I'm actually not sure what it is, but I do know that the incident reports vandalized by 2600:387:5:80d::b4 cannot be fixed nor displayed due to
[b62f836f40daa03fc146c69a] 2019-05-24 11:15:03: Fatal exception of type "Error"
or something alike. I think this is some sort of vulnerability lying in the function, and thus should be fixed immediately. Thanks in advance.
2019-05-24 10:23:21 mw1 metawiki: [9b27a4ecb41a43dbbd47bf8b] /wiki/Special:IncidentReports/11/edit ErrorException from line 641 of /srv/mediawiki/w/extensions/IncidentReporting/includes/IncidentReportingFormFactory.php: PHP Notice: A non well formed numeric value encountered
Actually
2019-05-24 12:01:42 mw1 metawiki: [c564b622472bcff6f0f3ece4] /wiki/Special:IncidentReports/15/edit Error from line 56 of /srv/mediawiki/w/extensions/IncidentReporting/includes/IncidentReportingFormFactory.php: Call to a member function getId() on boolean
I have a fix, but before i deploy it i would like to speak to @John about restricting access to IR to only people who need to write reports.
Thank you for your reasonable disclosure.
This was caused by a lack of permissions checking in IncidentReporting which I have now fixed.
As usual, please continue to report (potential) security related issues here.
Thanks,
John