SECURITY: HTMLUserTextField: Treat hidden users as unregistered if current user can't view them

MatmaRex · reedy · commit 2a6d9c3c7db2 · 2022-09-29T19:09:10.000+01:00
CVE-2022-41765 Bug: T309894 Change-Id: I0707153ccbdb062a6b7ce461cc535aa2af8e4576
diff --git a/includes/htmlform/fields/HTMLUserTextField.php b/includes/htmlform/fields/HTMLUserTextField.php
@@ -55,7 +55,11 @@ public function validate( $value, $alldata ) {
 			return $this->msg( 'htmlform-user-not-valid', $value );
 		} elseif (
 			// check, if the user exists, if requested
-			( $this->mParams['exists'] && $user->getId() === 0 ) &&
+			( $this->mParams['exists'] && !(
+				$user->isRegistered() &&
+				// Treat hidden users as unregistered if current user can't view them (T309894)
+				!( $user->isHidden() && !( $this->mParent && $this->mParent->getUser()->isAllowed( 'hideuser' ) ) )
+			) ) &&
 			// check, if the username is a valid IP address, otherwise save the error message
 			!( $this->mParams['ipallowed'] && IPUtils::isValid( $value ) ) &&
 			// check, if the username is a valid IP range, otherwise save the error message
