From bb52a9906af8eb70af2fb6609cd38d3f26b818d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1t=C3=A9=20Szab=C3=B3?= <mszabo@wikimedia.org>
Date: Fri, 15 Aug 2025 14:55:56 +0200
Subject: [PATCH] SECURITY: Exclude suppress blocks in
 CentralAuthUser::getBlocks()

Why:

- CentralAuthUser::getBlocks() currently includes blocks where the
  target user name is hidden.
- This is a potential information leak, since the data might be used in
  a context where the requester should not be able to access such
  information on foreign wikis in the result set.

What:

- Exclude blocks with suppressed targets in
  CentralAuthUser::getBlocks().

Bug: T400892
---
 includes/User/CentralAuthUser.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/includes/User/CentralAuthUser.php b/includes/User/CentralAuthUser.php
index b4c5a306..b548984c 100644
--- a/includes/User/CentralAuthUser.php
+++ b/includes/User/CentralAuthUser.php
@@ -925,7 +925,12 @@ class CentralAuthUser implements IDBAccessObject {
 				->getDatabaseBlockStoreFactory()
 				->getDatabaseBlockStore( $wikiId );
 			$blocksByWikiId[$wikiId] = $blockStore->newListFromConds(
-				[ 'bt_user' => $row->user_id ]
+				[
+					'bt_user' => $row->user_id,
+					// SECURITY: The user might not have permissions to view suppress blocks
+					// on the foreign wiki (T400892).
+					'bl_deleted' => 0,
+				]
 			);
 		}
 
-- 
2.50.1