Last modified: 2014-07-07 18:03:44 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T69548, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 67548 - Some old private wiki accounts included in centralauth.localuser table
Status: RESOLVED FIXED
Product: Wikimedia
Classification: Unclassified
Component: General/Unknown
Version: unspecified
Hardware: All All
Importance: Unprioritized normal
Assigned To: Kunal Mehta (Legoktm)
Blocks: 67350
Reported: 2014-07-05 03:09 UTC by Kunal Mehta (Legoktm)
Modified: 2014-07-07 18:03 UTC

Description Kunal Mehta (Legoktm) 2014-07-05 03:09:27 UTC
I was doing more SUL audit stuff, and discovered that some private wikis are in centralauth's localuser table.

mysql:sul@dbstore1002 [centralauth]> select count(*) from localuser where lu_wiki="internalwiki";
+----------+
| count(*) |
+----------+
|        3 |
+----------+
1 row in set (0.00 sec)

Additionally 1 from comcomwiki, 1 from officewiki, and 1 from otrs_wikiwiki.

There are also some 40 accounts from foundationwiki, but that's not a private wiki (foundationwiki is also in the localnames table).

I think this is left over from some point in 2008 when those wikis were SUL linked? All the timestamps are from March 13, 2008.

Filing this as a security bug since this information is also replicated to Labs, and is leaking a (very small) subset of those wikis' user tables. This will also cause issues if any of those users are globally renamed.

My proposed solution is to just delete those rows.
Comment 1 Chris Steipp 2014-07-07 13:02:37 UTC
I think we can delete them.
Comment 2 Kunal Mehta (Legoktm) 2014-07-07 17:53:28 UTC
Done.
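
The per-wiki count from the description can be turned into a repeatable audit that also confirms the cleanup left nothing behind. This is an added example, not part of the original bug report or Wikimedia's tooling: it uses an in-memory SQLite table as a stand-in for centralauth.localuser, the rows are constructed, the column names other than lu_wiki are assumptions about a simplified schema, and the private-wiki list is limited to the four wikis named above.

```python
import sqlite3

# Assumption: the four private wikis named in the report; a real audit would
# load the full list of private wikis from configuration.
PRIVATE_WIKIS = ("internalwiki", "comcomwiki", "officewiki", "otrs_wikiwiki")


def build_sample_db():
    """Constructed data: in-memory stand-in for centralauth.localuser."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE localuser ("
        " lu_wiki TEXT NOT NULL, lu_name TEXT NOT NULL,"
        " lu_attached_timestamp TEXT, PRIMARY KEY (lu_wiki, lu_name))"
    )
    rows = [  # constructed rows mirroring the counts quoted in the report
        ("internalwiki", "ExampleUserA", "20080313170501"),
        ("internalwiki", "ExampleUserB", "20080313170502"),
        ("internalwiki", "ExampleUserC", "20080313170503"),
        ("comcomwiki", "ExampleUserA", "20080313170504"),
        ("officewiki", "ExampleUserB", "20080313170505"),
        ("otrs_wikiwiki", "ExampleUserC", "20080313170506"),
        ("foundationwiki", "ExampleUserD", "20080313170507"),  # not private
        ("enwiki", "ExampleUserA", "20140701120000"),  # ordinary public wiki
    ]
    conn.executemany("INSERT INTO localuser VALUES (?, ?, ?)", rows)
    return conn


def audit_private_rows(conn, private_wikis):
    """Return {wiki: (row_count, earliest_attach, latest_attach)} for every
    private wiki that has rows in the shared localuser table."""
    wikis = tuple(private_wikis)
    if not wikis:  # "IN ()" is a syntax error, so short-circuit
        return {}
    marks = ",".join("?" * len(wikis))  # one bound parameter per wiki name
    query = (
        "SELECT lu_wiki, COUNT(*), MIN(lu_attached_timestamp),"
        " MAX(lu_attached_timestamp) FROM localuser"
        f" WHERE lu_wiki IN ({marks}) GROUP BY lu_wiki"
    )
    return {w: (n, lo, hi) for w, n, lo, hi in conn.execute(query, wikis)}


if __name__ == "__main__":
    found = audit_private_rows(build_sample_db(), PRIVATE_WIKIS)
    for wiki, (n, lo, hi) in sorted(found.items()):
        print(f"{wiki}: {n} row(s), attached {lo} to {hi}")
```

An empty result after the rows are deleted is the condition to check for before the table is next replicated.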
