| commit | 724a52dfc17160d70572e990d19d084943ef7606 | |
| author | Dreamy Jazz <wpgbrown@wikimedia.org> | |
| Mon, 30 Sep 2024 23:34:29 +0000 (1 00:34 +0100) | ||
| committer | Gerrit Code Review <gerrit@wikimedia.org> | |
| Mon, 30 Sep 2024 23:34:29 +0000 (30 23:34 +0000) | ||
| tree | d88121000708a0c2dfad61464525336e26a48b6a | treesnapshot (tar.gz zip) |
| parent | 5f7cc224cb7d8b1c45ce0a8f33f520589eed9cad | commitdiff |
Update git submodules
* Update extensions/AbuseFilter from branch 'REL1_41'
to d0c3001c626ef1db6239f369db432a9246b53021
- SECURITY: abusefiltercheckmatch: Check if user can see log details
CVE-2024-PENDING
Why:
* The 'abusefiltercheckmatch' API allows callers to match
arbitary filter conditions against existing AbuseFilter logs
* The API does not check if the performer has the ability to
see the log details for the given filter, so can allow a user
to bypass hidden and protected visibility settings.
What:
* Call AbuseFilterPermissionManager::canSeeLogDetailsForFilter
before attempting to match a filter against a given AbuseFilter
log.
* Add a test to verify that this security fix works.
Bug: T372998
Change-Id: I4a2467dc4e0d1f8401d5428a89c7f6d6ebcdfa70
* Update extensions/AbuseFilter from branch 'REL1_41'
to d0c3001c626ef1db6239f369db432a9246b53021
- SECURITY: abusefiltercheckmatch: Check if user can see log details
CVE-2024-PENDING
Why:
* The 'abusefiltercheckmatch' API allows callers to match
arbitary filter conditions against existing AbuseFilter logs
* The API does not check if the performer has the ability to
see the log details for the given filter, so can allow a user
to bypass hidden and protected visibility settings.
What:
* Call AbuseFilterPermissionManager::canSeeLogDetailsForFilter
before attempting to match a filter against a given AbuseFilter
log.
* Add a test to verify that this security fix works.
Bug: T372998
Change-Id: I4a2467dc4e0d1f8401d5428a89c7f6d6ebcdfa70
| extensions/AbuseFilter | diffblobblamehistory |