RevDelFileItem is missing the corresponding write new code. This results in T423065.
Description
Description
Details
Details
- Risk Rating
- Medium
- Author Affiliation
- Wikimedia Communities
Related Changes in Gerrit:
Related Objects
Related Objects
- Mentioned In
- T424553: Fix fr_deleted drifts in WMF production
T423065: Stuck-hidden file / Deleted file revisions displaying improperly - Mentioned Here
- T423654: Expectation (readQueryTime <= 5) by MediaWiki\Actions\ActionEntryPoint::execute not met (actual: {actualSeconds}) in trx #{trxId}:{query}
T423065: Stuck-hidden file / Deleted file revisions displaying improperly
Event Timeline
Comment Actions
We can probably just push this through Gerrit now that prod is not affected by this anymore.
Comment Actions
Virtual +2, For future and after clean up of the old code, we can rely on fr_id instead of fr_name but that's not a blocker.
Comment Actions
if the change introducing the bug is not new, we still need to be careful about third parties but also at the same time. No third party is using the new file system I think (READ_NEW should be quite recent I assume)
Comment Actions
$wgFileSchemaMigrationStage is not yet documented to actually support read new. The problem is actually that this is even a WRITE_NEW issue. If any third party wiki already set their wiki to WRITE_BOTH, they will have deviations in their filerevision table.
The next thing I just noticed is that the drift in fr_deleted also exposes a lot of rows in the wiki replicas which should be hidden.
Comment Actions
Do we need to write a maintenance script to fix fr_deleted fields that got out of sync with oi_deleted?
Comment Actions
Might want to edit the ticket to include why this is a security issue. The bug in T423065 resulted in hidden files being clickable, but clicking on them gave an error message, so the hidden files were not actually viewable.
Comment Actions
Yes.
It also did affect the other kinds of revision deletions. For example did I hide your username on the file you linked in your task (https://test.wikipedia.org/w/index.php?title=Special:Log&logid=461602) and it simply did not work.
Generally, _deleted rows are used in all kinds of permission checks and none of them will work here, so a bit of caution seems like a good idea.
Comment Actions
Deployed this as a security patch for now (nothing changed, I just fixed the commit message).
This comment was removed by Zabe.
Comment Actions
Meh. I thought I tested it, but my local wiki was set to write old, smart. Here a fixed version.
Comment Actions
Instead of querying file table, you can use ->getFileIdFromName() instead. Much simpler.
Comment Actions
Did this also get deployed and replace the original patch? Or no? Also, can we just push this up to gerrit? Similar to T423654? I think the Security-Team is fine with that, cc: @Catrope.
Comment Actions
No I removed the first version and waited for a review of the new one.
Also, can we just push this up to gerrit? Similar to T423654? I think the Security-Team is fine with that, cc: @Catrope.
We can push it through Gerrit if folks are fine with it.
Comment Actions
Change #1276084 had a related patch set uploaded (by Zabe; author: Zabe):
[mediawiki/core@master] Correctly support new file tables in RevDelFileItem
Comment Actions
Change #1276084 merged by jenkins-bot:
[mediawiki/core@master] Correctly support new file tables in RevDelFileItem
Comment Actions
Change #1277777 had a related patch set uploaded (by Zabe; author: Zabe):
[mediawiki/core@REL1_45] Correctly support new file tables in RevDelFileItem
Comment Actions
Change #1277778 had a related patch set uploaded (by Zabe; author: Zabe):
[mediawiki/core@REL1_44] Correctly support new file tables in RevDelFileItem
Comment Actions
Change #1277777 merged by jenkins-bot:
[mediawiki/core@REL1_45] Correctly support new file tables in RevDelFileItem
Comment Actions
Change #1277778 merged by jenkins-bot:
[mediawiki/core@REL1_44] Correctly support new file tables in RevDelFileItem