log entry for the block on its creation, which therefore hits this security bug.

What:
* Update RecentChange::newLogEntry to accept a $deleted field which is set by default as 0 which is used as the value of rc_deleted.
* Update ManualLogEntry::getRecentChange to pass the value of ManualLogEntry::getDeleted to RecentChange::newLogEntry.
* Test that this fix worked.

Bug: T280413
Change-Id: I681a49ac7d7b22ffe259b976ad5315490dda467b


| |
|---|
| Hook |
| BlockLogFormatter.php |
| ContentModelLogFormatter.php |
| DatabaseLogEntry.php |
| DeleteLogFormatter.php |
| ImportLogFormatter.php |
| LegacyLogFormatter.php |
| LogEntry.php |
| LogEntryBase.php |
| LogEventsList.php |
| LogFormatter.php |
| LogFormatterFactory.php |
| LoggingSelectQueryBuilder.php |
| LogPage.php |
| LogPager.php |
| ManualLogEntry.php |
| MergeLogFormatter.php |
| MoveLogFormatter.php |
| NewUsersLogFormatter.php |
| PageLangLogFormatter.php |
| PatrolLog.php |
| PatrolLogFormatter.php |
| ProtectLogFormatter.php |
| RCDatabaseLogEntry.php |
| RenameuserLogFormatter.php |
| RightsLogFormatter.php |
| TagLogFormatter.php |
| UploadLogFormatter.php |
| WikitextLogFormatter.php |