From 8cbcc50f1bc05ded13b1f62c38ae618f4fbad62b Mon Sep 17 00:00:00 2001 From: Brad Jorsch Date: Tue, 4 Jun 2013 11:14:42 -0400 Subject: [PATCH] Prevent tokens in jsonp mode Add checks to token-returning functions to prevent returning tokens in jsonp mode. This affects action=tokens, action=login, action=block, action=unblock, and action=query&list=deletedrevs. Bug: 49090 Change-Id: Ibeaa5c72d8084585092b15935a3f5709104bf7f7 --- RELEASE-NOTES-1.20 | 7 +++++++ includes/api/ApiBlock.php | 4 ++++ includes/api/ApiLogin.php | 9 +++++++++ includes/api/ApiQueryDeletedrevs.php | 5 +++++ includes/api/ApiTokens.php | 5 +++++ includes/api/ApiUnblock.php | 4 ++++ 6 files changed, 34 insertions(+) diff --git a/RELEASE-NOTES-1.20 b/RELEASE-NOTES-1.20 index d4f399a..aacc462 100644 --- a/RELEASE-NOTES-1.20 +++ b/RELEASE-NOTES-1.20 @@ -4,6 +4,13 @@ Security reminder: MediaWiki does not require PHP's register_globals setting since version 1.2.0. If you have it on, turn it '''off''' if you can. +== MediaWiki 1.20.7 == + +This is a security release of the MediaWiki 1.20 branch. + +=== Changes since 1.20.6 === +* (bug 49090) Token-getting functions will fail when using jsonp callbacks. + == MediaWiki 1.20.6 == This is a security and maintenance release of the MediaWiki 1.20 branch. diff --git a/includes/api/ApiBlock.php b/includes/api/ApiBlock.php index c879b35..c284c3b 100644 --- a/includes/api/ApiBlock.php +++ b/includes/api/ApiBlock.php @@ -47,6 +47,10 @@ class ApiBlock extends ApiBase { $params = $this->extractRequestParams(); if ( $params['gettoken'] ) { + // If we're in JSON callback mode, no tokens can be obtained + if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) { + $this->dieUsage( 'Cannot get token when using a callback', 'aborted' ); + } $res['blocktoken'] = $user->getEditToken(); $this->getResult()->addValue( null, $this->getModuleName(), $res ); return; diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php index 1f91fe9..8afc538 100644 
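Review bot: The callback check added under `if ( $params['gettoken'] )` is a verbatim copy of the one added in ApiUnblock, ApiLogin, ApiQueryDeletedrevs and ApiTokens in this same patch, and the identical comment wording suggests the same test already lives in other token-producing modules; a security guard that has to be repeated by hand in every module is the one the next token-returning module will forget. A single protected helper on ApiBase or ApiMain (proposed name, e.g. `$this->lacksSameOriginSecurity()`) wrapping `!is_null( $this->getMain()->getRequest()->getVal( 'callback' ) )` would give every module one question to ask, "is this response readable cross-origin", and lets the formatter's notion of a callback change in one place. The test is keyed to the raw `callback` request value rather than to the selected output format, which fails closed for non-JSON formats; that is the right direction but deserves a comment such as `// Keyed to the request param, not the format: any request carrying a callback is treated as cross-origin-readable`. The enclosing execute() starts and ends outside the hunk.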
--- a/includes/api/ApiLogin.php +++ b/includes/api/ApiLogin.php @@ -46,6 +46,15 @@ class ApiLogin extends ApiBase { * is reached. The expiry is $this->mLoginThrottle. */ public function execute() { + // If we're in JSON callback mode, no tokens can be obtained + if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) { + $this->getResult()->addValue( null, 'login', array( + 'result' => 'Aborted', + 'reason' => 'Cannot log in when using a callback', + ) ); + return; + } + $params = $this->extractRequestParams(); $result = array(); diff --git a/includes/api/ApiQueryDeletedrevs.php b/includes/api/ApiQueryDeletedrevs.php index e69ccbd..7f21420 100644 --- a/includes/api/ApiQueryDeletedrevs.php +++ b/includes/api/ApiQueryDeletedrevs.php @@ -57,6 +57,11 @@ class ApiQueryDeletedrevs extends ApiQueryBase { $fld_content = isset( $prop['content'] ); $fld_token = isset( $prop['token'] ); + // If we're in JSON callback mode, no tokens can be obtained + if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) { + $fld_token = false; + } + $result = $this->getResult(); $pageSet = $this->getPageSet(); $titles = $pageSet->getTitles(); diff --git a/includes/api/ApiTokens.php b/includes/api/ApiTokens.php index 2c9b482..2b31987 100644 --- a/includes/api/ApiTokens.php +++ b/includes/api/ApiTokens.php @@ -57,6 +57,11 @@ class ApiTokens extends ApiBase { } private function getTokenTypes() { + // If we're in JSON callback mode, no tokens can be obtained + if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) { + return array(); + } + static $types = null; if ( $types ) { return $types; diff --git a/includes/api/ApiUnblock.php b/includes/api/ApiUnblock.php index ff9ac47..bc740f1 100644 --- a/includes/api/ApiUnblock.php +++ b/includes/api/ApiUnblock.php 
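Review bot: The callback refusal at the top of execute() reports a normal `login` result with `'result' => 'Aborted'` instead of failing through dieUsage() as ApiBlock and ApiUnblock do in this same patch, so a client receives a success-shaped response whose only signal is a new result code. If the result-code route is deliberate because login clients dispatch on `result`, say so next to the block, e.g. `// Reported as a login result code rather than an API error, so clients that switch on 'result' see it`, and if this module's description enumerates the possible result codes, add 'Aborted' there. The check also runs before extractRequestParams(), so parameter errors are never reported for callback requests; acceptable since the request is refused either way, but worth one line stating it. execute() continues outside the hunk.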
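Review bot: Forcing `$fld_token = false` silently drops a property the client explicitly requested with `prop=token`, so a callback-mode caller gets revisions without tokens and no indication why. Emitting a warning alongside the override, e.g. `$this->setWarning( 'Tokens are not available when using a callback' );` immediately before `$fld_token = false;`, keeps the fail-closed behaviour while making the omission diagnosable from the response itself. The enclosing execute() starts and ends outside the hunk.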
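Review bot: Returning an empty array from getTokenTypes() in callback mode is a silent refusal: the token types the caller asked for simply do not appear, and if getTokenTypes() also feeds the allowed values of the `type` parameter (not visible in this hunk), the validation error the client sees would name an empty list rather than the real cause. A one-line warning beside the early return, `$this->setWarning( 'Tokens are not available when using a callback' );`, or a dieUsage() matching ApiBlock's `'Cannot get token when using a callback', 'aborted'`, would make the refusal explicit and consistent with the other modules in this patch. The early return is placed before `static $types = null;`, so a callback request never stores an empty list in the static cache; that ordering is load-bearing and deserves a comment such as `// Must precede the static cache so a callback request never caches an empty type list`. The remainder of getTokenTypes() is outside the hunk.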
@@ -44,6 +44,10 @@ class ApiUnblock extends ApiBase { $params = $this->extractRequestParams(); if ( $params['gettoken'] ) { + // If we're in JSON callback mode, no tokens can be obtained + if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) { + $this->dieUsage( 'Cannot get token when using a callback', 'aborted' ); + } $res['unblocktoken'] = $user->getEditToken(); $this->getResult()->addValue( null, $this->getModuleName(), $res ); return; -- 1.7.10.4