From dfbc22b7e83d154cf6db36c54481f89d4f2acf27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Taavi=20V=C3=A4=C3=A4n=C3=A4nen?= <hi@taavi.wtf>
Date: Mon, 23 May 2022 18:06:11 +0300
Subject: [PATCH] SECURITY: ApiEditPage: update title after redirects

Otherwise permission checks are directed to the old title which makes it
possibly to bypass protection via redirects.

Bug: T309028
Change-Id: I157df365439b09416639e6ea2beefc01b60e6264
---
 includes/api/ApiEditPage.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/includes/api/ApiEditPage.php b/includes/api/ApiEditPage.php
index 611fb8af70..37285a3792 100644
--- a/includes/api/ApiEditPage.php
+++ b/includes/api/ApiEditPage.php
@@ -162,8 +162,10 @@ class ApiEditPage extends ApiBase {
 				ApiResult::setIndexedTagName( $redirValues, 'r' );
 				$apiResult->addValue( null, 'redirects', $redirValues );
 
-				// Since the page changed, update $pageObj
+				// Since the page changed, update $pageObj and $titleObj
 				$pageObj = $this->wikiPageFactory->newFromTitle( $redirTarget );
+				$titleObj = $pageObj->getTitle();
+
 				$this->getErrorFormatter()->setContextTitle( $redirTarget );
 			}
 		}
-- 
2.35.1