"Ban IP" reveals IP to non-CU #141

Open
Salvidrim opened this issue Sep 25, 2017 · 0 comments
@Salvidrim
Contributor

When a non-CU tooladmin in a ticket clicks the "Ban IP" button, the ticket's underlying IP is revealed on the page where we are requested to input a reason (whether I back out or go through with it). They should be obscured just like they eventually are on the Ban Management page if a ban does go through.

I noticed when applying Ban ID 343, which, once applied, has the IP properly obscured/encrypted.

In theory by inputting any ticket ID into https://utrs.wmflabs.org/banMgmt.php?appeal=XXXXX&target=1 I can reveal its IP despite not being CU.

I'm not too worried about WP:BEANS because this bug only impacts non-CU tooladmins (i.e. Jamie and me), but this should be considered high-priority.
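
An added example, not from the UTRS code base or from the reporter: one way to keep a ticket's IP off the ban-reason page for non-CU tooladmins while still letting them apply the ban. Every function name, the `$viewerIsCheckuser` flag, the in-memory `APPEALS` array and the placeholder text are assumptions for illustration, and the IP is a constructed documentation address.

```php
<?php
declare(strict_types=1);

// Constructed sample row standing in for the appeals table (hypothetical).
const APPEALS = [12345 => ['ip' => '203.0.113.45']];

// Hypothetical lookup; rejects appeal IDs that do not exist.
function appealIp(int $appealId): string
{
    if (!array_key_exists($appealId, APPEALS)) {
        throw new InvalidArgumentException('Unknown appeal');
    }
    return APPEALS[$appealId]['ip'];
}

// What the viewer may see as the ban target: the address for CU,
// a placeholder built from the appeal ID alone for everyone else.
function displayTarget(int $appealId, bool $viewerIsCheckuser): string
{
    $ip = appealIp($appealId);
    return $viewerIsCheckuser ? $ip : sprintf('[IP of appeal #%d hidden]', $appealId);
}

// The "enter a reason" step. The form carries only the appeal ID, so the
// address is in neither the visible text nor a hidden field.
function renderBanReasonForm(int $appealId, bool $viewerIsCheckuser): string
{
    $target = htmlspecialchars(displayTarget($appealId, $viewerIsCheckuser), ENT_QUOTES);
    return "<form method=\"post\">\n"
        . "<p>Ban target: {$target}</p>\n"
        . "<input type=\"hidden\" name=\"appeal\" value=\"{$appealId}\">\n"
        . "<input type=\"text\" name=\"reason\">\n"
        . "</form>";
}

// On submit the server resolves the address itself, so a non-CU tooladmin
// can still apply the ban without the IP being sent to the browser.
function applyBan(int $appealId, string $reason): array
{
    return ['target' => appealIp($appealId), 'reason' => $reason];
}

// Regression check for the reported leak: the non-CU render must not contain the IP.
$html = renderBanReasonForm(12345, false);
if (strpos($html, appealIp(12345)) !== false) {
    throw new RuntimeException('IP leaked to non-CU viewer');
}
echo "non-CU ban form does not contain the IP\n";
```

The `$viewerIsCheckuser` flag is assumed to be derived from the server-side session, never from a request parameter.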
