From 7519daf75df3b482ee7719aa6e292bd62430e9ac Mon Sep 17 00:00:00 2001
From: Brad Jorsch
Date: Tue, 4 Jun 2013 11:14:42 -0400
Subject: [PATCH] Prevent tokens in jsonp mode

Add checks to token-returning functions to prevent returning tokens in jsonp mode. This affects action=login, action=block, action=unblock, and action=query&list=deletedrevs.

Bug: 49090
Change-Id: Ibeaa5c72d8084585092b15935a3f5709104bf7f7
---
RELEASE-NOTES-1.19 | 7 +++++++
includes/api/ApiBlock.php | 4 ++++
includes/api/ApiLogin.php | 9 +++++++++
includes/api/ApiQueryDeletedrevs.php | 5 +++++
includes/api/ApiUnblock.php | 4 ++++
5 files changed, 29 insertions(+)

diff --git a/RELEASE-NOTES-1.19 b/RELEASE-NOTES-1.19
index 560ee3b..32a1f57 100644
--- a/RELEASE-NOTES-1.19
+++ b/RELEASE-NOTES-1.19
@@ -3,6 +3,13 @@ Security reminder: MediaWiki does not require PHP's register_globals
 setting since version 1.2.0. If you have it on, turn it '''off''' if you can.
+== MediaWiki 1.19.8 ==
+
+This is a security release of the MediaWiki 1.19 branch.
+
+=== Changes since 1.19.7 ===
+* (bug 49090) Token-getting functions will fail when using jsonp callbacks.
+
 == MediaWiki 1.19.7 ==
 This is a security and maintenance release of the MediaWiki 1.19 branch
diff --git a/includes/api/ApiBlock.php b/includes/api/ApiBlock.php
index 351ac6b..5c9e68f 100644
--- a/includes/api/ApiBlock.php
+++ b/includes/api/ApiBlock.php
@@ -47,6 +47,10 @@ class ApiBlock extends ApiBase {
 $params = $this->extractRequestParams();
 if ( $params['gettoken'] ) {
+ // If we're in JSON callback mode, no tokens can be obtained
+ if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
+ $this->dieUsage( 'Cannot get token when using a callback', 'aborted' );
+ }
 $res['blocktoken'] = $user->getEditToken( '', $this->getMain()->getRequest() );
 $this->getResult()->addValue( null, $this->getModuleName(), $res );
 return;
diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index aa570cb..3384910 100644
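Review bot: The guard placed before `$user->getEditToken(...)` decides "JSONP mode" by testing the raw `callback` request parameter rather than asking the selected output printer whether it will actually wrap the response, and the identical four-line check is pasted into ApiUnblock below (with variants in ApiLogin and ApiQueryDeletedrevs). A single helper on ApiBase — a constructed name such as `$this->dieIfJsonpCallback()` that reads the request once and calls `dieUsage( 'Cannot get token when using a callback', 'aborted' )` — would keep the four sites from drifting and give any future token-emitting module one thing to call. The comment should also say why the refusal exists, since "no tokens can be obtained" reads as a limitation rather than a rule: `// A JSONP callback makes the response readable by any embedding origin; never emit a CSRF token that way`. The enclosing execute() body starts before and continues after this hunk.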
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -46,6 +46,15 @@ class ApiLogin extends ApiBase {
 * is reached. The expiry is $this->mLoginThrottle.
 */
 public function execute() {
+ // If we're in JSON callback mode, no tokens can be obtained
+ if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
+ $this->getResult()->addValue( null, 'login', array(
+ 'result' => 'Aborted',
+ 'reason' => 'Cannot log in when using a callback',
+ ) );
+ return;
+ }
+
 $params = $this->extractRequestParams();
 $result = array();
diff --git a/includes/api/ApiQueryDeletedrevs.php b/includes/api/ApiQueryDeletedrevs.php
index 0a0cc93..13978f9 100644
--- a/includes/api/ApiQueryDeletedrevs.php
+++ b/includes/api/ApiQueryDeletedrevs.php
@@ -57,6 +57,11 @@ class ApiQueryDeletedrevs extends ApiQueryBase {
 $fld_content = isset( $prop['content'] );
 $fld_token = isset( $prop['token'] );
+ // If we're in JSON callback mode, no tokens can be obtained
+ if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
+ $fld_token = false;
+ }
+
 $result = $this->getResult();
 $pageSet = $this->getPageSet();
 $titles = $pageSet->getTitles();
diff --git a/includes/api/ApiUnblock.php b/includes/api/ApiUnblock.php
index d0ad3a8..122cb98 100644
--- a/includes/api/ApiUnblock.php
+++ b/includes/api/ApiUnblock.php
@@ -44,6 +44,10 @@ class ApiUnblock extends ApiBase {
 $params = $this->extractRequestParams();
 if ( $params['gettoken'] ) {
+ // If we're in JSON callback mode, no tokens can be obtained
+ if ( !is_null( $this->getMain()->getRequest()->getVal( 'callback' ) ) ) {
+ $this->dieUsage( 'Cannot get token when using a callback', 'aborted' );
+ }
 $res['unblocktoken'] = $user->getEditToken( '', $this->getMain()->getRequest() );
 $this->getResult()->addValue( null, $this->getModuleName(), $res );
 return;
-- 
1.7.10.4
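Review bot: The comment `// If we're in JSON callback mode, no tokens can be obtained` at the top of execute() understates what the code below it does: the whole login is refused, not just a token, and the refusal is reported as an ordinary `'result' => 'Aborted'` value while ApiBlock and ApiUnblock fail the same condition through `dieUsage(..., 'aborted')`. If the structured result is deliberate (so clients that branch on `result` keep working), the comment should say so, e.g. `// Refuse the whole login under a JSONP callback: the login result is cross-origin readable and would expose session data. Reported as a normal Aborted result, not dieUsage, so result-code clients keep working`. I am inferring from the module's purpose that the success path carries session fields; confirm against the rest of execute(), which continues past this hunk.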
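Review bot: In ApiQueryDeletedrevs the new block silently overrides `$fld_token = isset( $prop['token'] )` with `false`, so a client that explicitly asked for `prop=token` under a callback gets a response with the field missing and no explanation, unlike the other three modules which report the refusal. Adding `$this->setWarning( 'Cannot get token when using a callback' );` inside the `if` keeps the response shape but tells the caller why the token is absent (setWarning is the ApiBase mechanism I would expect here; confirm it is available on ApiQueryBase in this branch). The two assignments could also be folded into one expression so the final value of `$fld_token` is visible in one place. The surrounding execute() body starts before and runs past the hunk.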