POST request does not check registered status for RequestWiki comments
Closed, Resolved (Public)

Description

A locked user reopened request #2831 and edited the request various times. The username of the user for some reason is not visible in the wiki request (the requester appears to be one's IP for some reason) but after looking through the Farmer log (see log from 27 March, 2017), it seems the request was opened by a user named "Hello" (CentralAuth) who was locked for long-term abuse.

This "Hello" user was locked by NDKilla in *2017* and is still locked, but they somehow reopened this 5-year-old request. When they reopened the request, they did not trigger a log entry in the Farmer log saying that they had reopened their request; it just suddenly appeared in the wiki request queue. How could this have happened?

(Task temporarily hidden from public view to prevent a potential Streisand effect)

Event Timeline

Agent_Isai triaged this task as Normal priority. Apr 2 2022, 17:19
Agent_Isai created this task.
Agent_Isai created this object with visibility "Custom Policy".
Agent_Isai created this object with edit policy "Custom Policy".
John raised the priority of this task from Normal to High.
John added a project: Security.
John changed the visibility from "Custom Policy" to "Public (No Login Required)".
John changed the edit policy from "Custom Policy" to "All Users".
RhinosF1 renamed this task from Locked user reopened wiki request to POST request does not check registered status for RequestWiki comments. Apr 2 2022, 19:25

@RhinosF1 Thanks for the link. Is that advisory up and posted, no? I get a 404 not found error.

Still waiting for GitHub to issue the CVE

Okay, thanks. Did we revert the changes made to the wiki requests by manually editing the applicable wiki request database table?

No

Can we try and do that, please, presumably by looking in a backup database table and manually reverting to the pre-LTA-affected changes?