Last modified: 2014-02-12 23:32:49 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T45518, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 43518 - api.php?action=unblock returns the full user object
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: API
Version: 1.20.x
Hardware/OS: All / All
Priority/Severity: High / normal
Target Milestone: 1.20.x release
Assigned To: Nobody - You can work on this!
Reported: 2012-12-30 13:13 UTC by Alex Monk
Modified: 2014-02-12 23:32 UTC (History)



Attachments
Patch (986 bytes, patch)
2012-12-30 14:05 UTC, Alex Monk
Details
Updated Patch (1.00 KB, patch)
2013-02-16 00:57 UTC, Chris Steipp
Details
patch for 1.19 branch (1.00 KB, patch)
2013-02-16 01:06 UTC, Chris Steipp
Details

Description Alex Monk 2012-12-30 13:13:55 UTC
When you unblock someone via the API, you get the full user object back. This includes mPassword (hashed, so I'm not sure how much of a big deal this is), mToken, mEmail (not public info), and some other things.

On a slightly unrelated note, I'm not sure api.php?meta=userinfo should return the watchlisttoken preference... In the UI it says 'Filling in this field with a secret key will generate an RSS feed for your watchlist. Anyone who knows the key in this field will be able to read your watchlist, so choose a secure value.'
Comment 1 Alex Monk 2012-12-30 13:58:18 UTC
(In reply to comment #0)
> On a slightly unrelated note, I'm not sure api.php?meta=userinfo should return
> the watchlisttoken preference... In the UI it says 'Filling in this field with
> a secret key will generate an RSS feed for your watchlist. Anyone who knows the
> key in this field will be able to read your watchlist, so choose a secure
> value.'

Ignore this bit. meta=userinfo is for the current user only.
Comment 2 Alex Monk 2012-12-30 14:05:44 UTC
Created attachment 11567 [details]
Patch
Comment 3 Alex Monk 2012-12-30 14:06:53 UTC
This was caused by r83855.
Comment 4 Chad H. 2012-12-31 12:57:42 UTC
Interesting that __toString() doesn't seem to be working.
Comment 5 Alex Monk 2012-12-31 15:52:40 UTC
The API uses json_encode (When using format=json, obviously. This bug probably doesn't apply to other formats), which doesn't appear to use __toString() (Why represent it as a string when we know about objects?).

------

<?php
// json_encode() serializes every public property of an object...
class A {
	public $youshouldnotseethis = "uh oh";

	// ...and never calls __toString(), which only applies to string conversion.
	function __toString() {
		return "works";
	}
}
echo( json_encode( new A() ) );


------

{"youshouldnotseethis":"uh oh"}
Comment 6 Chris Steipp 2013-01-02 17:33:23 UTC
Patch looks reasonable to me, and looks like it should apply fine to both master and 1.20.

We'll get the cluster patched asap, and this will be in the 1.20.3 release.

With this, an admin could easily block and unblock a user to get their password hash, and attempt to escalate their privileges. And if they escalated to someone with suppress rights, they could cover their tracks. So I think this may drive getting 1.20.3 out a little sooner.
Comment 7 Siebrand Mazeland 2013-02-08 11:45:20 UTC
Should 1.19 also get this?
Comment 8 Chris Steipp 2013-02-09 00:21:36 UTC
Yes, 1.19 should also get this. Shooting for a 1.20.3/1.19.4 release next week.
Comment 9 Chris Steipp 2013-02-16 00:52:10 UTC
Reviewing this for release and realized this throws an exception if the block was an autoblock -- "Fatal error: Call to a member function getName() on a non-object".

Probably just need a $target instanceof User ? conditional.
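The two points raised in comment 5 (json_encode() serializes every public property and ignores __toString()) and comment 9 (an autoblock target is not a User object, so calling getName() on it is fatal) are illustrated below in one added example. This is not MediaWiki's code or the attached patch: ToyUser, its field names, the two builder functions and the sample values are assumptions constructed for the example, loosely mirroring the property names named in the bug report.

```php
<?php
// Added example, not MediaWiki code. ToyUser is a hypothetical stand-in for
// the User object; its fields, the builder functions and all sample values
// are assumptions made for this illustration.

class ToyUser {
	public $mId;
	public $mName;
	public $mPassword; // constructed sample value, not a real hash
	public $mToken;    // constructed sample value
	public $mEmail;    // constructed sample value

	function __construct( $id, $name, $password, $token, $email ) {
		$this->mId = $id;
		$this->mName = $name;
		$this->mPassword = $password;
		$this->mToken = $token;
		$this->mEmail = $email;
	}

	function getId() { return $this->mId; }
	function getName() { return $this->mName; }

	// json_encode() never calls this (see comment 5), so it offers no protection.
	function __toString() { return $this->mName; }
}

// Leaky pattern: the whole object is placed in the result array, so with
// format=json every public property (hash, token, e-mail) is serialized.
function buildUnblockResultLeaky( $blockId, $target ) {
	return array( 'id' => $blockId, 'user' => $target );
}

// Fixed pattern: only explicitly chosen scalar fields reach the output, and a
// target that is not a user object (an autoblock, known only by its block ID)
// is handled instead of calling getName() on a non-object (see comment 9).
function buildUnblockResultFixed( $blockId, $target ) {
	$res = array( 'id' => $blockId );
	if ( $target instanceof ToyUser ) {
		$res['user'] = $target->getName();
		$res['userid'] = $target->getId();
	} else {
		// Autoblock: this example represents the target as '#<block id>'.
		$res['user'] = '#' . $blockId;
	}
	return $res;
}

// Regression check for the leak: the serialized result must not contain the
// names of the sensitive properties. Useful as a unit test on API output.
function leaksSensitiveFields( $json ) {
	foreach ( array( 'mPassword', 'mToken', 'mEmail' ) as $key ) {
		if ( strpos( $json, '"' . $key . '"' ) !== false ) {
			return true;
		}
	}
	return false;
}

// Constructed sample input.
$user = new ToyUser( 42, 'Example', 'SAMPLE-NOT-A-REAL-HASH', 'sample-token', 'example@example.invalid' );

$leaky = json_encode( buildUnblockResultLeaky( 1, $user ) );
$fixed = json_encode( buildUnblockResultFixed( 1, $user ) );
$auto  = json_encode( buildUnblockResultFixed( 1234, null ) ); // autoblock: no user object

echo "leaky:           ", $leaky, "\n";
echo "fixed:           ", $fixed, "\n";
echo "fixed/autoblock: ", $auto, "\n";
echo "leaky exposes sensitive fields: ", leaksSensitiveFields( $leaky ) ? "yes" : "no", "\n";
echo "fixed exposes sensitive fields: ", leaksSensitiveFields( $fixed ) ? "yes" : "no", "\n";
```

Running it shows the leaky builder emitting the password, token and e-mail fields inside the "user" value, the fixed builder emitting only the name and ID, and the autoblock case completing without a fatal error. The leaksSensitiveFields() check is the kind of assertion that would have caught r83855's regression in a test of the API result rather than in a release review.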
Comment 10 Chris Steipp 2013-02-16 00:57:03 UTC
Created attachment 11796 [details]
Updated Patch
Comment 11 Chris Steipp 2013-02-16 01:06:16 UTC
Created attachment 11797 [details]
patch for 1.19 branch
Comment 12 Chris Steipp 2013-02-21 21:21:49 UTC
Can I get someone on this bug to "+2" the attached "Updated Patch", and I'll deploy it to cluster? It's a one line change to includes/api/ApiUnblock.php.
Comment 13 Alex Monk 2013-02-21 21:35:32 UTC
(In reply to comment #10)
> Created attachment 11796 [details]
> Updated Patch

+2: Looks good to me
Comment 14 Chris Steipp 2013-03-04 19:13:06 UTC
Released as part of 1.20.3 / 1.19.4
Comment 15 Chris Steipp 2013-03-05 17:40:34 UTC
Red Hat has assigned CVE-2013-1817 to this issue.
