
Commit a3dae0c

Security: fix hiding usernames for hidden users
Release version 3.6.4
1 parent e278dfc commit a3dae0c

4 files changed

+75
-34
lines changed


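--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -852,3 +852,8 @@ Many thanks to GreenReaper on GitHub for reporting and finding issues with core
 * Fixed tests, replacing `ParserOutput::getText` with `ParserOutput::getContentHolderText`.
 * Removed `Query::getTableNames` and associated properties, replacing calls with `$this->dbr->tableName`.
 * Fixed compatability with upstream backported changes to use raw table names where necessary (by passing the second parameter of `$this->dbr->tableName` as `'raw'` where needed).
+
+# Version 3.6.4
+* Fixed a PHP warning in `nottitleregexp` (uninitialised array/key).
+* Removed some unused parameters, methods, and variables.
+* SECURITY: Fixed leakage of hidden/suppressed usernames ([GHSA-7pgw-q3qp-6pgq](https://github.com/Universal-Omega/DynamicPageList3/security/advisories/GHSA-7pgw-q3qp-6pgq)).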

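--- a/extension.json
+++ b/extension.json
@@ -1,6 +1,6 @@
 {
 "name": "DynamicPageList3",
-"version": "3.6.3",
+"version": "3.6.4",
 "author": [
 "'''Universal Omega'''",
 "Alexia E. Smith",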

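--- a/includes/Article.php
+++ b/includes/Article.php
@@ -4,6 +4,7 @@
 
 use MediaWiki\Context\RequestContext;
 use MediaWiki\MediaWikiServices;
+use MediaWiki\Revision\RevisionRecord;
 use MediaWiki\Title\Title;
 use MediaWiki\User\ActorStore;
 use stdClass;
@@ -211,8 +212,11 @@ public static function newFromRow(
 $article = new self( $title, $pageNamespace );
 
 $revActorName = ActorStore::UNKNOWN_USER_NAME;
-if ( isset( $row->rev_actor ) && $row->rev_actor !== '0' ) {
-$revActorName = $userFactory->newFromActorId( $row->rev_actor )->getName();
+if ( isset( $row->rev_actor ) && (int)$row->rev_actor !== 0 ) {
+$revUser = $userFactory->newFromActorId( $row->rev_actor );
+$revUserDeleted = $row->rev_deleted & RevisionRecord::DELETED_USER;
+$revActorName = $revUser->isHidden() || $revUserDeleted ?
+wfMessage( 'rev-deleted-user' )->escaped() : $revUser->getName();
 }
 
 $titleText = $title->getText();
@@ -342,9 +346,10 @@ public static function newFromRow(
 // CONTRIBUTION, CONTRIBUTOR
 if ( $parameters->getParameter( 'addcontribution' ) ) {
 $article->mContribution = $row->contribution;
-
-$article->mContributor = $userFactory->newFromActorId( $row->contributor )->getName();
-
+$contribUser = $userFactory->newFromActorId( $row->contributor );
+$contribUserDeleted = $row->contrib_deleted & RevisionRecord::DELETED_USER;
+$article->mContributor = $contribUser->isHidden() || $contribUserDeleted ?
+wfMessage( 'rev-deleted-user' )->escaped() : $contribUser->getName();
 $article->mContrib = substr( '*****************', 0, (int)round( log( $row->contribution ) ) );
 }
 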
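Review bot: `$row->rev_deleted` is read unconditionally inside a block that is guarded only by `isset( $row->rev_actor )`, so any select path that populates `rev_actor` without also selecting `rev_deleted` would raise an undefined-property warning and make `$revUserDeleted` evaluate to 0, i.e. the suppression check fails open; `_adduser` in Query.php now selects both columns, but the guard does not enforce that coupling. A fail-closed form would be `$revUserDeleted = ( (int)( $row->rev_deleted ?? RevisionRecord::DELETED_USER ) ) & RevisionRecord::DELETED_USER;`, and the same applies to `$row->contrib_deleted` in the CONTRIBUTION hunk. Note also that the two branches of the ternary differ in escaping: `wfMessage( 'rev-deleted-user' )->escaped()` is already HTML-escaped while `getName()` is raw, so whatever later renders `$revActorName` and `mContributor` must escape only the raw case or the placeholder will show entities; the consumer is outside this hunk, so this needs confirming. `newFromRow` continues outside the hunks shown.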
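--- a/includes/Query.php
+++ b/includes/Query.php
@@ -832,7 +832,8 @@ private function _addcontribution( $option ) {
 $this->addSelect(
 [
 'contribution' => 'SUM(ABS(rc.rc_new_len - rc.rc_old_len))',
-'contributor' => 'rc.rc_actor'
+'contributor' => 'rc.rc_actor',
+'contrib_deleted' => 'rc.rc_deleted',
 ]
 );
 
@@ -962,6 +963,7 @@ private function _adduser( $option, $tableAlias = '' ) {
 $this->addSelect(
 [
 $tableAlias . 'rev_actor',
+$tableAlias . 'rev_deleted',
 ]
 );
 }
@@ -1150,15 +1152,19 @@ private function _notcategory( $option ) {
 * @param mixed $option
 */
 private function _createdby( $option ) {
+$user = $this->userFactory->newFromName( $option );
+if ( $user->isHidden() ) {
+return;
+}
+
 $this->addTable( 'revision', 'creation_rev' );
 $this->_adduser( null, 'creation_rev' );
 
 $this->addWhere( [
-$this->dbr->addQuotes(
-$this->userFactory->newFromName( $option )->getActorId()
-) . ' = creation_rev.rev_actor',
+$this->dbr->addQuotes( $user->getActorId() ) . ' = creation_rev.rev_actor',
 'creation_rev.rev_page = page_id',
-'creation_rev.rev_parent_id = 0'
+'creation_rev.rev_deleted = 0',
+'creation_rev.rev_parent_id = 0',
 ] );
 }
 
@@ -1308,12 +1314,17 @@ private function _imageused( $option ) {
 * @param mixed $option
 */
 private function _lastmodifiedby( $option ) {
+$user = $this->userFactory->newFromName( $option );
+if ( $user->isHidden() ) {
+return;
+}
+
 $this->addWhere(
-$this->dbr->addQuotes(
-$this->userFactory->newFromName( $option )->getActorId()
-) . ' = (SELECT rev_actor FROM ' . $this->dbr->tableName( 'revision' ) .
-' WHERE ' . $this->dbr->tableName( 'revision' ) . '.rev_page=page_id ORDER BY ' .
-$this->dbr->tableName( 'revision' ) . '.rev_timestamp DESC LIMIT 1)'
+$this->dbr->addQuotes( $user->getActorId() ) .
+' = (SELECT rev_actor FROM ' . $this->dbr->tableName( 'revision' ) .
+' WHERE ' . $this->dbr->tableName( 'revision' ) . '.rev_page = page_id' .
+' AND ' . $this->dbr->tableName( 'revision' ) . '.rev_deleted = 0' .
+' ORDER BY ' . $this->dbr->tableName( 'revision' ) . '.rev_timestamp DESC LIMIT 1)'
 );
 }
 
@@ -1676,12 +1687,16 @@ private function _minrevisions( $option ) {
 * @param mixed $option
 */
 private function _modifiedby( $option ) {
+$user = $this->userFactory->newFromName( $option );
+if ( $user->isHidden() ) {
+return;
+}
+
 $this->addTable( 'revision', 'change_rev' );
 
 $this->addWhere(
-$this->dbr->addQuotes(
-$this->userFactory->newFromName( $option )->getActorId()
-) . ' = change_rev.rev_actor AND change_rev.rev_page = page_id'
+$this->dbr->addQuotes( $user->getActorId() ) .
+' = change_rev.rev_actor AND change_rev.rev_deleted = 0 AND change_rev.rev_page = page_id'
 );
 }
 
@@ -1714,13 +1729,17 @@ private function _namespace( $option ) {
 * @param mixed $option
 */
 private function _notcreatedby( $option ) {
+$user = $this->userFactory->newFromName( $option );
+if ( $user->isHidden() ) {
+return;
+}
+
 $this->addTable( 'revision', 'no_creation_rev' );
 
 $this->addWhere(
-$this->dbr->addQuotes(
-$this->userFactory->newFromName( $option )->getActorId()
-) . ' != no_creation_rev.rev_actor AND no_creation_rev.rev_page = ' .
-'page_id AND no_creation_rev.rev_parent_id = 0'
+$this->dbr->addQuotes( $user->getActorId() ) .
+' != no_creation_rev.rev_actor AND no_creation_rev.rev_deleted = 0 ' .
+'AND no_creation_rev.rev_page = page_id AND no_creation_rev.rev_parent_id = 0'
 );
 }
 
@@ -1730,11 +1749,17 @@ private function _notcreatedby( $option ) {
 * @param mixed $option
 */
 private function _notlastmodifiedby( $option ) {
-$this->addWhere( $this->dbr->addQuotes(
-$this->userFactory->newFromName( $option )->getActorId()
-) . ' != (SELECT rev_actor FROM ' . $this->dbr->tableName( 'revision' ) .
-' WHERE ' . $this->dbr->tableName( 'revision' ) . '.rev_page=page_id ORDER BY ' .
-$this->dbr->tableName( 'revision' ) . '.rev_timestamp DESC LIMIT 1)'
+$user = $this->userFactory->newFromName( $option );
+if ( $user->isHidden() ) {
+return;
+}
+
+$this->addWhere(
+$this->dbr->addQuotes( $user->getActorId() ) .
+' != (SELECT rev_actor FROM ' . $this->dbr->tableName( 'revision' ) .
+' WHERE ' . $this->dbr->tableName( 'revision' ) . '.rev_page = page_id' .
+' AND ' . $this->dbr->tableName( 'revision' ) . '.rev_deleted = 0' .
+' ORDER BY ' . $this->dbr->tableName( 'revision' ) . '.rev_timestamp DESC LIMIT 1)'
 );
 }
 
@@ -1744,12 +1769,18 @@ private function _notlastmodifiedby( $option ) {
 * @param mixed $option
 */
 private function _notmodifiedby( $option ) {
-$this->addWhere( 'NOT EXISTS (SELECT 1 FROM ' .
-$this->dbr->tableName( 'revision' ) . ' WHERE ' . $this->dbr->tableName( 'revision' ) .
-'.rev_page=page_id AND ' . $this->dbr->tableName( 'revision' ) . '.rev_actor = ' .
-$this->dbr->addQuotes(
-$this->userFactory->newFromName( $option )->getActorId()
-) . ' LIMIT 1)'
+$user = $this->userFactory->newFromName( $option );
+if ( $user->isHidden() ) {
+return;
+}
+
+$this->addWhere(
+'NOT EXISTS (SELECT 1 FROM ' .
+$this->dbr->tableName( 'revision' ) .
+' WHERE ' . $this->dbr->tableName( 'revision' ) . '.rev_page = page_id' .
+' AND ' . $this->dbr->tableName( 'revision' ) . '.rev_actor = ' . $this->dbr->addQuotes( $user->getActorId() ) .
+' AND ' . $this->dbr->tableName( 'revision' ) . '.rev_deleted = 0' .
+' LIMIT 1)'
 );
 }
 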
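Review bot: The early `return;` on `$user->isHidden()` in `_createdby` drops the filter altogether, so `createdby=<hidden user>` yields the unfiltered page list whereas a name that resolves to no actor (presumably actor id 0, which matches no `rev_actor`) yields an empty one; that observable difference lets a reader infer that a name belongs to a hidden user, which is the fact the advisory is meant to conceal. The same pattern is repeated in the `_lastmodifiedby`, `_modifiedby`, `_notcreatedby`, `_notlastmodifiedby` and `_notmodifiedby` hunks. Treating a hidden user exactly like an unknown one keeps the two cases indistinguishable, e.g. `$actorId = $user->isHidden() ? 0 : $user->getActorId();` and then feeding `$actorId` to the existing `addQuotes( ... )` conditions instead of returning. Separately, the new `rev_deleted = 0` conditions exclude revisions carrying any deletion bit (text, comment, restricted), which is broader than the `DELETED_USER` case the change is addressing; a bitmask test against `RevisionRecord::DELETED_USER` would be narrower, if that class is available in Query.php.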