From ed2f2bf9f6cee9a7d800d94db551ad6fc67cc34c Mon Sep 17 00:00:00 2001
From: dannys712-main
Date: Sat, 18 Apr 2020 17:27:13 -0700
Subject: [PATCH] SECURITY: Do not leak user info via API

If a user is not allowed to see an account, treat it the same as an account that doesn't exist in terms of including any requested information regarding edit count, user groups, etc.

Bug: T250594
---
 includes/api/ApiQueryGlobalUserInfo.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/includes/api/ApiQueryGlobalUserInfo.php b/includes/api/ApiQueryGlobalUserInfo.php
index 26f7966f..52316029 100644
--- a/includes/api/ApiQueryGlobalUserInfo.php
+++ b/includes/api/ApiQueryGlobalUserInfo.php
@@ -76,6 +76,10 @@ class ApiQueryGlobalUserInfo extends ApiQueryBase {
 		} else {
 			// The user doesn't exist or we pretend it doesn't if it's hidden
 			$data['missing'] = true;
+
+			// If we are pretending that the user doesn't exist because it is hidden,
+			// do not add any more information
+			$userExists = false;
 		}
 		$result->addValue( 'query', $this->getModuleName(), $data );
-- 
2.20.1.windows.1
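Review bot: The fix only holds if every later `$data[...]` addition in this method is gated on `$userExists`, and the hunk does not show those checks; the enclosing method starts before and continues after the hunk, so each requested property (edit count, groups, merged accounts and so on) should be confirmed to sit behind that flag. The new comment is also narrower than the code: `$userExists = false;` runs for the genuinely nonexistent case as well, so `// Nonexistent and hidden accounts must be indistinguishable: add no further properties in either case` would name the invariant being protected rather than one of its two cases. A regression test asserting that the API output for a hidden account is identical to the output for a nonexistent one would keep a future property addition from reintroducing the oracle.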