From 990bb6be9ae5fe5c301363dbe661efb896b92b64 Mon Sep 17 00:00:00 2001
From: Brian Wolff
Date: Fri, 15 Jun 2018 08:19:49 +0000
Subject: [PATCH] SECURITY: Fix reauth in Special:ChangeEmail

Previously you could bypass reauthentication by directly POSTing to Special:ChangeEmail.

Bug: T197279
Change-Id: I674557351e0e91a8105c12ddf6cd30283aac9f7a
---
 includes/specials/SpecialChangeEmail.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/includes/specials/SpecialChangeEmail.php b/includes/specials/SpecialChangeEmail.php
index c514300..cd720eb 100644
--- includes/specials/SpecialChangeEmail.php
+++ includes/specials/SpecialChangeEmail.php
@@ -54,14 +54,16 @@ class SpecialChangeEmail extends FormSpecialPage {
 * @param string $par
 */
 function execute( $par ) {
- $this->checkLoginSecurityLevel();
-
 $out = $this->getOutput();
 $out->disallowUserJs();
 parent::execute( $par );
 }
+ protected function getLoginSecurityLevel() {
+ return $this->getName();
+ }
+
 protected function checkExecutePermissions( User $user ) {
 if ( !AuthManager::singleton()->allowsPropertyChange( 'emailaddress' ) ) {
 throw new ErrorPageError( 'changeemail', 'cannotchangeemail' );
--
2.8.1
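Review bot: The added `getLoginSecurityLevel()` override has no docblock, and with the explicit call removed from `execute()` nothing in this file shows where reauthentication is enforced; it presumably happens inside `parent::execute()`, which is outside the hunk. I would add a comment above the override such as `// Security: forces reauthentication before the form is shown or processed; the parent execute() acts on this value.` so the method is not later removed as a trivial getter. A regression test that submits the form by POST from a session without a recent login and asserts the address is unchanged would pin the behaviour the commit message describes. The class body continues past the end of the hunk.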